Adobe Acrobat reported to be preventing security software from checking PDF files
Researchers at security company Minerva Labs report that Adobe Acrobat, a PDF file creation and editing tool developed by Adobe, and Acrobat Reader, a PDF viewing tool, 'try to prevent security software from monitoring open PDFs.' There are concerns that this increases security risk by making it impossible to monitor malicious activity in PDF files.
Does Acrobat Reader Unload Injection of Security Products?
Adobe Acrobat may block antivirus tools from monitoring PDF files
For security software to function properly, it must be able to monitor all processes on the system where it is installed. This is achieved by injecting a dynamic link library (DLL) into software products as they launch on the system.
However, researchers at Minerva Labs wrote in a blog post on June 20, 2022, 'Since March 2022, the number of Adobe Acrobat Reader processes trying to query which security products' DLLs are loaded has been gradually increasing.' This query is issued by the Chromium Embedded Framework (CEF) DLL 'libcef.dll', and it reportedly looks for 30 security software DLLs, from vendors such as Trend Micro, BitDefender, Avast, McAfee, Symantec, Malwarebytes, ESET, and Kaspersky.
libcef.dll runs in two Adobe processes, AcroCEF.exe and RdrCEF.exe, and it seems that both Adobe Acrobat and Acrobat Reader are checking for the same security software. When researchers looked into libcef.dll, they found that it was unloading the blacklisted security software DLLs and blocking monitoring of PDF files.
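A defender can check for this visibility gap by comparing the modules loaded in AcroCEF.exe and RdrCEF.exe against the DLL their security product injects elsewhere. The following is an added example, not code from Minerva Labs or from this article; it assumes module listings in the shape of `tasklist /m /fo csv` output, and `edrhook.dll` and `audit_cef_hosts` are hypothetical names.

```python
import csv
import io

# Processes the article names as hosting libcef.dll.
CEF_HOSTS = {"acrocef.exe", "rdrcef.exe"}

# Constructed sample in the shape of `tasklist /m /fo csv` output (assumed format).
# "edrhook.dll" is a hypothetical security-product DLL, not a real product's file.
SAMPLE = '''"Image Name","PID","Modules"
"explorer.exe","4120","ntdll.dll,KERNEL32.DLL,edrhook.dll"
"Acrobat.exe","6012","ntdll.dll,KERNEL32.DLL,EDRHook.dll"
"AcroCEF.exe","6388","ntdll.dll,KERNEL32.DLL,libcef.dll"
"RdrCEF.exe","7004","ntdll.dll,KERNEL32.DLL,libcef.dll,edrhook.dll"
"AcroCEF.exe","6420","N/A"
'''

def audit_cef_hosts(tasklist_csv, monitor_dll):
    """Classify each CEF host process by whether the monitoring DLL is loaded."""
    want = monitor_dll.lower()
    baseline = 0  # non-CEF processes that do have the DLL loaded
    findings = []
    for row in csv.DictReader(io.StringIO(tasklist_csv)):
        image, pid, raw = row["Image Name"], int(row["PID"]), row["Modules"].strip()
        modules = {m.strip().lower() for m in raw.split(",") if m.strip()}
        if image.lower() not in CEF_HOSTS:
            baseline += int(want in modules)
            continue
        if raw.upper() == "N/A":
            status = "unknown"    # module list unreadable: do not count as missing
        elif want in modules:
            status = "monitored"
        else:
            status = "missing"
        findings.append((image, pid, status))
    # Only treat "missing" as a visibility gap if the DLL is injected elsewhere.
    gap = baseline > 0 and any(s == "missing" for _, _, s in findings)
    return {"baseline": baseline, "findings": findings, "gap": gap}

if __name__ == "__main__":
    result = audit_cef_hosts(SAMPLE, "edrhook.dll")
    for image, pid, status in result["findings"]:
        print(f"{image:12} pid={pid:<6} {status}")
    print("visibility gap:", result["gap"])
```

A process whose module list cannot be read is reported as `unknown` rather than `missing`, so an access-denied result is not mistaken for an unloaded DLL.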
Minerva Labs warns that this behavior could have 'catastrophic consequences': if the DLL injection of security software into a process is blocked, visibility into that process is impaired and security issues will not be detected. In fact, multiple attack methods using PDF files have been reported so far, and there is a concern that blocking monitoring of PDF files will increase security risks.
Minerva Labs said that because this behavior is common in malware, it assumed that Adobe Acrobat might have been hit by a supply chain attack. However, when Minerva Labs contacted Adobe about this, Adobe said, 'Some security software DLLs have compatibility issues with Adobe Acrobat, which can compromise software stability,' and answered that this is why it is blocking the DLLs of the security software.
Minerva Labs said, 'Adobe seems to be choosing an approach that solves compatibility issues immediately, but it can cause new issues from a security perspective.' 'This is where big companies prioritize convenience. It's a classic case of inserting essentially malware-like behavior into software rather than actually solving the problem at hand,' the company said, criticizing Adobe's response.
Also, when the tech media outlet Bleeping Computer contacted Adobe, Adobe acknowledged that it was blocking the DLLs of security software due to compatibility issues, and said that it would work with the vendors to address the issue and ensure proper functionality with Adobe Acrobat in the future.