Pwn2Own 2020: opening a PDF can be enough to compromise a system!
but still it is there… and Adobe knows about it:
EMOTET is coming via encrypted (!) PDF files, undetected by antivirus scanners.
First of all, update Adobe Reader to the latest available version…
- Choose Edit > Preferences (Windows) or Acrobat / Acrobat Reader > Preferences (Mac OS).
Nobody knows how protected one is with Protected Mode… or what it actually does?
“By default, Adobe Reader DC runs in protected mode to provide an added layer of security.
In protected mode, malicious PDF documents can’t launch arbitrary executable files or write to system directories or the Windows Registry.
To check the status of protected mode, choose File > Properties > Advanced > Protected Mode.
- Choose Edit > Preferences.
- In the Categories list on the left, select Security (Enhanced).
- Click View Log to open the log file.
- In the Sandbox Protections section, select or deselect Enable Protected Mode At Startup.
- Enable Create Protected Mode Log File to record events. The changes take effect the next time you start the application.”
How effective this sandbox is… nobody knows…
Sandboxing is a technique developers use to create a confined execution environment for running untrusted programs.
In the context of Acrobat products, an “untrusted program” is any PDF and the processes it invokes.
By default, the product assumes any PDF is potentially malicious and confines all processing to a sandbox.
Sandboxes are typically used when data (such as documents or executable code) arrives from an untrusted source.
A sandbox limits, or reduces, the level of access its applications have.
For example, creating and executing files and modifying system information such as certain registry settings and other control panel functions are prohibited.
If a process P runs a child process Q in a sandbox, then Q’s privileges would typically be restricted to a subset of P’s.
For example, if P is running on a system, then P may be able to look at all processes on the system.
Q, however, will only be able to look at processes that are in the same sandbox as Q.
Barring any vulnerabilities in the sandbox mechanism itself, the scope of potential damage caused by a misbehaving Q is reduced.
For details, see the Application Security Guide at www.adobe.com/go/learn_acr_appsecurity_en.