Endpoint Security

Adobe Acrobat Reader Shuns Security Products Due to Compatibility Issues

Adobe Acrobat Reader blocks certain antimalware solutions from injecting their DLLs into its processes, essentially denying them visibility and creating security risks, ransomware prevention company Minerva Labs reports.

The behavior, which is similar to that of suspicious or malicious applications, is related to Acrobat Reader’s use of the Chromium Embedded Framework (CEF), which has some incompatibility issues with certain security products.

Minerva says it has observed a gradual uptick in this behavior starting in March 2022, when libcef.dll – a CEF DLL employed by numerous applications – was updated. The library contains a hard-coded list of DLLs that are known to cause conflicts, and those DLLs are blocked.

“However, any vendor that uses libcef.dll can easily change this DLL list. The hard-coded DLL list in the Adobe libcef.dll version we checked had been edited and was surprisingly longer and also contains the DLLs of […] security products,” Minerva noted.

Acrobat Reader prevents security products from a total of 30 vendors from injecting DLLs into the AcroCEF.exe and RdrCEF.exe processes, which handle network interactions and multiple document cloud services.
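Because the blocklist is a set of hard-coded DLL names inside libcef.dll, a defender can audit which of their own security product DLLs a given build would refuse to load by pulling DLL-name strings out of the binary. The script below is an added example, not Minerva's tooling or Adobe's code: it extracts both narrow (ASCII) and wide (UTF-16LE) strings ending in ".dll" from a byte image and intersects them with a list of DLL names you expect your endpoint agent to inject. The sample buffer and the DLL names in it (acme_edr_hook.dll, contoso_av_inject.dll, anotherguard.dll) are constructed placeholders; point `scan_file` at a real libcef.dll and supply your own vendor's DLL names to use it for real.

```python
import re
from pathlib import Path

# ASCII DLL name: a run of filename characters ending in ".dll"
ASCII_DLL = re.compile(rb"[A-Za-z0-9_\-.]{1,64}\.dll", re.IGNORECASE)
# Same shape as a UTF-16LE string: every character is followed by a NUL byte
UTF16_DLL = re.compile(
    rb"(?:[A-Za-z0-9_\-.]\x00){1,64}\.\x00d\x00l\x00l\x00", re.IGNORECASE
)


def extract_dll_names(data: bytes) -> set[str]:
    """Return every DLL file name found as a narrow or wide string in data."""
    names: set[str] = set()
    for m in ASCII_DLL.finditer(data):
        names.add(m.group().decode("ascii").lower())
    for m in UTF16_DLL.finditer(data):
        names.add(m.group().decode("utf-16-le").lower())
    return names


def blocked_security_dlls(data: bytes, my_dlls: set[str]) -> set[str]:
    """Subset of my_dlls that appears verbatim in the binary's string table.

    A hit means the build names your DLL in its hard-coded list; a miss is
    not proof of absence (names could be obfuscated), so treat this as a
    first-pass audit rather than a guarantee.
    """
    wanted = {d.lower() for d in my_dlls}
    return {n for n in extract_dll_names(data) if n in wanted}


def scan_file(path: str, my_dlls: set[str]) -> set[str]:
    """Convenience wrapper: read a libcef.dll (or any PE) from disk and audit it."""
    return blocked_security_dlls(Path(path).read_bytes(), my_dlls)


# Constructed stand-in for a libcef.dll image: a mix of unrelated bytes,
# an ordinary import name, and two hypothetical security-product DLL names
# stored as a wide string and a narrow string respectively.
SAMPLE_IMAGE = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"kernel32.dll\x00\x00"                              # normal import, not a security product
    + "acme_edr_hook.dll".encode("utf-16-le") + b"\x00\x00"  # hypothetical EDR DLL (wide string)
    + b"\x11\x22" + b"contoso_av_inject.dll\x00"           # hypothetical AV DLL (narrow string)
    + b"notadll.txt\x00"                                   # should not be picked up
)

# Hypothetical list of DLLs your own endpoint agent injects into processes.
MY_SECURITY_DLLS = {"acme_edr_hook.dll", "contoso_av_inject.dll", "anotherguard.dll"}


if __name__ == "__main__":
    found = extract_dll_names(SAMPLE_IMAGE)
    print("DLL names in image:", sorted(found))
    print("our DLLs named by the blocklist:", sorted(blocked_security_dlls(SAMPLE_IMAGE, MY_SECURITY_DLLS)))
```

Running this against the constructed image reports both hypothetical security DLLs and ignores kernel32.dll and the non-DLL string. On a real file, a hit for one of your agent's DLLs is the signal to confirm with the vendor whether the AcroCEF.exe and RdrCEF.exe processes still carry your telemetry, since the article's point is that a blocked hook leaves those processes and their children unmonitored.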

Minerva’s security researchers discovered that Acrobat Reader uses a registry key named bBlockDllInjection to determine whether to check for injected DLLs, and that key is set after the application is executed.

“When ‘bBlockDllInjection’ is set to ‘1’, libcef.dll will perform a loaded DLL check. With the registry key name dBlockDllInjection, and looking at the CEF documentation, we can assume that the blacklisted DLLs are designated to be unloaded,” Minerva noted.

The value of the registry key, the researchers say, is most likely set based on “endpoint environment, version of Acrobat, and other local environmental properties.”

By blocking security products from injecting their DLLs into its processes, Acrobat Reader essentially denies visibility into those processes and their child processes, which creates a security risk.

“It would be easy enough for a threat actor to add a command in the ‘OpenAction’ section of a pdf, which can then execute PowerShell, which could for example, download the next stage malware and execute it reflectively. Any of these actions would not be detected if the security product hooks are missing,” Minerva said.

The researchers blame Adobe for taking the easy route of immediately addressing a compatibility issue without considering the security implications of the approach.

Contacted by SecurityWeek, Adobe confirmed it was aware of Minerva’s report and said it has been working with security vendors to resolve the issue.

“We are aware of reports that some DLLs from security tools are incompatible with Adobe Acrobat’s usage of CEF, a Chromium based engine with a restricted sandbox design, and may cause stability issues. Adobe remains committed to the security of our products and protecting our customers, and we are addressing the issue with these vendors to ensure proper functionality with Acrobat’s CEF sandbox design going forward,” the company said.

Related: Adobe Plugs 46 Security Flaws on Patch Tuesday

Related: Adobe Patches Gaping Security Holes in Acrobat, Reader

Related: Adobe Warns of ‘Critical’ Security Flaws in Enterprise Products

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
