Adobe Acrobat Reader Shuns Security Products Due to Compatibility Issues

Adobe Acrobat Reader blocks certain antimalware solutions from injecting their DLLs into its processes, essentially denying them visibility and creating security risks, ransomware prevention company Minerva Labs reports.

The behavior, which is similar to that of suspicious or malicious applications, is related to Acrobat Reader’s use of the Chromium Embedded Framework (CEF), which has some incompatibility issues with certain security products.

Minerva says it has observed a gradual uptick in this behavior starting March 2022, when libcef.dll – a CEF DLL employed by numerous applications – was updated. The library contains a list of DLLs that are known to cause conflicts, and which are blocked.

“However, any vendor that uses libcef.dll can easily change this DLL list. The hard-coded DLL list in the Adobe libcef.dll version we checked had been edited and was surprisingly longer and also contains the DLLs of […] security products,” Minerva noted.

Acrobat Reader prevents security products from a total of 30 vendors from injecting DLLs into the AcroCEF.exe and RdrCEF.exe processes, which handle network interactions and multiple document cloud services.

Minerva’s security researchers discovered that Acrobat Reader uses a registry key named bBlockDllInjection to determine whether to check for injected DLLs, and that key is set after the application is executed.

“When ‘bBlockDllInjection’ is set to ‘1’, libcef.dll will perform a loaded DLL check. With the registry key name dBlockDllInjection, and looking at the CEF documentation, we can assume that the blacklisted DLLs are designated to be unloaded,” Minerva noted.

The value of the registry key, the researchers say, is most likely set based on “endpoint environment, version of Acrobat, and other local environmental properties.”

By blocking security products from injecting their DLLs into its processes, Acrobat Reader essentially denies visibility into those processes and their child processes, which creates a security risk.
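One way a defender could check for this visibility gap is sketched below. It is an added example, not code from Minerva or Adobe. It scans per-process module snapshots and reports AcroCEF.exe or RdrCEF.exe instances that lack the endpoint agent's DLL on hosts where that DLL is loaded in other processes. The record fields, hosts, paths and the DLL name `edrhook64.dll` are constructed assumptions.

```python
from ntpath import basename  # parses Windows-style paths on any OS

CEF_PROCESSES = {"acrocef.exe", "rdrcef.exe"}  # the two processes named in the article
AGENT_DLL = "edrhook64.dll"  # hypothetical name for the security product's DLL

# Constructed module snapshots, one record per running process (not real data).
SAMPLE_SNAPSHOTS = [
    {"host": "WS01", "pid": 4120, "image": r"C:\Windows\explorer.exe",
     "modules": [r"C:\Windows\System32\ntdll.dll",
                 r"C:\Program Files\ExampleEDR\edrhook64.dll"]},
    {"host": "WS01", "pid": 5532, "image": r"C:\Apps\Reader\AcroCEF.exe",
     "modules": [r"C:\Windows\System32\ntdll.dll", r"C:\Apps\Reader\libcef.dll"]},
    {"host": "WS02", "pid": 3008, "image": r"C:\Windows\explorer.exe",
     "modules": [r"C:\Program Files\ExampleEDR\EDRHOOK64.DLL"]},
    {"host": "WS02", "pid": 6100, "image": r"C:\Apps\Reader\RdrCEF.exe",
     "modules": [r"C:\Apps\Reader\libcef.dll",
                 r"C:\Program Files\ExampleEDR\edrhook64.dll"]},
    # WS03 has no agent DLL in any process, so nothing is expected there.
    {"host": "WS03", "pid": 2244, "image": r"C:\Apps\Reader\RdrCEF.exe",
     "modules": [r"C:\Apps\Reader\libcef.dll"]},
]


def find_visibility_gaps(snapshots, agent_dll=AGENT_DLL):
    """Return sorted (host, pid, process) for CEF processes missing agent_dll."""
    agent_dll = agent_dll.lower()
    processes = []       # (host, pid, process name, set of module basenames)
    agent_hosts = set()  # hosts where the agent DLL is loaded in any process
    for snap in snapshots:
        modules = {basename(path).lower() for path in snap["modules"]}
        name = basename(snap["image"]).lower()
        processes.append((snap["host"], snap["pid"], name, modules))
        if agent_dll in modules:
            agent_hosts.add(snap["host"])
    # Report a gap only where the agent demonstrably injects elsewhere on the
    # same host; otherwise absence just means the product is not installed.
    return sorted(
        (host, pid, name)
        for host, pid, name, modules in processes
        if name in CEF_PROCESSES and host in agent_hosts and agent_dll not in modules
    )


if __name__ == "__main__":
    for host, pid, name in find_visibility_gaps(SAMPLE_SNAPSHOTS):
        print(f"{host}: {name} (pid {pid}) is running without {AGENT_DLL}")
```
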

“It would be easy enough for a threat actor to add a command in the ‘OpenAction’ section of a pdf, which can then execute PowerShell, which could for example, download the next stage malware and execute it reflectively. Any of these actions would not be detected if the security product hooks are missing,” Minerva said.

The researchers blame Adobe for taking the easy route of immediately addressing a compatibility issue without taking into consideration the security implications of the approach.

Contacted by SecurityWeek, Adobe confirmed it was aware of Minerva’s report and said it has been working with security vendors to resolve the issue.

“We are aware of reports that some DLLs from security tools are incompatible with Adobe Acrobat’s usage of CEF, a Chromium based engine with a restricted sandbox design, and may cause stability issues. Adobe remains committed to the security of our products and protecting our customers, and we are addressing the issue with these vendors to ensure proper functionality with Acrobat’s CEF sandbox design going forward,” the company said.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
