
Adobe Acrobat Reader Shuns Security Products Due to Compatibility Issues

Adobe Acrobat Reader blocks certain antimalware solutions from injecting their DLLs into its processes, essentially denying them visibility and creating security risks, ransomware prevention company Minerva Labs reports.

The behavior, which is similar to that of suspicious or malicious applications, is related to Acrobat Reader’s use of the Chromium Embedded Framework (CEF), which has some incompatibility issues with certain security products.

Minerva says it has observed a gradual uptick in this behavior starting March 2022, when libcef.dll – a CEF DLL employed by numerous applications – was updated. The library contains a list of DLLs that are known to cause conflicts, and which are blocked.

“However, any vendor that uses libcef.dll can easily change this DLL list. The hard-coded DLL list in the Adobe libcef.dll version we checked had been edited and was surprisingly longer and also contains the DLLs of […] security products,” Minerva noted.

Acrobat Reader prevents security products from a total of 30 vendors from injecting DLLs into the AcroCEF.exe and RdrCEF.exe processes, which handle network interactions and multiple document cloud services.

Minerva’s security researchers discovered that Acrobat Reader uses a registry key named bBlockDllInjection to determine whether to check for injected DLLs, and that key is set after the application is executed.

“When ‘bBlockDllInjection’ is set to ‘1’, libcef.dll will perform a loaded DLL check. With the registry key name bBlockDllInjection, and looking at the CEF documentation, we can assume that the blacklisted DLLs are designated to be unloaded,” Minerva noted.

The value of the registry key, the researchers say, is most likely set based on “endpoint environment, version of Acrobat, and other local environmental properties.”

By blocking security products from injecting their DLLs into its processes, Acrobat Reader essentially denies visibility into those processes and their child processes, which creates a security risk.
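For an administrator who wants to verify the two facts above on a specific endpoint (whether bBlockDllInjection is set, and whether the security product's module is actually present inside the CEF helper processes), the following PowerShell audit is an added example; it is not code from the article, Minerva or Adobe. The article does not give the registry path of bBlockDllInjection, so the script searches the Adobe registry hives rather than assuming a fixed key, and the DLL names in $ExpectedModules are placeholders to be replaced with the in-process module names your own vendor documents.

```powershell
# Added example (not from the article, Minerva or Adobe): audit a Windows host for
# Acrobat Reader's bBlockDllInjection setting and check whether the CEF helper processes
# (AcroCEF.exe / RdrCEF.exe, as named in the article) still carry the security product's DLL.
# Run from an elevated PowerShell session on the endpoint while a PDF is open.

# Assumption: placeholder names for the security product's in-process modules.
# Replace with the DLL names your vendor documents.
$ExpectedModules = @('YourEdrHook.dll', 'YourEdrHook64.dll')

function Find-BlockDllInjectionSetting {
    # The article names the value but not its key, so search the Adobe hives for it.
    $roots = @('HKLM:\SOFTWARE\Adobe', 'HKLM:\SOFTWARE\WOW6432Node\Adobe', 'HKCU:\SOFTWARE\Adobe')
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $value = Get-ItemProperty -Path $_.PSPath -Name 'bBlockDllInjection' -ErrorAction SilentlyContinue
            if ($null -ne $value) {
                [PSCustomObject]@{
                    Key   = $_.Name
                    Value = $value.bBlockDllInjection   # 1 = loaded-DLL check is active (per Minerva)
                }
            }
        }
    }
}

function Test-CefProcessModules {
    param([string[]]$Expected)
    # The CEF helpers only exist while Acrobat/Reader is running.
    $procs = Get-Process -Name 'AcroCEF', 'RdrCEF' -ErrorAction SilentlyContinue
    if (-not $procs) {
        Write-Warning 'No AcroCEF/RdrCEF process is running; open a PDF and retry.'
        return
    }
    foreach ($p in $procs) {
        $loaded = @()
        try {
            $loaded = $p.Modules | ForEach-Object { $_.ModuleName }
        } catch {
            # Module enumeration can fail across a 32/64-bit boundary or without admin rights.
            Write-Warning "Cannot enumerate modules of PID $($p.Id): $_"
        }
        foreach ($dll in $Expected) {
            [PSCustomObject]@{
                Process = $p.ProcessName
                PID     = $p.Id
                Module  = $dll
                Loaded  = ($loaded -contains $dll)   # False means the product has no visibility in this process
            }
        }
    }
}

$settings = Find-BlockDllInjectionSetting
if ($settings) {
    $settings | Format-Table -AutoSize
} else {
    Write-Output 'bBlockDllInjection not found under the Adobe registry hives.'
}
Test-CefProcessModules -Expected $ExpectedModules | Format-Table -AutoSize
```

A row with Loaded = False for a module that is loaded in other processes on the same host is the condition the article describes; a missing bBlockDllInjection value does not by itself prove the check is inactive, since the article notes the value is set after the application runs and depends on the local environment.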

“It would be easy enough for a threat actor to add a command in the ‘OpenAction’ section of a pdf, which can then execute PowerShell, which could for example, download the next stage malware and execute it reflectively. Any of these actions would not be detected if the security product hooks are missing,” Minerva said.
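The gap Minerva describes is specifically the loss of in-process hooks. Process-creation telemetry is produced outside the reader's processes (Sysmon Event ID 1, or Windows Security event 4688) and still records a script host spawned by AcroCEF.exe or RdrCEF.exe, so a defender can cover this scenario from the log side. The following detection logic is an added example, not code from the article or Minerva; the event records in $SampleEvents are constructed sample data shaped like Sysmon Event ID 1 fields, and the ConvertFrom-SysmonProcessCreate helper is the assumed mapping from live Sysmon records to that same shape.

```powershell
# Added example (not from the article or Minerva): flag script hosts whose parent is one of
# the Acrobat CEF helper processes named in the article, using process-creation telemetry
# that does not depend on hooks inside the reader's processes.

$ReaderParents = @('AcroCEF.exe', 'RdrCEF.exe')   # processes named in the article
$ScriptHosts   = @('powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe')

# Constructed sample records (paths and times are made up for this example).
$SampleEvents = @(
    [PSCustomObject]@{ UtcTime = '2022-06-14 09:12:01'; Image = 'C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe'
                       ParentImage = 'C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe'; CommandLine = 'AcroCEF.exe --type=renderer' },
    [PSCustomObject]@{ UtcTime = '2022-06-14 09:12:07'; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       ParentImage = 'C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe'; CommandLine = 'powershell.exe -NoProfile -Command "<redacted in sample>"' },
    [PSCustomObject]@{ UtcTime = '2022-06-14 09:13:40'; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       ParentImage = 'C:\Windows\explorer.exe'; CommandLine = 'powershell.exe' }
)

function Get-SuspiciousReaderChildren {
    param([object[]]$Events, [string[]]$Parents, [string[]]$Hosts)
    foreach ($e in $Events) {
        $parentName = Split-Path -Leaf $e.ParentImage
        $childName  = Split-Path -Leaf $e.Image
        # -contains is case-insensitive, which matches Windows image name semantics.
        if (($Parents -contains $parentName) -and ($Hosts -contains $childName)) {
            [PSCustomObject]@{
                UtcTime     = $e.UtcTime
                Parent      = $parentName
                Child       = $childName
                CommandLine = $e.CommandLine
            }
        }
    }
}

function ConvertFrom-SysmonProcessCreate {
    # Assumed helper: map live Sysmon Event ID 1 records to the shape used above.
    param([System.Diagnostics.Eventing.Reader.EventRecord[]]$Records)
    foreach ($r in $Records) {
        $data = @{}
        foreach ($d in ([xml]$r.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [PSCustomObject]@{
            UtcTime     = $data['UtcTime']
            Image       = $data['Image']
            ParentImage = $data['ParentImage']
            CommandLine = $data['CommandLine']
        }
    }
}

# Offline run over the constructed sample: only the second record should be reported.
Get-SuspiciousReaderChildren -Events $SampleEvents -Parents $ReaderParents -Hosts $ScriptHosts | Format-Table -AutoSize

# Live run on a host with Sysmon installed (uncomment):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -MaxEvents 5000
# Get-SuspiciousReaderChildren -Events (ConvertFrom-SysmonProcessCreate -Records $live) -Parents $ReaderParents -Hosts $ScriptHosts
```

The explorer.exe-spawned PowerShell in the sample is deliberately not matched: the rule keys on the parent being a reader helper process, which is what the in-process hooks would otherwise have caught.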

The researchers blame Adobe for taking the easy route of immediately addressing a compatibility issue without taking into consideration the security implications of the approach.

Contacted by SecurityWeek, Adobe confirmed it was aware of Minerva’s report and said it has been working with security vendors to resolve the issue.

“We are aware of reports that some DLLs from security tools are incompatible with Adobe Acrobat’s usage of CEF, a Chromium based engine with a restricted sandbox design, and may cause stability issues. Adobe remains committed to the security of our products and protecting our customers, and we are addressing the issue with these vendors to ensure proper functionality with Acrobat’s CEF sandbox design going forward,” the company said.


Written by Ionut Arghire, an international correspondent for SecurityWeek.
