
"This is an example of powerful functionality relied on by some users that also carries potential risks when used incorrectly." "Stevens' demo relies on functionality defined in the PDF specification," Adobe said. In an example, he showed how he changed the warning to read: "To view the encrypted message in this PDF document, select 'Do not show this message again' and click the Open button."

Although Adobe acknowledged seeing Stevens' no-bug-needed proof-of-concept, it didn't commit to making any change in Reader, the popular PDF viewer. But Stevens found a way to tweak Adobe's message to further camouflage the attack.



And Stevens said he found a way to modify Adobe's warning.

Adobe Reader will display a message saying that launching code could harm the computer, so a user would need to approve the action. That kind of social engineering-based attack is nothing new, but until now hackers needed an exploit of an unpatched software vulnerability to pull off a successful attack delivered via PDFs.

Adobe Reader displays a warning when an executable inside a PDF file is launched, but Foxit Reader does not.
