Adobe Acrobat queries antivirus programs that can inspect PDF files

June 24, 2022

Adobe Acrobat users might be at risk after security researchers found that the software may block antivirus programs from inspecting PDF files, which also prevents these AV tools from detecting whether a PDF file is infected with malicious trojans.

Most security tools require visibility into a computer system’s software and processes. To get it, antivirus programs inject dynamic-link libraries (DLLs) into the applications running on the computer or device.

Adobe Acrobat Reader is one of the software products most commonly found on people’s computers, since it lets users view, read, and sometimes edit PDF files. However, cybercriminals have also widely abused PDF readers to distribute malware to their victims’ machines.

According to studies, experts have observed a rise in attempts by Adobe Acrobat Reader to query the DLLs that AV programs load, which it does by obtaining a handle to each DLL. The list of queried DLLs has already grown to 30, including ones from the most widely used vendors, such as Avast, Symantec, Sophos, Emsisoft, Bitdefender, Trend Micro, and Malwarebytes.

Adobe Acrobat queries the system through the Chromium Embedded Framework (CEF) dynamic-link library ‘libcef.dll’.

Vendors that use the Chromium DLL can modify some of its components, even though some of them may be blacklisted because of the conflicts they can cause. Two Adobe processes load ‘libcef.dll’, AcroCEF[.]exe and RdrCEF[.]exe; both therefore check the system for components from the same security programs.

While these Adobe processes run, the software checks whether the value ‘bBlockDllInjection’ is set to 1 under its registry key, since this setting would prevent any AV program’s DLLs from being injected into the processes. Users should know that the default value of this registry entry for Adobe Acrobat Reader is 0. If the value has been changed to 1, security researchers imply that it was modified to actively block a specific program or software.
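One way for a defender to audit collected registry exports (.reg files) for this value, as an added example that is not from the original article or from Adobe. The key paths in the sample are constructed placeholders because the article does not name the key, and the function names are hypothetical.

```python
import re

VALUE_NAME = "bBlockDllInjection"  # value name taken from the article
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})$')

def decode_export(raw: bytes) -> str:
    """regedit writes UTF-16LE with a BOM; older REGEDIT4 exports are ANSI."""
    if raw.startswith(b"\xff\xfe"):
        return raw[2:].decode("utf-16-le")
    return raw.decode("utf-8", errors="replace")

def find_setting(raw: bytes) -> list:
    """Return (key path, value) for every key defining VALUE_NAME as a DWORD."""
    hits, key = [], None
    for line in decode_export(raw).splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = None if m.group(1) else m.group(2)  # "[-key]" marks a deletion
            continue
        m = DWORD_RE.match(line)
        # Registry value names are case-insensitive.
        if m and key and m.group(1).lower() == VALUE_NAME.lower():
            hits.append((key, int(m.group(2), 16)))
    return hits

def blocking_keys(raw: bytes) -> list:
    """Keys where the value is 1, i.e. changed from the default of 0."""
    return [k for k, v in find_setting(raw) if v == 1]

# Constructed sample export; key paths are placeholders, not real Adobe paths.
SAMPLE = b"\xff\xfe" + (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[HKEY_CURRENT_USER\\SOFTWARE\\PLACEHOLDER_VENDOR_KEY\\ProfileA]\r\n"
    '"bBlockDllInjection"=dword:00000001\r\n'
    '"OtherValue"="text"\r\n\r\n'
    "[HKEY_CURRENT_USER\\SOFTWARE\\PLACEHOLDER_VENDOR_KEY\\ProfileB]\r\n"
    '"bBlockDllInjection"=dword:00000000\r\n'
).encode("utf-16-le")

if __name__ == "__main__":
    labels = {0: "default", 1: "blocks DLL injection"}
    for key, value in find_setting(SAMPLE):
        print(f"{key}: {VALUE_NAME}={value} ({labels.get(value, 'unexpected')})")
```
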

Several users have previously reported that some AV programs are detected as incompatible with Adobe Acrobat’s use of the CEF library. Adobe says it is aware of these issues and is working with the affected AV vendors to address them.
