When Adobe Reader is installed on a system, it adds an IFilter that allows applications such as the Windows Indexing Service to index PDF files. If the Windows Indexing Service processes a malicious PDF file stored on the system, the vulnerability can be exploited. Exploitation using this technique can require little to no user interaction.
In addition to adding an IFilter, the Adobe Acrobat and Reader installation process adds a Windows Explorer Shell Extension. If Windows Explorer displays a folder that contains a malicious PDF file, the vulnerability can be exploited. Exploitation using this technique also requires little to no user interaction.
US-CERT encourages users and administrators to incorporate the following workarounds to help mitigate the risks:
- Locate and unregister the Adobe Reader IFilter using: regsvr32 /u AcroRdIF.dll
- Locate and unregister the Adobe Acrobat IFilter using: regsvr32 /u AcroIF.dll
- Disable Adobe Acrobat Windows Shell integration to help mitigate the risk. This can be disabled by executing the following command: regsvr32 /u “%CommonProgramFiles%\Adobe\Acrobat\ActiveX\pdfshell.dll”