Didier Stevens, security researcher and expert on malicious PDF files, has succeeded in creating a proof-of-concept PDF file that uses the launch action triggered by the opening of the file to execute the embedded malicious executable.
What makes this piece of news really interesting is that he didn’t exploit a security vulnerability in the PDF file, but he found a way to start the /Launch /Action command and embed the malicious file using a special technique.
The only thing standing in the way of an immediate execution of the embedded file is the warning pop-up displayed by Adobe Reader, but even this can be (partially) modified by the attacker.
The lower part of the message can thus be changed into text that uses any of a number of social engineering approaches to make the user proceed with opening the file.
The situation is worse with Foxit Reader, where no such message pops up and the malicious file is executed automatically.
Stevens hasn’t published the PoC PDF yet, but has shared it with Adobe’s Response Team. He also mentions that to prevent this kind of attack, one must simply prevent Adobe Reader from creating new processes, but doesn’t mention what to do if you use Foxit.
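Files can also be triaged for this pattern without opening them in a reader. The following is an added example, not Stevens's PoC or tooling: a Python scan that flags a /Launch action paired with an open trigger, normalizing escaped names and inflating Flate streams first. The function names and sample bytes are constructed for illustration.

```python
import re
import zlib

# Names tied to the technique described above: a launch action fired on open,
# plus embedded-file streams.
WATCHED = (b"/Launch", b"/OpenAction", b"/AA", b"/EmbeddedFile")

def decode_names(data: bytes) -> bytes:
    """Undo #xx escapes, which PDF allows inside names (/L#61unch is /Launch)."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def inflate_streams(data: bytes) -> bytes:
    """Return data plus the inflated body of every zlib-decodable stream."""
    parts = [data]
    for m in re.finditer(rb"stream\r?\n(.*?)endstream", data, re.S):
        try:
            parts.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not a Flate stream (image data, other filters): skip it
    return b"\n".join(parts)

def scan_pdf(data: bytes) -> dict:
    """Count watched names and flag a /Launch that has an open trigger."""
    text = decode_names(inflate_streams(data))
    counts = {}
    for name in WATCHED:
        # Lookahead stops /AA from matching a longer name such as /AAPL.
        pattern = re.escape(name) + rb"(?![A-Za-z0-9])"
        counts[name.decode()] = len(re.findall(pattern, text))
    trigger = counts["/OpenAction"] or counts["/AA"]
    counts["launch_on_open"] = bool(counts["/Launch"] and trigger)
    return counts

# Constructed fragments (not complete PDFs, not taken from the PoC).
SAMPLE_BENIGN = b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
SAMPLE_SUSPICIOUS = (
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
    b"3 0 obj\n<< /Type /Action /S /L#61unch /F (placeholder) >>\nendobj\n"
)

if __name__ == "__main__":
    for label, sample in (("benign", SAMPLE_BENIGN), ("suspicious", SAMPLE_SUSPICIOUS)):
        print(label, scan_pdf(sample))
```

Encrypted documents and streams using filters other than Flate are not decoded by this scan, so a clean result is not proof that no launch action is present.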