Archive for August, 2010

Aug 24 2010

Adobe fixed /Launch Function Vulnerability

Published by under Security Research

As previously mentioned, I found a flaw in Adobe's fix of the “/Launch” function on June 29. I then discussed the flaw and how to fix it with Adobe via email. In particular, I suggested two options to fix the flaw completely:

  • The first option: Adobe should compare the extension of the file found by the FindExecutableW function with the blacklist, instead of using the initial parameter of /Launch.
  • The second option: normally, Adobe Reader calls the ShellExecuteExW API to execute the “/Launch” function. Inside this Windows API, the function PathUnquoteSpacesW is called twice to remove quotes from the path before execution. So why not call PathUnquoteSpacesW to remove the quotes from the parameter before comparing it with the blacklist?

On August 19, Adobe released new updates making some changes to Adobe Reader, including the /Launch fix. I tested the update and found that the fix resembles the second option I suggested.

PathUnquoteSpacesW is called twice before the comparison with the blacklist
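The difference between checking the raw parameter and checking it after unquoting, as an added example that is not code from Adobe or from the original post. The blacklist entries, the sample path and the `unquote_once` helper (a simplified, narrow-character stand-in for PathUnquoteSpacesW) are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample blacklist; the page does not show Adobe Reader's list. */
static const char *const BLACKLIST[] = { ".exe", ".bat", ".cmd" };

/* Simplified stand-in for PathUnquoteSpacesW: strip one surrounding pair of
   double quotes in place (narrow chars are used here for portability). */
static void unquote_once(char *path) {
    size_t len = strlen(path);
    if (len >= 2 && path[0] == '"' && path[len - 1] == '"') {
        path[len - 1] = '\0';
        memmove(path, path + 1, len - 1);   /* includes the new terminator */
    }
}

/* Case-insensitive match of the text from the last '.' against the list. */
static int ext_blacklisted(const char *path) {
    const char *ext = strrchr(path, '.');
    if (ext == NULL) return 0;
    for (size_t i = 0; i < sizeof BLACKLIST / sizeof BLACKLIST[0]; i++) {
        const char *a = ext, *b = BLACKLIST[i];
        while (*a && *b && tolower((unsigned char)*a) == tolower((unsigned char)*b)) { a++; b++; }
        if (*a == '\0' && *b == '\0') return 1;
    }
    return 0;
}

/* Before the fix: the raw /Launch parameter is compared. */
int check_raw(const char *param) { return ext_blacklisted(param); }

/* After the fix as described: unquote twice, then compare. */
int check_normalized(const char *param) {
    char buf[260];
    if (strlen(param) >= sizeof buf) return 1;   /* cannot normalize: treat as blocked */
    strcpy(buf, param);
    unquote_once(buf);
    unquote_once(buf);
    return ext_blacklisted(buf);
}

int main(void) {
    const char *quoted = "\"C:\\docs\\sample.exe\"";   /* constructed input */
    printf("raw=%d normalized=%d\n", check_raw(quoted), check_normalized(quoted));
    return 0;
}
```

The check has to see the same string the launcher will act on: here the raw comparison looks at an extension that still carries a trailing quote, while the normalized comparison matches the blacklist entry.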

Hopefully, this will be the final information about the Adobe /Launch vulnerability.

Le Manh Tung
Senior Security Researcher
