Does Acrobat Reader Unload Injection of Security Products?

Submitted by
Style Pass
2022-06-22 19:00:13

Since March of 2022 we’ve seen a gradual uptick in Adobe Acrobat Reader processes attempting to query which security product DLLs are loaded into them by acquiring a handle to each DLL. The significant rise over recent months caught our attention, as this is very unusual behavior for Adobe.  

The requests originated from libcef.dll (a Chromium Embedded Framework (CEF) Dynamic Link Library which is used by many programs) which was indeed updated in March 2022.  

The basic documentation for the Chromium DLL contains a short list of DLLs that Chromium has blacklisted for causing conflicts.  

However, any vendor that uses libcef.dll can easily change this DLL list. The hard-coded DLL list in the Adobe libcef.dll version we checked had been edited: it was surprisingly longer and also contained the DLLs of the following security products:  

Libcef.dll is loaded by two Adobe processes: AcroCEF.exe and RdrCEF.exe. Both these files are “handling multiple integral aspects of the application, such as network interaction and Document Cloud services (Fill and Sign, Send for Signature, Share for View/Review, and so on)”. As both use the same DLL, we found that both of them check for the security products mentioned above.  
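One way for a security vendor to check whether a particular libcef.dll build embeds its DLL names, as an added example that is not from the original article: the script pulls every `.dll` file name stored as an ASCII or UTF-16LE string out of a binary and compares it with a watchlist. The function names, the sample bytes and the watchlist entries are constructed placeholders, and scanning both encodings is an assumption, since the article does not say how the list is stored.

```python
import re
import sys

# Runs of printable characters, stored as single bytes or as UTF-16LE.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{5,}")
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){5,}")
DLL_NAME = re.compile(r"[A-Za-z0-9_.\-]+\.dll\b", re.IGNORECASE)


def embedded_dll_names(blob):
    """Return the lower-cased DLL file names found as strings in blob."""
    runs = [m.group().decode("ascii") for m in ASCII_RUN.finditer(blob)]
    runs += [m.group().decode("utf-16-le") for m in WIDE_RUN.finditer(blob)]
    names = set()
    for run in runs:
        names.update(n.lower() for n in DLL_NAME.findall(run))
    return names


def watched_names_present(blob, watchlist):
    """Return the watchlist entries (lower-cased, sorted) embedded in blob."""
    found = embedded_dll_names(blob)
    return sorted(n.lower() for n in watchlist if n.lower() in found)


# Constructed sample standing in for a section of a DLL: one wide string,
# two ASCII strings, and some non-string bytes around them.
SAMPLE = (
    b"\x00\x01"
    + "examplehook64.dll".encode("utf-16-le")
    + b"\x00\x00"
    + b"sampleav_inject.dll\x00kernel32.dll\x00\xff\xfe\x90\x90"
)

# Hypothetical product DLL names; replace with your own product's modules.
WATCHLIST = ["ExampleHook64.dll", "SampleAV_Inject.dll", "notpresent.dll"]

if __name__ == "__main__":
    # With a path argument, scan that file; otherwise scan the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for name in watched_names_present(data, WATCHLIST):
        print("embedded:", name)
```

A hit only shows that the name is present in the file; whether the process actually queries for that module still has to be confirmed from endpoint telemetry.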