December 15, 2009 11:52 AM PST

Symantec confirms zero-day Acrobat, Reader attack

by Elinor Mills

Symantec on Tuesday confirmed a vulnerability in Adobe Acrobat and Reader and said it was being exploited by a Trojan hidden in e-mail attachments.

The malicious Adobe Acrobat PDF file is distributed via an e-mail attachment that "drops and executes when opened on a fully patched system with either Adobe Acrobat or Reader installed," Symantec said in a statement.

Symantec identified the file as Trojan Pidief.H, which targets Windows 98, 95, XP, Windows Me, Vista, NT, 2000 and Server 2003.

The rate of infection is extremely limited and the risk assessment level is very low, according to Symantec.

The exploit has been in the wild since at least last Friday, according to the Shadow Server blog.

"Several tests have confirmed this is a 0-day vulnerability affecting several versions of Adobe Acrobat [Reader] to include the most recent versions of 8.x and 9.x. We have not tested on 7.x, but it may also be vulnerable," the post says. "We did not discover this vulnerability but have received multiple reports of this issue and have examined multiple different copies of malicious PDFs that exploit this issue. This is legit and is very bad."

The vulnerability is in a JavaScript function within Adobe Acrobat Reader itself, the Shadow Server post says, before advising users to disable JavaScript.

Adobe posted a security advisory late on Tuesday saying that it had confirmed a critical vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions that could crash the system and allow an attacker to take control of the computer.

Affected software is Reader 9.2 and earlier for Windows, Macintosh, and Unix, and Acrobat 9.2 and earlier for Windows and Macintosh, Adobe said. The company recommended disabling JavaScript to protect the system.
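A triage check in the spirit of the advice above, as an added example that is not from the article, Symantec, Shadow Server or Adobe: it flags PDF attachments that carry JavaScript or auto-run actions so they can be quarantined or opened only with JavaScript disabled. The function names and sample byte strings are constructed for illustration; it inflates only Flate-compressed streams and does not handle encrypted PDFs or other filters.

```python
import re
import zlib

# PDF name keys that indicate embedded script or automatically triggered actions.
SUSPECT_NAMES = ("JS", "JavaScript", "OpenAction", "AA")

def decode_names(data: bytes) -> bytes:
    """Undo #xx hex escapes, which PDF permits inside names (/J#53 is /JS)."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def inflate_streams(data: bytes) -> bytes:
    """Return the concatenated contents of every stream that zlib can inflate."""
    out = []
    for m in re.finditer(rb"stream\r?\n(.*?)\s*endstream", data, re.S):
        try:
            out.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-compressed (or uses another filter); skip it
    return b"\n".join(out)

def scan_pdf(data: bytes) -> dict:
    """Count suspect name keys in the raw file and inside inflated streams."""
    haystack = decode_names(data + b"\n" + inflate_streams(data))
    counts = {}
    for name in SUSPECT_NAMES:
        # A name ends at whitespace or a delimiter, so /JS does not match /JSFoo.
        pat = rb"/" + name.encode() + rb"(?=[\s/<>\[\](){}%]|$)"
        counts[name] = len(re.findall(pat, haystack))
    return counts

def has_javascript(data: bytes) -> bool:
    """True when the file declares a JavaScript action anywhere we can see."""
    c = scan_pdf(data)
    return c["JS"] > 0 or c["JavaScript"] > 0

# Constructed sample inputs (PDF-like fragments made up for this example).
PLAIN = (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
         b"2 0 obj\n<< /S /JavaScript /J#53 (placeholder) >>\nendobj\n")
HIDDEN = (b"%PDF-1.7\n5 0 obj\n<< /Type /ObjStm /Filter /FlateDecode >>\nstream\n"
          + zlib.compress(b"<< /S /JavaScript /JS (placeholder) >>")
          + b"\nendstream\nendobj\n")
BENIGN = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R /JSFoo 1 >>\nendobj\n"
```

A hit means only that the file contains script, not that it is malicious; use it to decide which attachments get held for closer inspection.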

Adobe had said on Monday night that it was investigating reports of a vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions being exploited in the wild.

Adobe has increasingly had to deal with holes in and exploits targeting its popular software. Adobe issued updates in October that fixed nearly 30 holes in Reader and Acrobat 9.2. Earlier that month, Trend Micro reported on a zero-day exploit targeting Adobe Reader, as well as 9.1.3 and earlier versions of Adobe Systems' Acrobat.

In July, Adobe warned of attacks in which malicious PDF files were exploiting a vulnerability in Flash. And in April a new Reader hole emerged after Adobe fixed a two-month-old critical vulnerability in Adobe Reader 9 and Acrobat 9.

Updated 5:10 p.m. PST with Adobe confirming vulnerability.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.
by Vegaman_Dan December 15, 2009 12:14 PM PST
Is it time for Adobe to finally put PDF out to pasture and try something new from the ground up built with security in mind? Seems like they have become the whipping boy for exploits of late for PDF and Flash content. :/
by danielkza December 15, 2009 2:49 PM PST
Don't mix the PDF format and Adobe's implementation for it. Most (if not all) the flaws are the blame of the latter.
2 people like this comment
by Seaspray0 December 16, 2009 7:04 AM PST
Flash, yes. Not so much with PDF.
by sharmajunior December 15, 2009 12:35 PM PST
Huh... interesting to see that it's not targeting Windows 7 users.
3 people like this comment
by redmarine December 15, 2009 3:06 PM PST
One more reason to upgrade. :D

I'm kinda getting annoyed by all these exploits of late...
1 person likes this comment
by heulenwolf December 16, 2009 7:53 AM PST
I have yet to find a PDF where disabling JavaScript in the Reader caused any problem with viewing it. I'm not saying that JavaScript in PDFs isn't useful to anyone, but it certainly hasn't been to me. I'd suggest disabling JavaScript in the Reader as a general rule. I use Foxit Reader instead of Adobe's, which is a much smaller target, and still disable JavaScript. You can always re-enable it in the rare occurrence that you need it. That way, you're at least aware that a script is going to run and can re-evaluate whether you trust where the PDF came from. If someone out there uses PDFs with JavaScript every day, please post! I'm curious what it's used for in non-exploit cases.