A vulnerability in Adobe Reader and Acrobat has been detected with exploits already being made.
In an update on its product security incident response team, product security program manager at Adobe, David Lenoe, said: “This afternoon, Adobe received reports of a vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions being exploited in the wild (CVE-2009-4324). We are currently investigating this issue and assessing the risk to our customers. We will provide an update as soon as we have more information.”
Writing on the Shadowserver blog, Steven Adair and Matt Richard confirmed that it was a zero-day vulnerability that affects several versions of Adobe Acrobat [Reader] to include the most recent versions of 8.x and 9.x. They also said that they had not tested on 7.x, but it may also be vulnerable.
They said: “We can tell you that this exploit is in the wild and is actively being used by attackers and has been in the wild since at least 11th December, 2009. However, the number of attacks are limited and most likely targeted in nature. Expect the exploit to become more widespread in the next few weeks and unfortunately potentially become fully public within the same timeframe.”
They also said that they would not publish the details related to the exploit as there is currently no patch or update available that completely protects against this exploit and there is little to no detection of these malicious PDF files from most of the major anti-virus vendors.
Orla Cox, security operations manager at Symantec, said: “The vulnerability will be covered as we are already seeing exploits that will be leveraged for malware, and any crafted PDF can use the vulnerability to drop malware. We are seeing it happening but in this case it was expected, and the worst-case scenario is for it not to be widespread but that the vulnerability in the PDF does get exploited.
Regarding a potential patch, Cox commented that Microsoft is more prepared but Adobe does take this seriously. “They are trying to take a better approach and we know that they are working on this already.”