Adobe Reader Zero-Day Exploit: Protecting Your PC

By Tony Bradley, PC World

Reports that a zero-day vulnerability in Adobe Acrobat and Adobe Reader is being exploited in the wild have been confirmed by Adobe in a blog post. Adobe is exploring the issue to determine how to patch it, but you're on your own in the meantime.

The popular PDF document format has made the Adobe Reader software virtually ubiquitous. Few software products are installed so pervasively that they exist on nearly every system regardless of operating system. For malware developers, targeting flaws in Adobe Reader offers an exceptionally large pool of potential victims.

The issue reportedly impacts Adobe Reader and Adobe Acrobat versions 9.2 and earlier. The good news is that the attacks seen thus far are narrowly focused and targeted rather than widespread.

Ben Greenbaum, senior research manager for Symantec Security Response, explains, "The e-mails Symantec has seen thus far use fairly standard social engineering to try and lure users to open up a malicious PDF file, which Symantec detects as Trojan.Pidief.H. Symantec has an antivirus detection signature for this threat."

The Trojan horse exploits a flaw in the Adobe software to allow it to install additional malware components and further compromise the vulnerable computer. The additional malware could potentially be anything, but Symantec reports that the most prevalent malware associated with this threat right now is some type of information-stealing software.

The Shadowserver Foundation, a security watchdog organization, wrote in a blog post, "We can tell you that this exploit is in the wild and is actively being used by attackers and has been in the wild since at least December 11, 2009. However, the number of attacks is limited and most likely targeted in nature. Expect the exploit to become more widespread in the next few weeks and unfortunately potentially become fully public within the same timeframe."

The actual exploit relies on JavaScript. The Shadowserver Foundation and SANS Institute both recommend that you simply disable the execution of JavaScript within the Adobe software. In your Adobe product, go to Edit > Preferences > JavaScript, and uncheck the box next to Enable Adobe JavaScript.

Whether or not you choose to disable JavaScript in Adobe products, you should always exercise some caution and common sense before opening any email attachments. Symantec's Greenbaum points out, "In general, users should be very wary of any e-mails they receive from an unknown sender that they aren't expecting. They should never open any attachments from any such e-mail, either."

Greenbaum adds, "Many times, these e-mails will try to pressure users into opening the attachment or use scare tactics. If a user gets an e-mail from an unknown sender that tries to pressure them into opening an attachment, it is very likely that the attachment is malware and the e-mail should be deleted immediately."

Follow these precautions and keep your eyes open for an update soon from Adobe to patch the flaws.

Tony Bradley tweets as @PCSecurityNews, and can be contacted at his Facebook page.
