Many office and home users will be disturbed to hear this: a dangerous, unpatched vulnerability in both Adobe's Acrobat and Reader PDF software has apparently been around a lot longer than previously thought.
The bug was first reported last week. It has caused concern because it is really easy to exploit and Adobe is not expected to patch it for several weeks. Adobe was told about the flaw in its Acrobat and Reader software on February 12, but analysis by security vendor Sourcefire shows that attackers have actually been using the flaw for more than six weeks; the earliest samples found date back to January 9.
This critical vulnerability has been identified in Adobe Reader 9 and Acrobat 9 and earlier versions. It causes the application to crash and could potentially allow an attacker to take control of the affected system.
So far, the flaw has been used in small-scale attacks against specifically targeted individuals. Symantec has tracked only 100 attacks, but they have been increasing as attack code that exploits the flaw has gone public. The scary part is that this security bug affects both Mac and Windows users.
Security vendor Sourcefire, which researched this bug, posted an analysis of the flaw on its website on Monday.
http://milw0rm.com/exploits/8099
Also, The Shadowserver Foundation, the organisation that first reported the flaw last Thursday, expects more exploit code to show up in the following days: http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090219
The vulnerability lies in the way that Adobe's software opens certain files: to be precise, files that have been formatted using the JBIG data compression algorithm. In response to this issue, Adobe said it plans to patch the bug by March 11 (http://blogs.adobe.com/psirt/2009/02/adobe_reader_and_acrobat_issue.html), but in the meantime Sourcefire has also released an unsupported patch that fixes the issue.
The unsupported patch can be found here: http://vrt-sourcefire.blogspot.com/2009/02/homebrew-patch-for-adobe-acroreader-9.html
Security experts also say that users can mitigate the attack by disabling JavaScript within their Adobe software. In this scenario the Adobe application will still crash, but the required heap spray will not occur and code execution will not be possible.
To disable JavaScript, do the following:
In Acrobat Reader, click Edit > Preferences > JavaScript and uncheck Enable Acrobat JavaScript.
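While no vendor patch is available, incoming PDFs can also be triaged for the two features described above: a JBIG-compressed stream together with embedded JavaScript. The following is an added example, not code from Adobe, Sourcefire or the original article. It assumes the PDF format's `/JBIG2Decode` filter name and `/JavaScript` and `/JS` names, and runs on constructed sample fragments.

```python
import re

# A PDF name is "/" plus regular characters; any character may be written as a
# #xx hex escape, so "/JBIG#32Decode" and "/JBIG2Decode" are the same name.
_NAME = re.compile(rb"/((?:#[0-9A-Fa-f]{2}|[^\x00\t\n\x0c\r ()<>\[\]{}/%#])+)")
_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")

JBIG2_FILTER = b"JBIG2Decode"          # stream filter for JBIG2 image data
SCRIPT_NAMES = {b"JavaScript", b"JS"}  # names that introduce embedded script


def pdf_names(data: bytes) -> set:
    """Return every name token found in the raw bytes, hex escapes decoded."""
    return {
        _HEX.sub(lambda h: bytes([int(h.group(1), 16)]), m.group(1))
        for m in _NAME.finditer(data)
    }


def triage(data: bytes) -> dict:
    """Report the two features the article ties to this attack."""
    names = pdf_names(data)
    jbig2 = JBIG2_FILTER in names
    script = bool(SCRIPT_NAMES & names)
    # JBIG2 alone is common in scanned documents; the pairing is what to review.
    return {"jbig2": jbig2, "javascript": script, "review": jbig2 and script}


# Constructed sample fragments (not real files, no stream payloads).
SAMPLE_PLAIN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
SAMPLE_SCAN = (b"%PDF-1.4\n5 0 obj\n<< /Type /XObject /Subtype /Image "
               b"/Filter /JBIG2Decode /Length 0 >>\nendobj\n")
SAMPLE_BOTH = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction "
               b"<< /S /JavaScript /JS 7 0 R >> >>\nendobj\n"
               b"5 0 obj\n<< /Filter /JBIG#32Decode /Length 0 >>\nendobj\n")

if __name__ == "__main__":
    for label, sample in [("plain", SAMPLE_PLAIN), ("scan", SAMPLE_SCAN),
                          ("both", SAMPLE_BOTH)]:
        print(label, triage(sample))
```

A raw byte scan cannot see names stored inside compressed object streams, so a clean result is a triage hint and not proof that a file is safe.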
According to its recent statements, Adobe is aware of this issue and is actively working to address it. In the meantime, multiple antivirus companies have added detection for the threat. Trend Micro, for example, currently detects it as TROJ_PIDIEF.IN.
Symantec has also been detecting Trojan.Pidief.E since February 12, which is most likely the same threat: http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-021212-5523-99
As noted, Adobe has issued a public advisory about this issue. It plans an update by March 11th, 2009 for Adobe 9, with updates for older versions to follow soon after.
http://www.adobe.com/support/security/advisories/apsa09-01.html
In the meantime, keep an eye on the official Adobe site and security news for more information and updates on this flaw.