Adobe identified a critical vulnerability in Adobe Acrobat and Reader on Tuesday, but said today that attackers were already exploiting this bug. All versions of Acrobat and Reader 8 and 9 for Windows, Macintosh, and Unix are open to attack. Even the latest versions, 8.2.4 and 9.3.4 are not safe. Other PDF reading alternatives, such as Foxit Reader, are not affected.
Masquerading as a harmless PDF file, this exploit has malformed font and image files. Spreading as an e-mail attachment to innocent-sounding emails, the PDF saves and runs an executable file to disk when it’s opened. A variation of the email offers tips on ways to improve your golf game. Security firm Trend Micro spotted a variation with a Trojan, TROJ_PIDIEF.WM, that downloaded two other Trojans called TROJ_DLOADR.WM and TROJ_CHIFRAX.BU.
This vulnerability bypasses Windows 7’s vaunted security measures. The executable file that gets saved carries a valid digital signature, so Windows 7 allows the operation. Because a valid signature pretty much tells Windows 7 that it’s a safe file, this executable is free to download more malicious code from a server at academyhouse.us. According to Kaspersky Lab, the file appears to be form Vantage Credit Union in St. Louis. It also piggybacks on loopholes created by applications that haven’t included Windows 7’s ASLR security technology in their own code.
Adobe “is in the process of evaluating the schedule for an update to resolve this vulnerability,” and hasn’t announced any fixes or patches. The regularly scheduled patch date is Oct. 13, but an emergency patch is not out of the question.
There are reports that turning off JavaScript in Adobe Reader stops the PDF file from executing. This is only a temporary measure, as attackers can tweak the exploit to issue variations that are immune to disabling JavaScript.
