Adobe Reader exploit spotted in the wild

Adobe is investigating reports that its Reader software contains a gaping hole that is under active exploit by attackers.

Researchers at security firm FireEye's Malware Intelligence Lab said Tuesday that the unpatched vulnerability impacts the latest versions of Reader: 9.5.3, 10.1.5 and 11.0.1. Once malware takes advantage of the flaw, its payload "drops" two dynamic-link libraries, or DLLs, which are application extensions used by executable files to perform a task. In this case, they allow the infected computer to communicate with a hacker-owned server.

"The first DLL shows a fake error message and opens a decoy PDF document, which is usually common in targeted attacks," FireEye said. "The second DLL in turn drops the callback component, which talks to a remote domain."

If the exploit is confirmed, that means it's able to work around beefed-up security protections in Reader, specifically a sandbox capability introduced with Adobe Reader X. The feature is designed to mitigate attacks against Reader by forcing operations that display PDF files to the user to be run inside a confined environment.

David Lenoe, who heads up Adobe's Product Security Incident Response Team, said in a post Tuesday that Adobe currently is evaluating the possible vulnerability.

The disclosure came on the same day that Adobe shipped its regularly scheduled patches for vulnerabilities in the Flash and Shockwave players.
