Exploits expected to grow for Adobe Reader zero-day bug

Share this article:

Adobe is looking into what researchers term a "very bad" zero-day vulnerability in its popular Reader and Acrobat software.

The flaw is being actively exploited through the spread of malicious PDF files, according to Symantec. The executable is disguised as part of an email attachment. If users who have any version of Reader or Acrobat installed on their machines were to click on the attachment -- even if their PCs are fully patched -- they will be hit with the exploit.

Ben Greenbaum, senior research manager at Symantec Security Response, told SCMagazineUS.com on Tuesday that malware will be installed on the victim's computer and a secondary download also is likely to occur, which will install a trojan that attempts to steal financial data by hijacking keystrokes. Affected machines also likely will become part of a botnet.

The exploit currently is being perpetrated in limited attacks in which specific individuals are being targeted through slick social engineering schemes, Greenbaum said. Such a scenario almost certainly will become more widespread over the coming days.

"Depending on how long Adobe takes to get a patch out, this is something that is very likely to be added to the attacker's toolkit," Greenbaum said. "This is going to be a commodity, I would guess, in short order."

David Lenoe, a security program manager at Adobe, said Monday in a blog post that the vulnerability impacts Reader and Acrobat 9.2 and earlier versions.

"We are currently investigating this issue and assessing the risk to our customers," he said.

The Shadowserver Foundation, an all-volunteer internet security watchdog, said the exploit has been leveraged since at least Friday, and anti-virus providers are providing "little to no detection" of the malicious PDFs being used.

"We did not discover this vulnerability but have received multiple reports of this issue and have examined multiple different copies of malicious PDFs that exploit this issue," Shadowserver members Steven Adair and Matt Richard wrote in a blog post Monday. "This is legit and is very bad."

The pair recommends organizations consider disabling JavaScript in Reader.

Meanwhile, the SANS Internet Storm Center on Tuesday posted details on one of the exploit samples it received.

Despite efforts to harden its code in light of a number of high-profile zero-days, Adobe's PDF has become one of the most targeted file types. Greenbaum said this jibes with the threat landscape's overall shift toward client-side exploits.
Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS

More in News

Information sharing requires breaking down barriers, White House cyber guru says

Information sharing requires breaking down barriers, White House ...

The White House has advanced an agenda to promote and facilitate information sharing on security threats and vulnerabilities.

Worm variant of Android ransomware, Koler, spreads via SMS

Worm variant of Android ransomware, Koler, spreads via ...

Upon infection, the Koler variant will send an SMS message to all contacts in the device's address book.

Patch for Windows flaw can be bypassed, prompts temporary fix from Microsoft

Patch for Windows flaw can be bypassed, prompts ...

The Windows zero-day received a patch last week, but the fix can still be bypassed by crafty attackers.