Exploits expected to grow for Adobe Reader zero-day bug

Adobe is looking into what researchers term a "very bad" zero-day vulnerability in its popular Reader and Acrobat software.

The flaw is being actively exploited through the spread of malicious PDF files, according to Symantec. The malicious file is disguised as an ordinary email attachment. Users who have any version of Reader or Acrobat installed on their machines and open the attachment -- even on fully patched PCs -- will be hit with the exploit.

Ben Greenbaum, senior research manager at Symantec Security Response, told SCMagazineUS.com on Tuesday that malware will be installed on the victim's computer and that a secondary download is also likely to occur, installing a trojan that attempts to steal financial data by hijacking keystrokes. Affected machines are also likely to become part of a botnet.

The exploit currently is being perpetrated in limited attacks in which specific individuals are being targeted through slick social engineering schemes, Greenbaum said. Such a scenario almost certainly will become more widespread over the coming days.

"Depending on how long Adobe takes to get a patch out, this is something that is very likely to be added to the attacker's toolkit," Greenbaum said. "This is going to be a commodity, I would guess, in short order."

David Lenoe, a security program manager at Adobe, said Monday in a blog post that the vulnerability affects Reader and Acrobat 9.2 and earlier versions.

"We are currently investigating this issue and assessing the risk to our customers," he said.

The Shadowserver Foundation, an all-volunteer internet security watchdog, said the exploit has been leveraged since at least Friday, and anti-virus providers are providing "little to no detection" of the malicious PDFs being used.

"We did not discover this vulnerability but have received multiple reports of this issue and have examined multiple different copies of malicious PDFs that exploit this issue," Shadowserver members Steven Adair and Matt Richard wrote in a blog post Monday. "This is legit and is very bad."

The pair recommends organizations consider disabling JavaScript in Reader.
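The recommendation to disable JavaScript in Reader points at the practical defender-side check the article does not spell out: triaging inbound PDFs for JavaScript and auto-run actions before anyone opens them. The script below is an added example, not code from the article, Symantec or Shadowserver; the indicator list and the two sample PDFs are constructed for illustration, and it also resolves hex-escaped names and inflates FlateDecode streams, two places where a naive string search misses the script.

```python
import re
import zlib

# PDF name objects that make a document run script or act automatically on open.
# Constructed triage list; /AA (additional actions) and /Launch are included because
# they are other ways a PDF can trigger behaviour without a click.
INDICATORS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch")


def normalize_names(data: bytes) -> bytes:
    """Resolve #xx hex escapes so a name written as /J#61vaScript reads as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Concatenate the contents of every stream that inflates as zlib (FlateDecode)."""
    out = b""
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            out += zlib.decompress(m.group(1))
        except zlib.error:
            continue  # not Flate-encoded, or truncated; nothing to inspect here
    return out


def pdf_script_indicators(data: bytes) -> dict:
    """Count each indicator in the raw objects and in inflated streams, after un-escaping names."""
    text = normalize_names(data) + normalize_names(inflate_streams(data))
    counts = {}
    for name in INDICATORS:
        # The lookahead stops /JS from matching inside a longer name such as /JSX.
        hits = len(re.findall(re.escape(name) + rb"(?![A-Za-z0-9])", text))
        if hits:
            counts[name.decode()] = hits
    return counts


# Constructed samples, not real exploit files: a plain document and one that hides
# an OpenAction script behind a hex-escaped name inside a compressed stream.
BENIGN_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
              b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n%%EOF\n")

_hidden = zlib.compress(b"<< /S /J#61vaScript /JS (app.alert(1)) >>")
SCRIPTED_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
                b"3 0 obj << /Length " + str(len(_hidden)).encode() + b" /Filter /FlateDecode >>\n"
                b"stream\n" + _hidden + b"\nendstream\nendobj\n%%EOF\n")

if __name__ == "__main__":
    for label, pdf in (("benign", BENIGN_PDF), ("scripted", SCRIPTED_PDF)):
        print(label, pdf_script_indicators(pdf) or "no script indicators")
```

A non-empty result is a reason to quarantine and inspect, not proof of malice, since legitimate forms also carry JavaScript; the value is in flagging auto-run script while signatures lag, as the article describes.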

Meanwhile, the SANS Internet Storm Center on Tuesday posted details on one of the exploit samples it received.

Despite efforts to harden its code in light of a number of high-profile zero-days, Adobe's PDF format has become one of the most targeted file types. Greenbaum said this jibes with the threat landscape's overall shift toward client-side exploits.
