Exploits expected to grow for Adobe Reader zero-day bug

Adobe is looking into what researchers term a "very bad" zero-day vulnerability in its popular Reader and Acrobat software.

The flaw is being actively exploited through the spread of malicious PDF files, according to Symantec. The executable is disguised as part of an email attachment. If users who have any version of Reader or Acrobat installed on their machines click on the attachment, even if their PCs are fully patched, they will be hit with the exploit.

Ben Greenbaum, senior research manager at Symantec Security Response, told SCMagazineUS.com on Tuesday that malware will be installed on the victim's computer and a secondary download also is likely to occur, which will install a trojan that attempts to steal financial data by hijacking keystrokes. Affected machines also likely will become part of a botnet.

The exploit currently is being perpetrated in limited attacks in which specific individuals are being targeted through slick social engineering schemes, Greenbaum said. Such a scenario almost certainly will become more widespread over the coming days.

"Depending on how long Adobe takes to get a patch out, this is something that is very likely to be added to the attacker's toolkit," Greenbaum said. "This is going to be a commodity, I would guess, in short order."

David Lenoe, a security program manager at Adobe, said Monday in a blog post that the vulnerability impacts Reader and Acrobat 9.2 and earlier versions.

"We are currently investigating this issue and assessing the risk to our customers," he said.

The Shadowserver Foundation, an all-volunteer internet security watchdog, said the exploit has been leveraged since at least Friday, and anti-virus providers are providing "little to no detection" of the malicious PDFs being used.

"We did not discover this vulnerability but have received multiple reports of this issue and have examined multiple different copies of malicious PDFs that exploit this issue," Shadowserver members Steven Adair and Matt Richard wrote in a blog post Monday. "This is legit and is very bad."

The pair recommends organizations consider disabling JavaScript in Reader.

Meanwhile, the SANS Internet Storm Center on Tuesday posted details on one of the exploit samples it received.

Despite efforts to harden its code in light of a number of high-profile zero-days, Adobe's PDF has become one of the most targeted file types. Greenbaum said this jibes with the threat landscape's overall shift toward client-side exploits.