Another Adobe PDF Exploit in the Wild

McAfee Avert Labs is tracking an active exploitation of a recently patched vulnerability in Adobe Acrobat Reader now in the wild. The current vulnerability can be embedded in a PDF file and manipulated through Adobe JavaScript.

The first evidence of such maliciously crafted PDF files was posted to an Italian message forum from an alert administrator who noted that three of his workstations had been infected. Successful exploitation leads to the embedded JavaScript being executed on the victim’s machine. The script attempts to download a Trojan from an IP address in the Netherlands.

This exploit works for both browser-based and email attack vectors and affects the following Adobe products:

• Adobe Reader 8.1.1 and earlier versions
• Adobe Acrobat Professional, 3D, and Standard 8.1.1 and earlier versions

Complete mitigation requires upgrading Acrobat and Adobe Reader 7.x and 8.x to Version 8.1.2.

Malware authors will find this technique of using exploit-laden PDF files in spear phishing attacks very profitable–especially since the Portable Document Format (PDF) is a de-facto standard for exchanging electronic documents online. PDF files have traditionally been unfiltered at the gateway and until recently were considered risk free–in contrast to the notorious history associated with Microsoft Office documents.

With the release of Windows Vista and Microsoft Office 2007, however, Microsoft has made it more difficult for attackers to use buffer overflow exploits. Thus we expect to see exploit writers target the lower hanging fruit. Exploiting vulnerabilities in popular applications from Adobe, Apple, or RealPlayer are proving to be just as advantageous and profitable for the bad guys.

We strongly advise users running vulnerable versions of Adobe Reader and Acrobat to update them from the Adobe site. McAfee users are protected against these maliciously crafted PDF files with today’s 5227 DAT release, which detects them as Exploit-PDF.b.