Adobe flaw risks exploitation

8 Jan 2010

Security experts are warning that an unpatched Adobe PDF vulnerability due to be fixed in the vendor's upcoming 12 January quarterly security update is actively being exploited in the wild.

The flaw in Acrobat and Reader software, which was first discovered in mid-December, could allow a hacker to cause a system crash and potentially take control of an affected PC.

Despite reports at the time that the flaw was actively being exploited, Adobe's director of product security and privacy, Brad Arkin, explained that the firm would not be working on a fix prior to the 12 January quarterly update because it could "negatively impact the timing of the next quarterly security update".

However, hackers appear to be stepping up their activities. A posting on security vendor Trend Micro's blog today said that a new PDF sample exploiting the same unpatched vulnerability in Acrobat and Reader has been spotted in the wild.

"The sample (detected by Trend Micro as TROJ_PIDIEF.WIA) uses the heap spray technique to execute shellcode in its stream. As a result, a malicious file detected as BKDR_POISON.UC is dropped into the system," the blog noted.

"When executed, BKDR_POISON.UC opens an instance of Internet Explorer and connects to a remote site, cecon.{BLOCKED}-show.org. Once connected, a malicious user may execute any command on the affected system."

Until 12 January, Adobe is recommending customers to either disable JavaScript in Reader and Acrobat or, for those running versions 9.2 or 8.1.7, to use the JavaScript Blacklist Framework.

print this article