Adobe has issued a new security advisory concerning Adobe Acrobat, its line of PDF software. All current versions of Reader and Acrobat are known to be vulnerable across all supported platforms—Windows and Mac for Acrobat and Windows, Mac, and Unix for Reader. According to the advisory, an attacker could use the vulnerability to “to take control of the affected system,” meaning random code could be executed on user systems.
Trend Micro has already found malicious files that exploit this vulnerability. These are detected as TROJ_PIDIEF.WM. In turn, this file drops a downloader (TROJ_DLOADR.WM), which leads to another downloader, TROJ_CHIFRAX.BU. More PIDIEF variants that exploit this vulnerability are sure to be spotted in the next few days.
The URLs where TROJ_CHIFRAX.BU is located and downloads malware from are currently unavailable. Curiously, even if the website was registered on the .US top-level domain, WHOIS records indicate the registrant is in Hong Kong. In addition, the servers that actually host the site are located in Germany and the United States. This indicates that some effort was placed into hiding the actual persons responsible for this attack.
In addition, the dropped malicious file is signed, much like the earlier Stuxnet malware. This time, the certificate of a legitimate American credit union was used:
Adobe has not stated when security updates will be made available, saying only that they are “evaluating the schedule” for a potential fix. They have advised their users to keep their antivirus software updated to protect themselves until a fix is made available.
This is the second major zero-day vulnerability that Adobe has had to deal with in 2010. The first one, which affected both Acrobat and Flash, was discussed in the Malware Blog post, “Zero-Day Flash/Acrobat Exploit Seen in the Wild.” The timeline of that particular incident—where a flaw revealed early in the month was fixed by the end of the month—suggests a fix will come in the next few weeks.
Trend Micro protects users from this attack via its Trend Micro™ Smart Protection Network™ that detects the malicious files currently exploiting this vulnerability as well as blocks the URLs related to this threat.
Update as of October 6, 2010
Adobe has released an update to fix this vulnerability. Details may be found in this security bulletin.