Well I guess it’s better late than never… Or not.
Apparently, one of the three recently revealed bugs on Adobe Reader has already been actively exploited by hackers for at least three weeks before it was patched. That’s after thousands had already been affected.
Discovered by iDefense Labs researcher Greg McManus, this exploit was initially reported to Adobe in October 2007 but remained unacknowledged. SANS Internet Storm Center reported that the flaw remained unfixed, only to be patched three weeks after the first report of an exploit was found in an Italian forum.
Served up through banner ads or spammed through email, the malicious PDF file designed to exploit this vulnerability connects to a certain IP address to download possibly malicious files. This exploit, identified as CVE-2008-0655, affects the following Adobe software versions:
- Adobe Reader 8.1.1 and earlier versions
- Adobe Acrobat Professional, 3D and Standard 8.1.1 and earlier versions
This exploit is detected by Trend Micro as EXPL_PIDIEF.O.
Adobe has already released the security update that addresses the said exploit and has strongly recommended users to update their versions to avoid being affected. The patch is available at the Adobe Security Advisories page.
Software vendors should take immediate measures in fixing flaws and not give malware authors the time to take advantage. Such incidents indicate the importance of not only the effectivity of responses, but their timeliness as well.