The Portable Document Format, or PDF for short, has always been a popular way of distributing documents. It’s no surprise then that cybercriminals have tried to use it as a means of spreading malicious files.
Yesterday, the Shadowserver Foundation underlined the severity of this problem when they released details about a new vulnerability in versions of both Adobe Acrobat and Adobe Reader. Folks at Adobe assured users that they are working on a patch, to be released in March.
Trend Micro already detects files that exploit the new vulnerability as TROJ_PIDIEF.IN. These specially crafted PDF files crash Acrobat and/or Reader–but not before they drop malicious files onto the affected system. The exact malware that is dropped varies, but includes backdoors like BKDR_NETCL.A, and other software exploits like EXPL_EXECOD.A. The potential of an exploit like this is only limited by the imagination of cybercriminals. It spreads the same way normal PDF files can be distributed–either as an email attachment, or downloaded from Websites.
Until Adobe patches this issue, users should exercise caution with PDF files that come from untrusted sources. Using third-party PDF readers such as Foxit will also reduce the threat. In addition, it is highly recommended to disable JavaScript rendering.
Update as of 22 February 2009, 7PM PST
Users who do not want to install an alternative PDF reader could disable Acrobat JavaScript. This would stop the exploit, because its vector is through JS. This option is in Edit>Preferences, under JavaScript settings.
Figure 1. How to disable Adobe JS.
More information on this vulnerability, as well as all the related malware, could be found on the Trend Micro security advisories page.
