Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.
Kelly Jackson Higgins, Editor-in-Chief, Dark Reading
December 15, 2009
3 Min Read
Adobe's Reader and Acrobat PDF applications have been hit by a new attack exploiting an unpatched vulnerability in the pervasive tools. So far the exploit has been used mostly in targeted attacks, but researchers say it could soon spread now that the cat is out of the bag.
Adobe late yesterday issued a brief update about the as-yet undisclosed vulnerability in Acrobat Reader and Acrobat 9.2 and previous versions that's being exploited in the wild. The vendor says it will issue a patch on January 12 in conjunction with its quarterly update schedule. "This vulnerability (CVE-2009-4324) could cause a crash and potentially allow an attacker to take control of the affected system," Adobe says.
Ben Greenbaum, senior research manager for Symantec Security Response, says the exploit similar to previous ones for Reader and Acrobat as well as for other client-side attacks. "This is the preferred method of attack for criminals the past couple of years. They will discover vulnerabilities in the software that runs on the end user machine" for processing remote content, he says. "It's used to install some kind of malware that logs keystrokes and records financial transactions, [for example] and sends that information back to the attacker."
And like similar attacks, this one also recruits the victim to its botnet so that it can issue updates of its malware to the machine.
It works like this: the user is sent a socially engineered email with a PDF attachment. When the victim opens the malicious PDF, his machine is pushed a Trojan that then installs the Infostealer family of malware that logs keystrokes, captures screenshots, and sends that information to its controller, Greenbaum says. Symantec has christened the Trojan as Trojan.Pidief.H.
So far, the exploit has been hitting a small number of victims and it appears to be targeted, researchers say. "But it could very easily be added to toolkits. At that point, exploitation would become more widespread," Greenbaum says. So far, it arrives with an urgent email message, some of which is in broken English, indicating the attack comes from a location where English isn't the primary language, he says.
So far, only a handful of antivirus products can detect the exploit, including McAfee's GW Edition, eSafe, NOD32, Symantec, and Kaspersky Lab.
Even once this zero-day gets patched, don't expect the bad guys to give up on Adobe apps. The wildly popular Acrobat Reader is found on most users' machines. "Attackers typically go after software packages that are deployed most widely. It's a business decision to get a better return on their investment," Greenbaum says. "That's part of the reason for the repeated targeting of Adobe product ... everyone has it on their computer, so you're going to have the broadest possible audience."
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.
About the Author(s)
Editor-in-Chief, Dark Reading
Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.
You May Also Like
A screen displaying many different types of charts and graphs to show what data is being analyzed.Cybersecurity Analytics