Adobe late yesterday issued a brief update about the as-yet undisclosed vulnerability in Acrobat Reader and Acrobat 9.2 and previous versions that's being exploited in the wild. The vendor says it will issue a patch on January 12 in conjunction with its quarterly update schedule. "This vulnerability (CVE-2009-4324) could cause a crash and potentially allow an attacker to take control of the affected system," Adobe says.
Ben Greenbaum, senior research manager for Symantec Security Response, says the exploit similar to previous ones for Reader and Acrobat as well as for other client-side attacks. "This is the preferred method of attack for criminals the past couple of years. They will discover vulnerabilities in the software that runs on the end user machine" for processing remote content, he says. "It's used to install some kind of malware that logs keystrokes and records financial transactions, [for example] and sends that information back to the attacker."
And like similar attacks, this one also recruits the victim to its botnet so that it can issue updates of its malware to the machine.
It works like this: the user is sent a socially engineered email with a PDF attachment. When the victim opens the malicious PDF, his machine is pushed a Trojan that then installs the Infostealer family of malware that logs keystrokes, captures screenshots, and sends that information to its controller, Greenbaum says. Symantec has christened the Trojan as Trojan.Pidief.H.
So far, the exploit has been hitting a small number of victims and it appears to be targeted, researchers say. "But it could very easily be added to toolkits. At that point, exploitation would become more widespread," Greenbaum says. So far, it arrives with an urgent email message, some of which is in broken English, indicating the attack comes from a location where English isn't the primary language, he says.
So far, only a handful of antivirus products can detect the exploit, including McAfee's GW Edition, eSafe, NOD32, Symantec, and Kaspersky Lab.
Even once this zero-day gets patched, don't expect the bad guys to give up on Adobe apps. The wildly popular Acrobat Reader is found on most users' machines. "Attackers typically go after software packages that are deployed most widely. It's a business decision to get a better return on their investment," Greenbaum says. "That's part of the reason for the repeated targeting of Adobe product ... everyone has it on their computer, so you're going to have the broadest possible audience."
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.