According to Adobe, this vulnerability would cause the application to crash and could potentially allow an attacker to take control of the affected system . Adobe categorizes this as a critical issue and recommends that users update their virus definitions and exercise caution when opening files from untrusted sources.

"Adobe is planning to release updates to Adobe Reader and Acrobat to resolve the relevant security issue. Adobe expects to make available an update for Adobe Reader 9 and Acrobat 9 by March 11th, 2009," Adobe said in its security advisory. "Updates for Adobe Reader 8 and Acrobat 8 will follow soon after, with Adobe Reader 7 and Acrobat 7 updates to follow."

Several Attack Variations

In the meantime, Adobe said it is in contact with antivirus vendors, including McAfee and Symantec. According to the Shadowserver Foundation, there are several different variations of the attack, and it's only a matter of time before the vulnerability ends up in every exploit pack on the Internet. Zero-day attacks are the preferred choice of cybercriminals because victims are less able to defend against them.

"At the turn of 2009, malicious PDF documents were discovered to be exploiting a zero-day vulnerability affecting Adobe Reader 8.x and 9.x. In parsing a specially crafted embedded object, a bug in the reader allowed the attacker to overwrite memory at an arbitrary location," said McAfee's Geok Meng Ong. "The attacks, found in the field, use the infamous 'HeapSpray' method via JavaScript to achieve control of code execution."

When successful, the attack installs a backdoor for remote control and monitoring of infected systems. While the distribution of this exploit so far appears to be targeted, new variants are expected as more information is made public, Ong said. As with the Conficker experience, Ong noted the lack of good patch management is a very worrying trend that deserves more attention from IT security practitioners.

A JavaScript Payload

Symantec says it has received several PDF files that actively exploit a vulnerability in Adobe Reader. Symantec said the vulnerability is caused by an error in parsing particular structures within the PDF format. Once the malicious document is opened, it will trigger the vulnerability.

The JavaScript payload then sprays the heap with malicious code in an attempt to increase the chances of a successful exploit. If the exploit is successful, a malicious binary will be dropped and executed on the victim's system.

"We are continuing to remain in contact with Adobe on this vulnerability in order to ensure the security of our mutual customers," said Kevin Haley, director of Symantec Security Response. "This exploit is currently detected heuristically as Bloodhound.PDF.6 by our products. We have noticed an increase in submissions of similar PDFs using this exploit. So far, these attacks appear to be targeted and not widespread. Symantec is continuing to monitor the vulnerability's use in the wild."