A brand new, highly sophisticated "zero-day" exploit for Adobe Acrobat and Adobe Reader that lets criminals infect computers with malicious software has been spotted in the wild.
According to FireEye, the Milpitas, Calif., computer-security company that uncovered the flaw, the exploit affects Acrobat and Reader versions 11.0.1 and earlier. Adobe has confirmed that.
A FireEye researcher told Kaspersky Lab's Threatpost blog that the exploit comes in a PDF pretending to be an international travel visa application.
The exploit is noteworthy for its ability to circumvent security features that Adobe rolled out with Acrobat and Reader X, or 10, in November 2010, especially the "sandbox" meant to prevent exploits from affecting other processes.
It also bypasses newer security features, such as the address space layout randomization (ASLR) that Adobe introduced only this past October, and seems to tailor its attack depending on which version of Acrobat or Reader it encounters.
Acrobat and Reader are used to create and read portable document format (PDF) files. Adobe creates plug-ins that let Web browsers read PDFs, and those plug-ins are presumably also affected by this new exploit.
Browsers containing Adobe plug-ins could be vulnerable to drive-by downloads using this exploit. Infections could happen just by visiting a website rigged with malware.
Adobe is working on a patch, but in the meantime the company advises Windows users to upgrade to Adobe Acrobat/Reader 11 and turning on a feature called "Protected View."
"To enable this setting, choose the 'Files from potentially unsafe locations' option under the Edit > Preferences > Security (Enhanced) menu," said an Adobe security advisory updated last night (Feb. 13).
Mac users can open PDFs using Preview instead; Linux users can use Google's Chrome browser, which has its own PDF reader.
Once on board, the exploit places two Windows dynamic-link-library (DLL) files onto the machine.
"The first DLL shows a fake error message and opens a decoy PDF document, which is usually common in targeted attacks," FireEye explained on its blog Tuesday (Feb. 12). "The second DLL in turn drops the callback component, which talks to a remote domain."
Russian security firm Kaspersky Lab said this attack was the first successful sandbox workaround for Reader X and subsequent versions.
"We can confirm the existence of a malicious PDF in the wild that's successfully able to break out of Adobe Reader's sandbox," Roel Schouwenberg, senior security researcher at Kaspersky Lab, told Threatpost. "We've seen successful exploitation on a machine running Windows 7x64 and Adobe Reader 11.0.1."
Interestingly, FireEye said in a follow-up blog posting yesterday that much of the JavaScript used by the exploit to attack Acrobat and Reader was in Italian.
Kaspersky's SecureList blog on Tuesday posted a report detailing how an exploit targeting a different Adobe product, Flash Player, and discovered and patched just last week, was used in police spyware created and marketed by an Italian firm called HackingTeam.
FireEye is warning users of Acrobat, Reader and Adobe browser plug-ins not to open PDFs until the problem is fixed.