Latest PDF being exploited – beware of what you open

On Tuesday, FireEye reported, “we identified that a PDF zero-day is being exploited in the wild, and we observed successful exploitation on the latest Adobe PDF Reader 9.5.3, 10.1.5, and 11.0.1.” It gave little further information, commenting only “we have been working with Adobe and have jointly agreed to refrain from posting the technical details of the zero-day at this time.”

Adobe responded rapidly with an advisory on Wednesday. It warns that the vulnerabilities affect Reader and Acrobat versions 11, 10 and 9; could cause the application to crash and allow the attacker to take control of the system; and that “these vulnerabilities are being exploited in the wild in targeted attacks designed to trick Windows users into clicking on a malicious PDF file delivered in an email message.”

The advisory suggests Windows users can protect themselves “by enabling Protected View. To enable this setting, choose the ‘Files from potentially unsafe locations’ option under the Edit > Preferences > Security (Enhanced) menu;” but makes no mention of Mac users, even though that platform can also be affected. The best advice is simply not to open any unexpected PDF files and – since Adobe says it shares information with the AV industry – to make sure that AV software is kept up to date at all times.

Coinciding with the Adobe advisory, FireEye has now published further details on the exploit’s shellcode without yet sharing the more technical details of the vulnerabilities. If these reports are confirmed, suggests Ross Barrett, senior manager of security engineering at Rapid7, this particular exploit is remarkable as “the first known to bypass the latest sandbox and protection schemes built into Adobe’s Reader. However it also affects Reader 9 and 10, so older versions without the sandbox protection are also vulnerable.”

Researcher Claudio Guarnieri, also from Rapid7, adds, “Both the origin and nature of the malware being distributed seems to be unclear, but it's likely to unfold yet another targeted campaign of sophisticated attacks. While only seen in targeted espionage intrusions so far, users should be very careful and handle unknown PDF documents with suspicion while waiting for Adobe to complete its investigation and release a patch.”