The security vulnerability, published yesterday as CVE-2009-3459, affects versions of Adobe Reader and Acrobat as early as 7.0. Discovered by Chia-Ching Fang and the Information and Communication Security Technology Service Center, the vulnerability allows an attacker to execute remote code on a victim's machine by supplying a malicious PDF file. Failed attempts will will likely result in denial of service conditions, according to a report on the flaw by SecurityFocus.
"You can 'clean' PDF documents by first converting them into another format (like Postscript) and then back into PDF", said Johannes Ullrich, of the SANS Technology Institute, who added that the vulnerability does not require JavaScript to work. "However, this is not 100% certain to remove the exploit and you may infect the machine that does the conversion as it will likely still use the vulnerable libraries to convert the document."
Adobe announced yesterday that it would release a fix for the security problem as part of its forthcoming quarterly security update, scheduled for next Wednesday, October 13. Until then, customers are advised to turn on the Data Execution Prevention feature in Windows Vista, which monitors programs to make sure that they use system memory safely.
This is not the first flaw that Adobe Reader users have had to contend with. In February, the company reported that another security flaw in the program enabled remote code execution if booby-trapped PDF files were opened. Again, that security bug was quickly exploited by malware writers, and the attacks were again set to be targeted. The victims were government, large enterprise and financial services organisations, according to Symantec, which documented the attack.