Security browser vendor warns over wave of PDF malware attacks

According to Didier Stevens, the security issue is not a flaw as such, but takes advantage of a misuse of the Adobe '/Launch' function – which is part of the PDF feature set.

Stevens says that Adobe is aware of the issue and is planning an update to counter the problem but, in the meantime, he is advising users to turn off the '/Launch' feature in Adobe Acrobat and Reader applications.

Though complex, Infosecurity notes that the attack vector – now it is out in the open – could be exploited by cybercriminals using obfuscated code, but the issue would be how to get the malware code onto the user's PC in the first place.

Using a trojan hidden in a message link would be one approach and, because of this, Trusteer, the browser security and fraud prevention specialist, says that it poses a potentially serious threat to organisations and individuals.

Mickey Boodaei, the firm's CEO, says that the demonstrated attack methodology could allow criminals to embed a malicious executable file inside a simple PDF file. When the user opens the PDF, the malicious executable runs.

"Whilst Acrobat Reader normally display a warning that an executable inside a PDF file is being launched, Stevens appears to have found a way to modify the alert and fool users into approving the action", he said.

"Our research team were quickly able to replicate Didier's findings and there is every reason to believe this exploit will be added to the multi-exploit Adobe hacker toolkits in use by cybercriminals", he added.

Like Stevens, Trusteer is advising all users to disable the function of running PDF-embedded attachments within Adobe's software.

This can be achieved, he says, quite easily from the settings option within the software or, as Adobe has advised in a security blog, by a direct Registry setting change.
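Where the feature cannot be switched off on every desktop at once, a mail or web gateway can flag PDFs that declare a '/Launch' action before they reach users. The following is an added example, not code from Stevens, Trusteer or Adobe; the function names, verdict labels and sample byte strings are constructed for illustration, and it only sees names in the uncompressed parts of a file.

```python
import re

# PDF names may hide characters as #xx hex escapes (/L#61unch is /Launch),
# so every name token is decoded before it is compared.
_NAME = re.compile(rb"/((?:[^\x00\t\n\f\r ()<>\[\]{}/%#]|#[0-9A-Fa-f]{2})+)")
_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

def pdf_names(data: bytes):
    """Yield (decoded_name, was_escaped) for each name token in the raw bytes."""
    for m in _NAME.finditer(data):
        raw = m.group(1)
        decoded = _ESCAPE.sub(lambda e: bytes([int(e.group(1), 16)]), raw)
        yield decoded.decode("latin-1"), decoded != raw

def scan_pdf(data: bytes) -> dict:
    """Triage a PDF for /Launch actions.

    Limits: names inside compressed object streams are not seen, and a
    matching token inside page text is counted too, so treat the result
    as a triage signal rather than proof.
    """
    report = {"launch": 0, "escaped_launch": 0, "auto_open": 0, "verdict": "pass"}
    for name, escaped in pdf_names(data):
        if name == "Launch":
            report["launch"] += 1
            report["escaped_launch"] += int(escaped)
        elif name in ("OpenAction", "AA"):  # actions that fire without a click
            report["auto_open"] += 1
    if report["launch"]:
        # A hidden name or an automatic trigger raises the severity.
        suspicious = report["auto_open"] or report["escaped_launch"]
        report["verdict"] = "quarantine" if suspicious else "review"
    return report

# Constructed fragments (not real documents); the launch target is a placeholder.
SAMPLE_PLAIN = (b"1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
                b"2 0 obj\n<< /S /Launch /F (PLACEHOLDER) >>\nendobj\n")
SAMPLE_ESCAPED = b"2 0 obj\n<< /S /L#61unch /F (PLACEHOLDER) >>\nendobj\n"
SAMPLE_CLEAN = b"1 0 obj\n<< /Type /Catalog /Pages 3 0 R >>\nendobj\n"

if __name__ == "__main__":
    for label, blob in [("plain", SAMPLE_PLAIN), ("escaped", SAMPLE_ESCAPED),
                        ("clean", SAMPLE_CLEAN)]:
        print(label, scan_pdf(blob))
```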

Boodaei went on to say that he anticipates that cybercriminals and hackers will try to exploit this structural Adobe issue using social engineering techniques, which lure internet users into a false sense of safety.

Social engineering, he explained, is becoming an increasingly important tool used by criminals.

"Many security solutions such as antivirus and personal firewalls rely on Internet users to make the right choice", he said. "They present technical messages that are hard to understand and expect users to decide what to do with them. Acrobat Reader works similarly by expecting Internet users to understand the security implications of running an embedded file", he added.

"Stevens' attack makes it harder for users to make the right choice as it allows criminals to tamper with the message that Acrobat presents and use social engineering techniques to convince users to take the wrong choice."
