Anti-malware company F-Secure found the attack, embedded in a PDF document purporting to come from the US Air Force. "The document talks about a real conference to be held in Las Vegas in March", said Mikko Hyppönen, chief research officer at F-Secure.
The PDF document advertises the Mission Planning Users Conference (MPUC 2010), taking place in March. When opened, the PDF exploits the CVE-2009-4234 vulnerability, which lies in the doc.media.newPlayer function within Adobe Reader.
While Adobe patched this vulnerability on January 12, it has not yet switched on the silent auto-update functionality for the Acrobat or Reader user base. This means that anyone who has not explicitly accepted the patch remains vulnerable to this attack.
According to F-Secure's analysis, the exploit drops a file called Updater.exe, which connects to an IP address in Taiwan, and bypasses any local web proxies in the process.
"While the 'Aurora' attacks against Google and others happened in December 2009, this happened just last week," Hyppönen said.
Late last week, iDefense backed down on its claim that Operation Aurora used vulnerabilities in Adobe Reader. "Upon further review, we are retracting our initial assessment regarding the likely use of Adobe vulnerabilities," the company said.
Nevertheless, targeted attacks using this vulnerability do appear to be surfacing, and the careful research behind the lure suggests that the perpetrators know what they are doing and are targeting individuals in the defense community.