Attackers are targeting new, unpatched flaws in both Adobe Acrobat and Adobe Reader. The vulnerabilities exist in the most recent versions of the applications and are under active attack, according to Adobe.
Adobe disclosed the vulnerabilities on Monday, saying that the company’s security staff had received reports of the new attacks and were investigating.
This afternoon, Adobe received reports of a vulnerability in Adobe
Reader and Acrobat 9.2 and earlier versions being exploited in the wild
(CVE-2009-4324). We are currently investigating this issue and
assessing the risk to our customers.
In a report on Monday, The Shadowserver Foundation said that the group had been seeing attacks against the Adobe flaws since at least Dec. 11. The flaws affect Adobe Reader and Acrobat 9.2 and earlier versions. Shadowserver said it had tested the vulnerabilities and found that versions 8.x and 9.x are vulnerable.
The vulnerability is a JavaScript flaw in Adobe Reader and Acrobat, according to Shadowserver, and the exploit code has been disclosed publicly.
We can tell you that this exploit is in the wild and is actively being
used by attackers and has been in the wild since at least December 11,
2009. However, the number of attacks are limited and most likely
targeted in nature. Expect the exploit to become more wide spread in
the next few weeks and unfortunately potentially become fully public
within the same timeframe. We are fully aware of all the details
related to the exploit but do not plan to publish them…With that said we can tell you that this vulnerability is actually in a
JavaScript function within Adobe Acrobat [Reader] itself. Furthermore
the vulnerable JavaScript is obfuscated inside a zlib stream making
universal detection and intrusion detection signatures much more
difficult.
Disabling JavaScript in Adobe Reader and Acrobat can help mitigate the effects of the vulnerability.