On Wednesday, researchers at Symantec announced that they have uncovered attacks where malicious Adobe Acrobat PDF files are exploiting a vulnerability in Flash and dropping Trojans onto computers.
The situation could affect a large number of users, since Flash exists in all popular browsers, is available in PDF files and is largely operating system-independent.
Any software that uses Flash could be vulnerable to an attack, according to Symantec. Adobe Reader is vulnerable because its Flash interpreter is vulnerable, said Paul Royal, principal researcher at Purewire, a web security services provider.
In a post on its website, Adobe said it "is aware of reports of a potential vulnerability in Adobe Reader and Acrobat 9.1.2 and Adobe Flash Player 9 and 10. We are currently investigating this potential issue and will have an update once we get more information."
"The authors of the exploit have managed to take a bug and turn it into a reliable exploit using a heap spray technique," wrote Patrick Fitzgerald on a Symantec security blog post.
"Typically an attacker would entice a user to visit a malicious website or send a malicious PDF via email," he continued. "Once the unsuspecting user visits the website or opens the PDF, this exploit will allow further malware to be dropped onto the victim's machine. The malicious PDF files are detected as Trojan.Pidief.G and the dropped files as Trojan Horse."
It appears the exploit was first developed two weeks ago, Royal said. The bug itself has been around since December 2008.
The hole is exploitable on Windows XP and Vista users are protected if User Account Control (UAC) is enabled, Symantec said.
US-Cert has offered information about workarounds on its website:
- Disable Flash in Adobe Reader 9 on Windows platforms by renaming the following files:
"%ProgramFiles%\Adobe\Reader 9.0\Reader\authplay.dll" and
"%ProgramFiles%\Adobe\Reader 9.0\Reader\rt3d.dll"
- Disable Flash Player or selectively enable Flash content as described in the 'Securing Your Web Browser' document.
Talkback
This post has been removed by a moderator.