Researchers on Wednesday said they have uncovered attacks in the wild in which malicious Acrobat PDF files are exploiting a vulnerability in Flash and dropping a Trojan onto computers.
The situation could affect tons of users since Flash exists in all popular browsers, is available in PDF files, and is largely operating system-independent.
Any software that uses Flash could be vulnerable to the attack, according to Symantec. Adobe Reader is vulnerable because its Flash interpreter is vulnerable, said Paul Royal, principal researcher at Purewire, a Web security services provider.
In a post on its Web site, Adobe said it "is aware of reports of a potential vulnerability in Adobe Reader and Acrobat 9.1.2 and Adobe Flash Player 9 and 10. We are currently investigating this potential issue and will have an update once we get more information".
"The authors of the exploit have managed to take a bug and turn it into a reliable exploit using a heap spray technique," Patrick Fitzgerald writes on a Symantec Security blog post.
"Typically an attacker would entice a user to visit a malicious Web site or send a malicious PDF via e-mail," he writes. "Once the unsuspecting user visits the Web site or opens the PDF this exploit will allow further malware to be dropped onto the victim's machine. The malicious PDF files are detected as Trojan.Pidief.G and the dropped files as Trojan Horse."
It appears the exploit was first developed about two weeks ago, Royal said. The bug itself has been around since December 2008.
The hole is exploitable on Windows XP and Vista users are protected if User Account Control (UAC) is enabled, Symantec said.
US-CERT offered information about workarounds on its Web site:
• Disable Flash in Adobe Reader 9 on Windows platforms by renaming the following files: "%ProgramFiles%\Adobe\Reader 9.0\Reader\authplay.dll" and "%ProgramFiles%\Adobe\Reader 9.0\Reader\rt3d.dll".
• Disable Flash Player or selectively enable Flash content as described in the "Securing Your Web Browser" document.
This article was first published as a blog post on CNET News.
Play video
There are currently no comments for this post.