Adobe has confirmed there are two previously undocumented flaws in the latest updates of its PDF products Adobe Reader and Acrobat that hackers were exploiting with a Turkish visa form.
The two vulnerabilities (CVE-2013-0640, CVE-2013-0641) affect Adobe Reader and Acrobat XI (11.0.01), X (10.1.5) and 9.5.3 and earlier for Windows and Mac, Adobe said in an advisory on Wednesday.
Adobe said the targeted attacks were designed to trick Windows users into clicking on emailed malicious PDF attachments, however the flaws affect the products for OS X systems as well. The company is working on a fix, it said.
At present there are few clues to who the attackers are. However, details provided to ZDNet from FireEye, the security firm that discovered the Adobe Reader and Acrobat exploits this week, suggest it is a European campaign aimed at would-be travellers to Turkey — a popular holiday spot for Europeans seeking winter sun.
A FireEye spokesperson told ZDNet on Thursday that the lure was PDF file labeled "Visaform Turkey.pdf", which is required by all foreign travellers to the country.
FireEye has released an updated technical report here, detailing how the exploit circumvents some of the anti-exploitation technologies, such as sandboxing, that Adobe has been building into Reader and Acrobat X and XI.
It appears that security hardening measures Adobe introduced through "Protected View" in Reader and Acrobat XI to prevent such exploits will stop the exploit being used. Protected View was one of the main features Adobe touted at the product's release last year, however Adobe said in its advisory that users will need to manually enable it for the protective measure to actually work.
"Enterprise administrators can protect Windows users across their organization by enabling Protected View in the registry and propagating that setting via GPO or any other method," the software company added.