Don't open that PDF: There's an Adobe Reader zero-day on the loose

After Java and Flash, now PDF Reader is under attack, with one security firm warning Reader users to avoid PDFs.
Written by Liam Tung, Contributing Writer

Security researchers are warning users not to open PDFs from unknown sources in Adobe Reader after finding a PDF zero-day being exploited in the wild.

Researchers at security firm FireEye claimed on Tuesday they had seen the attack PDFs successfully exploit the latest versions of Adobe's PDF Reader for Mac, Linux and Windows.

"Today, we identified that a PDF zero-day is being exploited in the wild, and we observed successful exploitation on the latest Adobe PDF Reader 9.5.3, 10.1.5, and 11.0.1," FireEye researchers Yichong Lin, Thoufique Haq, and James Bennett noted in a blog post.

The researchers were referring to the latest updates for Adobe Reader XI 11.0.01 for Windows and Macintosh, Adobe Reader X (10.1.5) for Windows and Macintosh, and Adobe Reader 9.5.3 for Windows, Macintosh and Linux, which Adobe released in January to fix 27 critical vulnerabilities in older versions.

"Upon successful exploitation, [the exploit] will drop two DLLs [dynamic link libraries]. The first DLL shows a fake error message and opens a decoy PDF document, which is usually common in targeted attacks. The second DLL in turn drops the callback component, which talks to a remote domain," FireEye said.

FireEye says it has submitted the sample to Adobe's security team and, without a new patch available from the company, is warning users not to open any unknown PDF files until it receives confirmation.

Adobe has confirmed it is looking into the reports. "Adobe is aware of a report of a vulnerability in Adobe Reader and Acrobat XI (11.0.1) and earlier versions being exploited in the wild. We are currently investigating this report and assessing the risk to our customers. We will provide an update as soon as we have more information. Please continue monitoring the Adobe PSIRT blog for the latest information," it said in a blog post on Tuesday.

The reported Reader zero-days come hot on the heels of two Flash Player zero-days that were being exploited by attackers in spear-phishing campaigns, and for which Adobe issued out-of-band fixes last week.

Those attacks relied on SWF Flash files embedded in Microsoft Word documents, according to analyses by FireEye and fellow security firm Alien Vault. Another attack aimed at Mac users hosted malicious Flash files on a website.

Adobe yesterday updated Flash Player with a new Click to Play anti-spear-phishing feature to prevent embedded Flash files from automatically executing when users open documents in Office 2008 and earlier. The move brings the protected mode features already available in Office 2010, which asks users for permission to run Flash embedded within documents.
