Adobe's ever-present Acrobat/PDF Reader software is prone to a nasty code execution vulnerability that could expose Windows users to PC takeover attacks.
Details of the flaw, which affects Windows XP SP2 with IE7 and Adobe Reader 8.1, 8.0 and 7 are being kept under wraps until Adobe releases a fix.
Petko D. Petkov, the researcher who discovered this issue, is not mincing words about the risk severity:
Adobe Acrobat/Reader PDF documents can be used to compromise your Windows box. Completely!!! Invisibly and unwillingly!!! All it takes is to open a PDF document or stumble across a page which embeds one.
The issue is quite critical given the fact that PDF documents are in the core of today’s modern business. This and the fact that it may take a while for Adobe to fix their closed source product, are the reasons why I am not going to publish any POCs. You have to take my word for it. The POCs will be released when an update is available.
Petkov gave me a peek at a proof-of-concept exploit that worked as advertised. On my Windows XP box with a fully patched version of Adobe Reader, opening a rigged PDF file launched calc.exe without warning.
The exploit did not work during my tests on Windows Vista.