
Attack Preys on New Adobe Acrobat Vulnerability

Feb 21, 2009

Adobe Systems is warning that a JavaScript vulnerability in its Reader and Acrobat applications can enable attackers to take over their victims’ computers — and that it’s already seeing evidence that the flaw is being exploited.

Government agencies and large businesses are at particular risk from an attack that uses the vulnerability, according to Kevin Haley, director of Symantec Security Response, which is working with Adobe (NASDAQ: ADBE) to address the problem.

Haley said the heightened concern over the flaw — known as Adobe Reader PDF File Handling Remote Code Execution Vulnerability — stems from the fact that Acrobat and Reader are both in wide use across a number of different platforms and that neither is generally thought of as a potential danger.

“These are incredibly popular applications, so it’s not something people are looking for vulnerabilities in,” Haley told InternetNews.com.

Adobe pledged on its Web site that the flaw would be closed by March 11, through updates for the current Version 9 of both Adobe Reader and Acrobat. Updates for earlier versions of each will be issued later, it said.

Haley said enterprises and government agencies can configure their firewalls to protect against Pidief.E. Individual users can disable JavaScript for Adobe Reader, and Haley said they should install Adobe’s patches as soon as they are available.

The news marks the second time recently that a security vulnerability in a popular Adobe application has sparked concern. Adobe Flash, for instance, was at the heart of recent attacks through social networks that sent messages directing viewers to a Flash video containing malware.

Last month, Adobe released a set of critical patches to address potentially troublesome JavaScript security flaws in Flash Player 9 and Adobe Reader and Acrobat.

Brad Arkin, Adobe’s director for product security and privacy, told InternetNews.com that the company has several projects underway to enhance the security of its products.

“Protecting our end users and the security of our products is a top priority,” Arkin said.

Two pieces of malware

The latest attack does its dirty work using a two-pronged approach known in the security industry as a belt-and-suspenders attack.

First, a Trojan called Pidief.E exploits the vulnerability to drop a second piece of malware on victims’ computers. This second virus then performs keystroke-logging and screen-scraping — in essence, taking regular snapshots of what’s on the user’s desktop — and sends the information gathered over the Internet to a host machine.

Haley said the second piece of malware is based on an open source toolkit known as Gh0st. “We have a generic signature that can catch this and a lot of other garden-variety malware,” he added.

He added that toolkits like Gh0st, which is believed to have originated in China, are designed to enable would-be hackers to create screen scrapers, keystroke loggers and remote access Trojans even if they have very little programming knowledge.

Such hackers are known as script kiddies, and security experts have speculated that the authors of toolkits like Gh0st create them to encourage script kiddies to distract the security community from chasing down more serious criminals.

In addition to Symantec (NASDAQ: SYMC), Adobe is also working to address the situation by teaming up with other antivirus vendors, including McAfee (NYSE: MFE), Arkin said.
