Zero-day Attack in the Wild for Adobe Flash, Reader, and Acrobat
Created: 06 Jun 2010 09:03:35 GMT | Updated: 02 May 2013 20:15:03 GMT
We have confirmed that attacks exploiting the vulnerability (CVE-2010-1297) that Adobe announced in its security advisory are in the wild.
The exploit takes advantage of an unpatched vulnerability in Flash Player, Adobe Reader, and Acrobat, and affects users regardless of whether they use Windows, Macintosh, Solaris, Linux, or UNIX. Adobe has categorized this as 'critical', which is the highest level in its severity rating.
Attacks can take place in various situations; a few are listed below:
- Receiving an email with a malicious PDF attachment.
- Receiving an email with a link to the malicious PDF file or a website with the malicious SWF embedded in malicious HTML code.
- Stumbling across a malicious PDF or SWF file when surfing the web.
We have confirmed that the attack involves Trojan.Pidief.J, a PDF file that drops a back door Trojan onto the compromised computer if an affected product is installed. We have also come across an attack using a malicious SWF file (detected as Trojan Horse) in conjunction with an HTML file (detected as Downloader) to download additional malware (detected as Backdoor.Trojan) from the web. (We may update these three detection names once our analysis is complete.)
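The post names two file types that carry the attack (a booby-trapped PDF and a standalone SWF served from HTML). As an added example that is not part of the original post or any Symantec detection, the following Python triage script classifies a file by its magic bytes and, for PDFs, looks for heuristic signs of embedded Flash content. It assumes, which this post does not state, that the PDF-borne variant carries Flash (SWF) content inside the document; the indicators it checks (a `/RichMedia` annotation, a `/Subtype /Flash` entry, or an SWF header inside a Flate-compressed stream) are assumptions about how such content typically appears in a PDF, not signatures derived from Trojan.Pidief.J. The two sample PDFs are constructed inline so the script runs offline.

```python
"""Triage heuristic (added example): flag PDF files that appear to embed Flash content.

Assumption: the PDF vector embeds SWF data inside the document (not stated in the post).
The markers below are heuristic indicators, not a signature for any specific sample.
"""
import re
import zlib

# Uncompressed (FWS), zlib (CWS) and LZMA (ZWS) SWF headers: magic followed by a version byte.
SWF_HEADER = re.compile(rb"(?:FWS|CWS|ZWS)[\x01-\x20]")
# PDF stream bodies: "stream" ... "endstream".  Non-greedy so each stream is matched separately.
PDF_STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def file_kind(data: bytes) -> str:
    """Classify a blob by its leading bytes into pdf / swf / html / other."""
    if data.startswith(b"%PDF-"):
        return "pdf"
    if SWF_HEADER.match(data):
        return "swf"
    if re.match(rb"\s*<(?:!doctype|html)", data, re.IGNORECASE):
        return "html"
    return "other"


def _inflated_streams(data: bytes) -> list[bytes]:
    """Best-effort decompression of Flate-encoded PDF streams, so markers hidden in them are visible."""
    out = []
    for match in PDF_STREAM.finditer(data):
        try:
            out.append(zlib.decompress(match.group(1)))
        except zlib.error:
            continue  # not Flate-encoded, or corrupt: the raw bytes are still scanned
    return out


def pdf_flash_indicators(data: bytes) -> list[str]:
    """Return the heuristic Flash indicators found in a PDF (raw bytes plus inflated streams)."""
    found = set()
    for chunk in [data] + _inflated_streams(data):
        if b"/RichMedia" in chunk:
            found.add("RichMedia annotation")
        if re.search(rb"/Subtype\s*/Flash", chunk):
            found.add("/Subtype /Flash")
        if SWF_HEADER.search(chunk):
            found.add("SWF header inside stream")
    return sorted(found)


def triage(data: bytes) -> dict:
    """Classify a file and decide whether it should be quarantined for analyst review."""
    kind = file_kind(data)
    indicators = pdf_flash_indicators(data) if kind == "pdf" else []
    return {"kind": kind, "indicators": indicators, "quarantine": bool(indicators)}


# --- constructed samples (not real malware) -------------------------------------------------
def _pdf(body: bytes) -> bytes:
    return b"%PDF-1.5\n" + body + b"\n%%EOF\n"


BENIGN_PDF = _pdf(b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n")

# A fake SWF body (CWS magic, version 10, 4-byte length, padding) hidden in a Flate stream.
_fake_swf = b"CWS\x0a" + (32).to_bytes(4, "little") + b"\x00" * 24
FLASH_PDF = _pdf(
    b"1 0 obj\n<< /Type /Annot /Subtype /RichMedia >>\nendobj\n"
    b"2 0 obj\n<< /Filter /FlateDecode >>\nstream\n"
    + zlib.compress(_fake_swf)
    + b"\nendstream\nendobj\n"
)

if __name__ == "__main__":
    for name, blob in (("benign.pdf", BENIGN_PDF), ("suspect.pdf", FLASH_PDF)):
        print(name, triage(blob))
```

The script is a first-pass filter for a mail gateway or an analyst's inbox, not a detection: a PDF that legitimately embeds Flash will also be flagged, and content inside non-Flate filters or object streams will not be inflated, so a clean result does not prove a file is safe.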
The attacks seem limited at this point. However, other cyber criminals may jump on the bandwagon to take advantage of the vulnerability in the very near future. It's advisable that you visit Adobe's security advisory and spend some time investigating what workarounds would be applicable for your environment until a patch is released.
In the meantime, we are doing further analysis in order to develop heuristic detection(s) for both antivirus and IPS.
Please stay tuned for updates.