New Adobe Zero-Day Vulnerability Discovered

There is another security headache for Adobe, after hackers are reportedly exploiting a new vulnerability in its Reader and Acrobat software, despite the company already working on a fix for another zero-day bug exposed earlier this month.

According to Adobe’s Product Security Incident Response Team blog, the vulnerability impacts Adobe Reader and Acrobat 9.2, and is being exploited in the wild.

“We are currently investigating this issue and assessing the risk to our customers,” the company’s security team said in a blog post.

Adobe began hearing reports of the attack Monday afternoon, but it has been in the wild for nearly a week. The malicious Adobe Acrobat PDF file arrives as an email attachment, and executes when opened. According to Symantec, which detects the malware as Trojan.Pidief.H, the rate of infection at the moment is low.

However researchers with the Shadowserver Foundation, a volunteer security watchdog group, said that could change in the near future.

“We can tell you that this exploit is in the wild and is actively being used by attackers and has been in the wild since at least 11 December, 2009 ,” according to the Shadowserver blog. “However, the number of attacks (is) limited and most likely targeted in nature. Expect the exploit to become more wide spread in the next few weeks and unfortunately potentially become fully public within the same timeframe.”

Both Shadowserver and the SANS Institute propose that users disable JavaScript as a defence if they are concerned about the vulnerability.

In addition to the latest bug, Adobe still has another zero-day to clear off its plate as well. Proof-of-concept exploit code has been circulating the web for a vulnerability in Adobe Illustrator CS4 and CS3 that can be exploited to execute code via a malicious Encapsulated PostScript (.eps) file in Illustrator.

Adobe has said it plans to fix the issue in Illustrator by 8 January.