A few days ago, the presence of a vulnerability in Acrobat was disclosed. The source that discovered it is the same source credited with a few other recent disclosures. Unlike those cases, though, the details of the actual vulnerability were not disclosed.
In an odd turn, many seem to be hung up on why this is being called a Zero Day by gnucitizen.org, when, by definition, an exploit has to exist. Personally, considering the ease at which the vulnerability can be exploited and the "payload" potential of the exploit, I’d rather not wait for an exploit before reacting.
The implications of an exploit of this vulnerability are serious. By "opening" a PDF with the exploit encoded inside, the user is subject to any action desired by the attacking PDF author. In one example, the PDF opened calculator on the local PC. To put this in terms of an attack, "Format C:", or "FTP ftp.exploitsite.com" come to mind. This could make the impact of recent storm worm variants (the storm botnet) seem pretty small. PDFs are widely used. After all, they are portable.
What I’d expect to see is a surge of spam containing exploit PDF code, web sites with embedded PDF code, and the like. The only saving grace is that the details remain secret.
Regrettably, this vulnerability hasn’t got much attention, probably because of the mystery around the details of the exploit. But you can see a story on ZDNet here. There is also a YouTube video of the exploit (you can’t see the details) here.
Interestingly, the gnucitizen.org site is unreachable today. You can see the initial release here.
The National Institute of Standards and Technology (DHS and CERT) has added this vulnerability to the CVE. They point out that this is a pre-advisory based on vague information, but claimed by a reliable researcher. That last part is the basis for why I think this is worth mentioning.
Unsure what a Zero Day Exploit is? Click here.