On Friday, a "Zero Day" vulerability was disclosed for Adobe Acrobat and Adobe Reader. A zero day is a vulerability where an exploit is made public before there is a "patch" from the manufacturer.
In their advisory, Adobe said they were not going to patch the vulerability until mid-March for Acrobat/Reader 9, and "soon after" that for version 8, followed by an update for version 7 after that. This is rather troubling considering the vulerability is actively being exploited on the internet, including in targeted emails to company executives.
Adobe is relying on anti-virus vendors to catch the attacks. They will publish new security bulleting at http://www.adobe.com/support/security once the product updates are available, assuming that consumers will check there frequently for their respective updates.
Symantec is already detecting the first wave as Trojan.Pidief (different versions). Kaspersky appears to be detecting these by the variants Exploit.Win32.Pidief. TrendMicro, who first received a sample on 2/11/09 added first definitions to the pattern on 2/20/09.
In the meantime, users are counselled to turn off javascript in Acrobat/Reader, as task not likely to happen.
Of large concern is that Acrobat/Reader configures Internet Explorer to open PDF files without user intervention. US-CERT recommends that this be disabled using the following registry edit. (save the following test to a .reg file and double click the file).
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\AcroExch.Document.7]
"EditFlags"=hex:00,00,00,00
I’ve got a concern about that recommendation in that I see several other keys in th "AcroExch" range that may need the editflags values.
Considering the potential of the vulerability, my suggestion is that you keep your AV signatures up to date; very up to date. The first Adobe patch is over 2 weeks away.
OSG: Bits, Bytes and Packets 