Adobe Systems plans to release a patch Friday to close an Adobe Reader and Acrobat security hole at the center of an attack campaign on the defense industry.
The patch for CVE-2011-2462 will fix the issue for Adobe Reader and Acrobat 9.x versions on Windows. The bug – which actually affects multiple versions of Reader and Acrobat across Windows, Mac and UNIX – rests in the U3D component of the software programs. If exploited, an attacker could use the bug to execute arbitrary code or cause a denial-of-service condition.
In addition to Reader and Acrobat 9.x on Windows, the bug also exists in Reader and Acrobat 10.1.1 and earlier on Windows and Macs and Reader 9.x through 9.4.6 on UNIX.
“As stated before, because Adobe Reader X Protected Mode and Adobe Acrobat X Protected View would prevent an exploit of this kind from executing, we are currently planning to address this issue in Adobe Reader X and Acrobat X for Windows with the next quarterly security update for Adobe Reader and Acrobat, currently scheduled for January 10, 2012,” blogged Wendy Poland, senior security response program manager at Adobe.
The vulnerability was first reported to Adobe by Lockheed Martin CIRT and the Defense Security Information Exchange. According to Symantec, the malicious PDF used in the attacks drops the Sykipot Trojan when it is opened. The companies attacked by the latest wave of Sykipot include not only defense contractors, but also telecommunications, chemical and energy companies.
“The attackers consistently use targeted emails containing either a link or malicious attachment,” blogged Vikram Thakur principal security response manager at Symantec. “In both cases, the attackers either exploit unpatched application flaws (zero-day exploits) or simply leverage known exploit code in the hopes that the targeted computer is running vulnerable software.”
Researchers at McAfee took a deep-dive look at the Adobe exploit here.