Update on Adobe Acrobat and Reader Zero-Day Attack
- Tuesday, December 15, 2009, 3:17
- Articles, Threat Research
More news is emerging about the zero-day attack on Adobe Acrobat and Reader revealed by the company last night.

The main news comes from the Shadowserver Foundation, which claims to have examined the attack. They confirm that the attack exploits a new, unpatched vulnerability, that it affects versions 8 and 9 of the Adobe products (and possibly 7, which they haven't tested), that it has been in the wild since at least December 11, and they call it "very bad." Though they aren't revealing details of the vulnerability, they say that it is in a JavaScript function in Adobe's implementation. They add that the exploit is hidden inside a zlib stream (zlib is an open source compression library), which complicates its detection by security products. Finally, they speculate that DEP protection may mitigate the attack, but haven't tested this.

Shadowserver calls strongly on users to disable JavaScript in Acrobat and Reader. This is a good idea for most users, but for others it's not a realistic option. Many corporate applications use JavaScript in PDFs for important functions like forms processing, and it's even used by Google Docs as part of its printing support.

The Shadowserver report lists 5 anti-malware engines that detect the threat: McAfee-GW-Edition (not necessarily McAfee Desktop or Mail Server Edition), eSafe, NOD32, AntiVir, and Kaspersky. A separate (continue reading...)
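Why a zlib stream complicates detection, shown as an added triage example (not code from Shadowserver, Adobe, or any vendor named above): a byte scan of the raw file finds no script markers, while inflating each stream first does. The marker list, function names, and the PDF-like sample are assumptions constructed for illustration.

```python
import re
import zlib

# Assumed marker list: PDF names a triage script might flag for review.
MARKERS = (b"/JavaScript", b"/JS", b"/OpenAction")

# Body of every "stream ... endstream" section in the file.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def inflate_streams(pdf_bytes):
    """Yield (index, data) for each stream that inflates as zlib."""
    for idx, match in enumerate(STREAM_RE.finditer(pdf_bytes)):
        try:
            # decompressobj tolerates trailing bytes after the zlib data
            yield idx, zlib.decompressobj().decompress(match.group(1))
        except zlib.error:
            continue  # not zlib (another filter, or plain data)


def scan(pdf_bytes):
    """Compare a naive raw-byte scan with a scan of inflated streams."""
    raw = [m for m in MARKERS if m in pdf_bytes]
    inflated = [(idx, m)
                for idx, data in inflate_streams(pdf_bytes)
                for m in MARKERS if m in data]
    return {"raw": raw, "inflated": inflated}


def build_sample():
    """Constructed PDF-like fragment: a harmless action dictionary
    stored inside a FlateDecode (zlib) stream. Not a complete PDF."""
    hidden = (b"<< /S /JavaScript /JS (app.alert('constructed sample'); "
              b"app.alert('constructed sample');) >>")
    body = zlib.compress(hidden)
    return (b"%PDF-1.4\n1 0 obj\n<< /Filter /FlateDecode /Length "
            + str(len(body)).encode() + b" >>\nstream\n" + body
            + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    result = scan(build_sample())
    print("raw scan hits:     ", result["raw"])
    print("inflated scan hits:", result["inflated"])
```

Streams that use other filters or chained encodings are skipped here, so an empty result is not proof that a file is clean.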