Hackers have been exploiting a critical bug in Adobe Reader, the popular PDF-viewing software, for at least nine days, researchers said Friday, but a patch may not be ready for another three weeks.
'We reported this to Adobe on Feb. 12,' said Kevin Haley, a director in Symantec Corp.'s security response group. 'That was the same day that we had a sample of the exploit.'
Attacks have been spotted in Asia, primarily in Japan, said Haley, as well as in a few other countries. But their small number led him to characterize them as 'targeted,' meaning the victims had been specially selected.
'But this [bug] is not hard to exploit,' he added, indicating that Symantec expects the attacks to spread.
So does Andrew Storms, director of security operations at nCircle Network Security Inc. 'If the history of Adobe Reader vulnerabilities shows us anything, it's probably just a number of days before this takes off,' Storms said.
In a security advisory released Thursday, Adobe acknowledged the bug and the ongoing attacks, and said that both Reader and Acrobat, an advanced PDF-creation and edit application, are vulnerable. Versions 7, 8 and 9 of both programs, and on all platforms, contain the flaw, the company confirmed. Adobe Reader, by far the more popular of the two applications, is available for Windows, Mac OS X and Linux.
Adobe plans to patch Reader 9 and Acrobat 9 -- the most current versions -- by March 11, and will then follow with fixes for Reader/Acrobat 8 and Reader/Acrobat 7, in that order. It did not spell out a timetable for updates to Versions 7 and 8, however.
In the meantime, both Haley and Storms expect hackers to take advantage of the bug, possibly by integrating new attack code into the multistrike exploit kits that are frequently used by cybercriminals to launch attacks against users who are duped into visiting malicious Web sites. 'There's no reason to think that that won't happen,' he said. 'Reader is a very popular application.'
The in-the-wild attacks trigger the bug with a Trojan horse that Symantec has pegged 'Pidief.e,' which then installs several additional components to open a backdoor on the compromised computer. That backdoor can later be used to inject additional malware into the machine.
Attacks could be initiated by spam messages that trick users into clicking through to a malicious site, or by packing exploit code in a file attachment.
Storms had no better advice, but wondered if that would be enough.