Symantec confirms zero-day PDF exploit

Posted by Aharon Etengoff

Symantec has confirmed the existence of a zero-day "Xmas exploit" that targets both Adobe Acrobat and Reader. The exploit is reportedly triggered by malicious PDF attachments which are opened by unsuspecting recipients.

"When the file is opened, a malicious file is dropped and run on a fully patched system with either Adobe Reader or Acrobat installed. [We] detect the file as Trojan.Pidief.H," explained Symantec.

The exploit has also been confirmed by ShadowServer.

"We did not discover this vulnerability but have received multiple reports of this issue and have examined multiple different copies of malicious PDFs that exploit this issue. This is legit and is very bad," the organization stated in an official post.

"[Although] the number of attacks are limited and most likely targeted in nature, expect the exploit to become more wide spread [over] the next few weeks. We can tell you that this vulnerability is actually in a JavaScript function within Adobe Acrobat [Reader] itself."

"Furthermore the vulnerable JavaScript is obfuscated inside a zlib stream making universal detection and intrusion detection signatures much more difficult."
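
As an added illustration (not code from Symantec, ShadowServer or the original article) of why a zlib-compressed stream defeats plain byte signatures, the Python sketch below compares a raw byte search with a search run after inflating each stream. The PDF-like sample is constructed and harmless, and the `app.alert` signature and all function names are assumptions made for the example.

```python
import re
import zlib

# Matches the body of each PDF stream object: "stream" EOL ... EOL "endstream".
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)

def inflate_streams(pdf_bytes):
    """Return the decompressed body of every stream that holds valid zlib data."""
    bodies = []
    for match in STREAM_RE.finditer(pdf_bytes):
        try:
            # decompressobj tolerates stray bytes after the end of the zlib data
            bodies.append(zlib.decompressobj().decompress(match.group(1)))
        except zlib.error:
            continue  # not Flate data (another filter, or an uncompressed stream)
    return bodies

def scan(pdf_bytes, signature):
    """Report whether `signature` is visible in the raw file and after inflation."""
    return {
        "raw_hit": signature in pdf_bytes,
        "inflated_hit": any(signature in body for body in inflate_streams(pdf_bytes)),
    }

def build_sample_pdf():
    """Constructed sample: a harmless script stored in a FlateDecode stream."""
    script = (b"// constructed sample, harmless\n"
              b'app.alert("constructed sample script");')
    packed = zlib.compress(script)
    return (
        b"%PDF-1.4\n"
        b"1 0 obj\n<< /S /JavaScript /JS 2 0 R >>\nendobj\n"
        b"2 0 obj\n<< /Filter /FlateDecode /Length "
        + str(len(packed)).encode() + b" >>\n"
        b"stream\n" + packed + b"\nendstream\nendobj\n"
        b"%%EOF\n"
    )

if __name__ == "__main__":
    # The raw search misses the script text; the search after inflation finds it.
    print(scan(build_sample_pdf(), b"app.alert"))
```

Real files can chain several filters or place scripts inside object streams, so a production scanner needs a full PDF parser rather than this regex.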
