While iDefense did not identify rogue PDFs as the malformed documents, its researchers claimed that the attachments exploited a "zero-day" -- a vulnerability that had not yet been patched -- in a "one of the major document types," a definition that certainly fits Adobe's PDF format.
Only yesterday did Adobe patch a zero-day in Reader. The bug had been publicly known since mid-December, and used surreptitiously by hackers for at least several weeks before that.
Adobe denied any link between the two events -- its patching of Reader and the announcement that it had been attacked. The security update had been on the schedule for months, said Lips, since Adobe now releases Reader patches quarterly.
Mikko Hypponen, the chief research officer of Helsinki-based F-Secure, disagreed. Although F-Secure has not been directly involved in investigating the attacks, Hypponen said he has talked with other researchers who were. "This was an attack launched via a convincing e-mail with an exploit-ridden PDF attachment," Hypponen said today in a telephone interview. He also said that those researchers, who he would not identify, told him that the PDF documents were exploiting the Reader zero-day patched on Tuesday.
"These kinds of targeted attacks using PDFs have been going on for quite a while," said Hypponen. "There's nothing new technically in any of these attacks, including the ones against Google and Adobe."
Hypponen was on the money in that regard. Adobe, for example, patched four Reader zero-day vulnerabilities last year, while some statistics show Adobe exploits are among the most prevalent on the Web.
Hypponen also took a stab at whether the Chinese government was directly responsible for the attacks, something that some have argued by reading between the lines of Google's announcement. "One theory is that the government, maybe the PLA (People's Liberation Army), is behind this. The other is that it's the usual idiots, local Chinese hackers who are encouraged and perhaps supported by authorities."
Hypponen laid his bet on the latter. "Indirect evidence supports the second theory," he said, citing the properties traits of malicious documents that typically show the creator's name as something like "shadowhunt" or "darkknight."
"Those are hacker names, not [the name of] a sergeant in the PLA," he said. "But we don't have a smoking gun."
Adobe denied that a Reader vulnerability was the basis of the attacks, or that malicious PDFs had been used to hack the company's own network. "In terms of the attack vector, this is still being determined as part of our ongoing investigation," Lips said. "At this time, we have no evidence to suggest that Adobe Reader was an attack vector."
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld . Follow Gregg on Twitter at @gkeizer , send e-mail to firstname.lastname@example.org or subscribe to Gregg's RSS feed .