The exploit for a critical unpatched bug in Adobe Reader that's now circulating is "clever" and "impressive," security researchers said this week.
First uncovered on Tuesday by Washington-based researcher Mila Parkour, attackers are using rigged PDF documents that include code to exploit a zero-day vulnerability in the widely used Reader PDF viewer as well as in Acrobat, Adobe's PDF creation software.
[ Also on InfoWorld: Microsoft's takedown of the Waledac botnet hints at possibilities for future antivirus efforts | Master your security with InfoWorld's interactive Security iGuide. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]
The sophisticated exploit bypasses two important defenses that Microsoft erected to protect Windows, ASLR (address space layout randomization) and DEP (date execution prevention), researchers have confirmed.
"It's pretty clever," said Chet Wisniewski, a senior security adviser with software security firm Sophos. "It circumvents protections like ASLR and DEP. Its techniques are certainly out of the ordinary and a lot more sophisticated than the garden variety [PDF] exploit."
The attack, which has been spotted attached to emails touting renowned golf coach and author David Leadbetter, also includes a malicious file that's digitally signed with a valid signature from Missouri-based Vantage Credit Union.
VeriSign has revoked the signature, but the already baked malware will still carry what appears to be a valid digital signature, Wisniewski said.
Vantage Credit Union's website now displays a message saying that users' access to their accounts via Intuit's Quicken and Microsoft's now-discontinued Money are "unavailable until further notice due to circumstances beyond our control," a sign that the financial firm's signature has been revoked.
Other researchers were also taken with the technical skills of the hacker who crafted the exploit and the trend it hinted at.
"So the Adobe 0day is using DEP+ASLR Bypass with a binary that is signed with stolen certificate!" said "Neeraj," who works as a senior security research engineer for Nevis Network, an Indian firm. "That's how future attacks gonna be. Scary!"
Although most researchers have pointed out that the current attacks have likely been aimed at specific individuals or companies -- "targeted," in security parlance -- hackers will probably quickly expand the range of victims and the size of their assaults, Wisniewski said. "Now that the cat's out of the bag, I'd expect to see more," he said.