A working exploit was added to the open source Metasploit penetration testing kit Thursday and revised earlier Friday to run reliably on Windows Vista and Windows 7 systems, and to launch from a browser, said HD Moore, the chief security officer for Rapid7 and the creator of Metasploit.
The Metasploit exploit was written by researcher Joshua Drake, who noted Thursday that the current in-the-wild exploit can compromise a Windows PC even if its user merely previews the rigged PDF.
Adobe warned Reader and Acrobat users Tuesday of the vulnerability, but has not said when it would patch the bug, nor has it offered any advice to stymie attacks.
Another work-around suggested by the SANS Institute is to install the gPDF browser add-on, which opens any Web-hosted PDF in Google Docs' viewer rather than calling on the Adobe Reader browser plug-in. gPDF is available in versions for Firefox and Chrome, and it can also be run on Safari and Opera using available Greasemonkey scripts.
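To make the mechanism behind that workaround concrete, here is a small userscript-style link rewriter written for this article as an added example; it is not code from the article, from SANS, or from the gPDF add-on itself. It redirects links to Web-hosted PDFs through Google Docs' viewer so the local Adobe Reader plug-in is never invoked. The viewer URL prefix, and the function names `isRemotePdfLink`, `rewritePdfUrl` and `rewriteAnchors`, are assumptions made for the example.

```javascript
// Added example, not part of the article or of the gPDF add-on: a minimal
// userscript-style rewriter that sends Web-hosted PDF links through Google
// Docs' viewer instead of the local Adobe Reader browser plug-in.
// The viewer prefix below is an assumption about the service for this example.
const VIEWER_PREFIX = "https://docs.google.com/viewer?url=";

// Decide whether an href points at a Web-hosted PDF worth redirecting.
// Only http(s) URLs qualify; data:, file:, javascript: and relative links
// are left alone, and links already pointing at the viewer are skipped.
function isRemotePdfLink(href) {
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return false; // relative or malformed: leave untouched
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  if (url.hostname === "docs.google.com") return false; // already the viewer
  // Test the path only, so "?download=1" or "#page=3" cannot hide the extension.
  return /\.pdf$/i.test(url.pathname);
}

// Build the viewer URL. The original link is percent-encoded as a whole so
// that its own query string survives inside the url= parameter.
function rewritePdfUrl(href) {
  return isRemotePdfLink(href) ? VIEWER_PREFIX + encodeURIComponent(href) : href;
}

// Rewrite every anchor under a DOM root; returns how many were changed.
// a.href is used (not getAttribute) so relative links arrive fully resolved.
function rewriteAnchors(root) {
  let changed = 0;
  for (const a of root.querySelectorAll("a[href]")) {
    const original = a.href;
    const rewritten = rewritePdfUrl(original);
    if (rewritten !== original) {
      a.setAttribute("data-original-href", original); // keep the direct link available
      a.setAttribute("href", rewritten);
      changed += 1;
    }
  }
  return changed;
}

// When loaded as a userscript in a browser, rewrite the current page once.
if (typeof document !== "undefined") {
  rewriteAnchors(document);
}
```

The check is deliberately narrow: it never touches non-http(s) schemes, so it cannot be tricked into routing `javascript:` or `data:` links anywhere, and it records the original target on the anchor so a user can still fetch the file directly when the viewer cannot render it.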
Wisniewski also said that there was evidence that the hacker had been working on the exploit for almost a year. "The DLL that it drops was [digitally] signed in 2009, so that part of it at least isn't brand new," he said. "That doesn't mean the exploit itself was available back then, but is another indication of a targeted attack."
He compared the Reader zero-day exploit with the Stuxnet worm, which caused concern in July when it was discovered attacking industrial control systems at large manufacturing and utility companies. Symantec traced Stuxnet back to June 2009, with attacks likely beginning the following month, when hackers apparently stole digital certificate keys from a pair of Taiwanese software firms, then used them to sign two versions of the worm.
"This makes two [attacks] that have used valid certificates," Wisniewski said. "I'm starting to wonder if [hackers] aren't using other malware that's specifically targeting certificates and their keys."
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His e-mail address is firstname.lastname@example.org.