Modernizing Authentication — What It Takes to Transform Secure Access
While the vulnerability doesn't enable code execution, it does allow the attacker to view where and when the PDF was opened. While Adobe Reader will usually ask for permission before sending such data, no permission is required in this case.
While this isn't a particularly serious issue, McAfee's Haifei Li notes that it could be leveraged to initiate a targeted attack. "An APT attack usually consists of several sophisticated steps," Li writes. "The first step is often collecting information from the victim; this issue opens the door. Malicious senders could exploit this vulnerability to collect sensitive information such as IP address, Internet service provider, or even the victim’s computing routine."