Adobe PDF at Risk From Zero-Day Vulnerability


Users of Adobe Reader and Acrobat PDF documents could be at risk from a new zero-day vulnerability, with the company saying it has gotten reports that the flaw is currently being exploited in the wild.

Adobe (NASDAQ: ADBE) has not yet released a full advisory detailing the security issue, but has issued a brief statement on its security blog.

"Adobe received reports of a vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions being exploited in the wild (CVE-2009-4324)," Adobe's David Lenoe wrote on the Adobe Product Security Incident Response Team (PSIRT) blog. "We are currently investigating this issue and assessing the risk to our customers."

According to security researchers at the Shadowserver Foundation, the new Adobe PDF vulnerability has been circulating the Internet and resulting in exploits since Dec. 11.

The researchers said that the vulnerability is a JavaScript function flaw that could potentially lead to arbitrary code execution or a possible denial of service condition.

"Furthermore, the vulnerable JavaScript is obfuscated inside a zlib stream, making universal detection and intrusion detection signatures much more difficult," Shadowserver researchers warned in a post on their site.

Security analysts pointed out that users could potentially mitigate the new threat by turning off JavaScript, and also by simply observing best practices of only opening up PDFs from trusted sources.

"I could recommend that you don't open any malicious PDFs," Johannes B. Ullrich, a SANS Security researcher, wrote in a blog post. "But it would probably be as useful to go and hide in a cave until all Adobe bugs got fixed."

This isn't the first time Adobe Reader and Acrobat have been targeted this year by attackers, with Adobe warning for zero-day flaws in Reader and Acrobat at least three times so far in 2009.

The first zero-day fix came in March and repaired a vulnerability in how JavaScript parsed a particular type of image stream.

In July, Adobe reported a second zero-day flaw. The third set of zero-day PDF flaws appeared in October, which in turn were fixed as part of a sweeping array of fixes for 29 flaws from Adobe that same month.

Sean Michael Kerner is a senior editor at, covering Linux and open source, application development and networking.