Security firms warned last week that online criminals have begun targeting victims' computers using crafted PDF files that attack a previously unknown flaw in Adobe's Acrobat document software.
The attack — which appears to have been first noticed by Symantec, the owner of SecurityFocus — does not appear to be widespread, the security firm stated in an advisory. Adobe confirmed the vulnerability and committed to releasing a fix for the issue by March 11.
"It seems likely that the people behind this threat are using targeted attacks against high-ranking people within different organizations — for example, locating the CEO's email address on the company website and sending a malicious PDF in the hope that their malicious payload will run," Symantec said in its advisory. "Once the machine is compromised, the attackers may gain access to sensitive corporate documents that could be costly for companies breached by this threat."
Because of their ubiquity, Adobe's Acrobat and Flash software have become popular targets of security researchers, who try to find vulnerabilities to help secure software, and online criminals, who try to exploit the vulnerabilities. Last year, for example, Adobe released a software update to shutter a flaw in its Flash software that allowed attackers to overlay user interface elements over a Web page. The attack, known as clickjacking, lets the attacker lead a victim to believe they are performing one action, when they are actually doing something completely different.
The latest vulnerability in Acrobat is caused by the incorrect handling of certain elements of the PDF file format, Symantec stated in its advisory.
Posted by: Robert Lemos