In late September, researcher Petko Petkov identified a bug in the wayPortable Document Format (PDF) files are handled in Adobe's Acrobat/Reader that could let a malicious attacker completely compromise your PC.
I mentioned in a blog post at the time that, in trying out another proof-of-concept exploit published by Petkov ? this one for a Windows Media Player (WMP) bug ? my own PC, which I have configured to have ridiculously high security, was compromised in a second. The PDF bug is just as insidious and dangerous.
At that time, Adobe had not yet commented on the PFD flaw, much less patched it.
Well, today, there's a little bit of good news. Adobe has acknowledged the problem is out there and has provided a partial workaround.
But unfortunately, no patch yet.
While he hasn't published the exploit code, Petkov says it's important not to ignore this one:
"The following HIGH Risk vulnerability [in] Adobe Acrobat/Reader PDF documents can be used to compromise your Windows box. Completely!!! Invisibly and unwillingly!!! All it takes is to open a PDF document or stumble across a page which embeds one."
From experiencing how quickly and smoothly his proof-of-concept exploit for the WMP bug was able to prove my security wasn't robust enough, I believe him. (Since Petkov hasn't released the exploit code, there haven't been any attacks in the wild yet but that could just be a matter of time -- he's not the only smart hacker out there.)
So what CAN you do now to protect yourself?
First, according to Adobe's security advisory, if you're running Windows Vista, you have nothing to worry about from this bug. It only leaves you exposed if, like most of us, you're still running Windows XP with Internet Explorer 7.
Adobe's advisory says that the vulnerable releases are Adobe Reader 8.1 and earlier versions, Acrobat Standard, Professional and Elements 8.1 and earlier versions, as well as Acrobat 3D.
While Adobe says the company is hard at work on updates that fix the problem, in the meantime you can disable the software's "mailto:" feature. Adobe has posted instructions for how to do this in its advisory.
Thanks to Ryan Naraine, who pointed the advisory out on his Zero Day blog.
Meanwhile, you haven't heard the last from me for this week. Tomorrow is Microsoft's "Patch Tuesday" ? the second Tuesday of every month when the company releases security fixes for its products. Talk with you then.
