Security hole in Adobe Reader and Acrobat

Adobe is currently investigating a new security hole in Reader and Acrobat. Cybercriminals are spamming emails with prepared documents that lead to the computer being infected with malware.

The PDF document abuses a buffer overflow in a new place within the Adobe programs. A JavaScript object included in the PDF checks the Reader version; the exploit works with Adobe Reader starting at version 8. The code it injects downloads malware, which it stores in the file “winver32.exe” in the Windows directory. This file drops 3 further files, which Avira detects as BDS/Ientlcp.A, TR/Agent.faa and TR/Agent.HO.

Avira users are protected from the threat. Our antimalware solutions detect the malicious PDF files generically, without updated detections, as HTML/Malicious.PDF.Gen. The downloaded malware is detected as TR/Drop.Agent.DT with VDF version 7.10.01.243.

Even so, users are best advised not to open PDF files they receive unexpectedly until Adobe provides updates for Reader and Acrobat.

Dirk Knop
Technical Editor