On February 19th, Adobe confirmed reports that its version 9 software of Adobe Acrobat and Adobe Reader were vulnerable to buffer overflows that have allowed some companies to be targeted in spearphishing attacks.

Their announcement said:

A critical vulnerability has been identified in Adobe Reader 9 and Acrobat 9 and earlier versions. This vulnerability would cause the application to crash and could potentially allow an attacker to take control of the affected system. There are reports that this issue is being exploited.

Adobe is planning to release updates to Adobe Reader and Acrobat to resolve the relevant security issue. Adobe expects to make available an update for Adobe Reader 9 and Acrobat 9 by March 11th, 2009. Updates for Adobe Reader 8 and Acrobat 8 will follow soon after, with Adobe Reader 7 and Acrobat 7 updates to follow. In the meantime, Adobe is in contact with anti-virus vendors, including McAfee and Symantec, on this issue in order to ensure the security of our mutual customers.

McAffee’s Avert Lab Blog has screenshots of the buffer overflow in action here. They go on to say:

Needless to further remind everyone, zero-day attacks are the preferred choice of cyber criminals and will continue to be so in 2009. If the recent W32/Conficker.worm (MS08-087) and Exploit-XMLhttp.d (MS08-078, MS09-002) were not good enough to prove our point, here is another one.

As a reminder, the Better Business Bureau phishing scam successfully exploited many large companies last year by sending emails with malicious .PDF attachments to executives of those companies. And since there will not be a patch in place until Mid-March, extra vigilance is required to prevent this exploit from affecting you.

Zero Day exploits don’t typically remain targeted against just a few enterprises for long. Within days we expect this exploit to accompany broader mass phishing attempts. And given the IRS tax season, perhaps malicious .Pdf’s will be seen targeting taxpayers via email.