
Adobe Flaw Lets In The Phishers

By Damon Poeter, CRN
October 23, 2007    7:57 PM ET

Security vendors say a recently exposed vulnerability in Adobe's Acrobat and Reader applications is being exploited by a Russian phishing network spreading a fairly old Trojan virus.

Adobe released a patch for the flaw Monday after confirming a report by U.K.-based researcher Petko Petkov that Microsoft Windows XP users were vulnerable to system takeovers via malware spread through malicious PDF files opened in the vendor's latest Acrobat and Reader versions.

For now, at least, security vendors say the damage has been fairly minimal.

"We're not seeing this as being exploited in the wild very much at all. The PDFs we have seen seem to be spam originating from a Russian phishing network. What they're spreading is a Trojan phisher called Snifula, which is pretty old and not a new threat," said James Heimbuck, head of definition development at Boulder, Colo.-based Webroot.

Heimbuck said the Webroot team hadn't seen any spam relays being created through the Adobe vulnerability. In addition to phishing for private data, a common practice of malware spreaders is to create networks of compromised computers, or botnets, to send large amounts of unsolicited e-mail unbeknownst to those computers' owners.

"The exploit works by disabling the Windows native firewall, then using FTP to download a file and execute it. The exploit is new, but the actual content of what's being downloaded and run is old news," said Webroot's Justin Bertman, manager of threat research development.

Though the vulnerability involved Windows XP specifically, Bertman blamed Adobe for the flaw rather than Microsoft.

"It's targeting Windows because of the architecture it sits on. It's not Windows' fault. It's Adobe's fault for leaving a window open. Microsoft doesn't take the black eye on this one," he said.

Criminals are increasingly able to find vulnerabilities in the most popular operating systems and applications, said David Mayer, senior product manager at recent Cisco acquisition IronPort.

"It's getting more and more dangerous and the criminals are acting more and more quickly. I work primarily on the spam side and spammers are using fairly ubiquitous applications to compromise systems. Everybody's got Adobe, so it's really dangerous," Mayer said.

Ivan Arce wasn't surprised by the news of the Adobe flaw, saying "it was coming and it was predictable." The CTO of Boston-based vendor Core Security advised vulnerable parties to install some form of endpoint security if they hadn't already.

This latest episode of playing catch-up with the cybercriminals was all the more reason to take security seriously, said Powersolution.com's David Dadian.

"We haven't run across [the Adobe exploit], knock wood. And the reason for that is that our infrastructures are multi-layered," said the CEO of the Ho-Ho-Kus, N.J.-based solution provider.

"We have the e-mail layer protected. There's a second layer that is a combination of Fortinet products. The third is on the network, where we run a Symantec layer. Sometimes there's an additional Sendio layer, which is a challenge-response filter that catches all spam."
