
On or about April 18th, Symantec's DeepSight honeypots began capturing a new iteration of the Neosploit exploit toolkit. It appears that the pervasive exploit kit has been updated to take advantage of a circa February 2008 vulnerability in Adobe Acrobat Professional and Reader. What makes this attack vector of particular concern is that it will work reasonably silently through most browsers. If a user is enticed to a hostile Web site (who knows which ones are hostile these days) using the browser of their choice, it is reasonably likely that their computer will become infected, provided that they have Acrobat installed on their computer. Although the vulnerability has been patched since early February, I suspect that many users have not applied this patch yet. We highly recommend that, if you haven’t done so, you go and get the latest patched versions of Adobe Acrobat Reader and Professional from here: http://www.adobe.com/support/security/advisories/apsa08-01.html. Symantec has worked proactively with the Adobe PSIRT to validate that this is a known vulnerability and that the latest versions of Acrobat Reader and Professional are not affected.



Symantec client IPS-enabled products (for enterprise – SCS/SEP and consumer – NAV/NIS and N360) will prevent this PDF attack as HTTP Malicious Toolkit Download Activity. Other Symantec products will detect it as Trojan.Pidief.C.



It appears that ISC is running a story about a targeted attack using PDFs. It is not clear at this time if these two are related, or if there is a second source of attack PDFs on the loose.



Note: Posted with regards to the co-author of this blog, John Harrison.

