Needless to further remind everyone, zero-day attacks are the preferred choice of cyber criminals and will continue to be so in 2009. If the recent W32/Conficker.worm (MS08-087) and Exploit-XMLhttp.d (MS08-078, MS09-002) were not good enough to prove our point, here is another one.

At the turn of 2009, malicious PDF documents were discovered to be exploiting a 0-day vulnerability affecting Adobe Reader 8,x and 9.x. In parsing a specially crafted embedded object, a bug in the reader allowed the attacker to overwrite memory at an arbitrary location. The attacks, found in the field, use the infamous “HeapSpray” method via JavaScript to achieve control of code execution (see below):

In the above image, the eax register is specially crafted to point to the malicious shellcode that installs a trojan. When successful, the attack installs a backdoor to enforce remote control and monitoring on infected systems. Further characteristics of this backdor and detection details are posted at http://vil.nai.com/vil/content/v_153842.htm

While the distribution of this exploit thus far appears to be targeted, new variants are expected as more information is made public. As with the Conficker experience, the lack of good patch management is a very worrying trend that deserves more attention from IT security practitioners. Adobe is expected to release a patch very soon:

http://www.adobe.com/support/security/advisories/apsa09-01.html