DigitMemo.com

A zero-day PDF vulnerability in Adobe’s Acrobat Reader has come to light that can lead to Windows boxes getting taken over completely and invisibly, according to a security researcher.

“All it takes is to open a [maliciously rigged] PDF document or stumble across a page which embeds one,” said researcher Petko D. Petkov, aka pdp, in a blog posting on Sept. 20.

This PDF vulnerability is even worse than the QuickTime flaw, Petkov said. Mozilla provided a Firefox workaround for the QuickTime flaw earlier the week of Sept. 17, but it can still be used to compromise Internet Explorer, as security researcher Thor Larholm demonstrated in a posting on Sept. 19. Apple hasn’t yet released any details on the status of a QuickTime fix.

For its part, Symantec, based in Cupertino, Calif., on Sept. 20 warned customers using its DeepSight Alert Services that Adobe Acrobat is subject to “an unspecified vulnerability when handling malicious PDF files,” allowing remote users to take over targeted machines.

The scenario is that an attacker rigs a PDF file designed to exploit the flaw. He or she distributes it via e-mail or through other means, or hosts it on a Web page. When a user opens the rigged PDF file with a vulnerable application, the user’s machine can be loaded with malware that makes it open to a takeover.

Petkov’s advice is to keep away from PDF files, local or remote. He said other viewers besides Adobe’s Acrobat Reader might be vulnerable as well. He has verified the PDF issue on Windows XP Service Pack 2 with the latest Adobe Reader 8.1, although previous versions are also affected, he said.