Malicious PDFs exploit zero-day vulnerability and Adobe Reader

Small number of targeted attacks keeps the threat level low for the time being

Malicious code has been found hidden in portable document format (PDF) files that exploits a previously unknown buffer overflow vulnerability in several versions of the Adobe Reader and Acrobat, researchers at Symantec Corp. have reported.

Symantec received samples of the malware Feb. 12, and Adobe was alerted when the vulnerability was identified, said Kevin Haley, director of Symantec Security Response. Adobe has given the issue a critical severity rating, but the security company has given it a low threat level because few attacks have been identified in the wild.

“Given the small number of attacks we are seeing, they are targeted attacks,” Haley said. The attacks have come as infected PDF files in e-mail attachments mailed to high-level officials in government agencies and large corporations. The malicious payload being downloaded can monitor desktop activity, log keystrokes and allow remote access to the compromised machine.

“The first attack we saw was in Japan,” Haley said. A very few have been found in the United States so far, and they also have been seen in China, Taiwan and the United Kingdom. “It’s not widespread. We don’t want to overhype it.”

Symantec has released antivirus signatures that identify the exploit code as Trojan.Pidief.E. Adobe said it expects to release updates for version 9 of Adobe Reader and Acrobat by March 11, with updates for version 8 to follow soon after, and version 7 bringing up the rear.

“In the meantime, Adobe is in contact with antivirus vendors, including McAfee and Symantec, on this issue in order to ensure the security of our mutual customers,” Adobe said on its online security bulletin. “A security bulletin will be published on as soon as product updates are available.”

“The vulnerability is caused by an error in parsing particular structures within the PDF format,” Symantec reported in its security blog. “Once the malicious document is opened it will trigger the vulnerability. The JavaScript payload then sprays the heap with the malicious shellcode in an attempt to increase the chances of a successful exploit. If the exploit is successful, a malicious binary will be dropped and executed on the victim’s system.”

Because attacks so far have been targeted, there are no common e-mail subject lines or file names to look out for. The malicious PDF installs a backdoor Trojan on the compromised computer, which downloads an open-source toolkit known as GHOST that contains programs such as a “screen-scraper” to view the victim’s desktop and a keystroke logger. The goal appears to be to gather sensitive information from executives' computers.

Neither the source of the exploit nor the servers it uses have been discovered, Haley said.

“It’s hard to say where the attacks come from,” he said. “It is very difficult to trace these things back.”

But researchers examining samples of the malicious JavaScript code used in the PDFs said they appear to come from the same source.

Until the fixes are released, users are warned to use common sense and caution in opening PDF attachments and to keep antivirus definitions updated. Symantec also recommends disabling JavaScript in Adobe Reader. Enabling Data Execution Prevention in Adobe Rader also will help.

About the Author

William Jackson is a Maryland-based freelance writer.


  • Records management: Look beyond the NARA mandates

    Pandemic tests electronic records management

    Between the rush enable more virtual collaboration, stalled digitization of archived records and managing records that reside in datasets, records management executives are sorting through new challenges.

  • boy learning at home (Travelpixs/

    Tucson’s community wireless bridges the digital divide

    The city built cell sites at government-owned facilities such as fire departments and libraries that were already connected to Tucson’s existing fiber backbone.

Stay Connected