This hasn’t been the best of weeks for Windows administrators. First came news that Jonathan Sarba of the GoodFellas Security Research Team had discovered a flaw in the MFC42 and MFC71 libraries offered natively in Windows.
Now, researcher Petko D. Petkov — discoverer of the QuickTime attack vector Mozilla moved to block this week with a Firefox security update — is warning of a serious flaw in Adobe Acrobat/Reader in which .pdf files can be used to compromise a Windows machine. Petkov says in his blog that this can be done “Completely!!! Invisibly and unwillingly!!! All it takes is to open a .pdf document or stumble across a page which embeds one.”
He adds in the blog posting: “The issue is quite critical given the fact that .pdf documents are in the core of today’s modern business. This and the fact that it may take a while for Adobe to fix their closed source product, are the reasons why I am not going to publish any POCs (proof-of-concept code). You have to take my word for it. The POCs will be released when an update is available.”
The folks at the SANS Internet Storm Center warned about the flaw on their Web site, but said they have no information about any exploits.