Virus spreading via PDF

Virus writers have created an exploit for an unpatched vulnerability in Adobe Flash Player, Acrobat and Acrobat Reader. The vulnerability exists in these applications on all platforms: Windows, OS X, Linux and Solaris.

The vulnerable products are:

  • Adobe Reader 9.1.2 and earlier 9.x versions
  • Adobe Flash Player 9.x and 10.x versions (current and earlier)

You can read the alert from Adobe at:

The exploit runs with the privileges of the current user. The known virus is delivered as a PDF file which could be attached to an email or posted on a web page.

OIT has seen an instance of an infected computer sending email with .PDF attachments. The emails carried a message saying the attachment was an e-card or an invoice for a recent purchase. The usual warnings apply: if you weren’t expecting an email with an attachment, don’t open the PDF attachment. If you don’t know the sender, don’t open the PDF attachment.

The malicious PDF contains Flash content. In the Windows environment, if the malicious PDF is opened with an Adobe product, it exploits the vulnerability through the Flash Player DLL called authplay.dll. On a Windows system, it is apparently possible to disable the connection between Acrobat and Flash by renaming that DLL and one in the same directory called rt3d.dll. This is the only workaround at this time. There are alternate PDF viewers that would not be vulnerable.
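Since the notice says the malicious PDFs carry Flash content, a mail gateway or help desk can triage suspicious attachments by checking for embedded Flash before anyone opens them in Acrobat. The scanner below is an added example written for this page, not code from OIT or Adobe. It looks for RichMedia annotation markers in the PDF text and for SWF file headers (FWS, CWS, ZWS) inside stream bodies, inflating FlateDecode streams so a compressed SWF is not missed. The sample PDFs it builds are constructed for demonstration and are not real malware; the function and indicator names are this example's own.

```python
import re
import sys
import zlib

# Text markers that indicate Flash content carried by a PDF (RichMedia annotations,
# Flash subtype, or an embedded .swf file name). Heuristic, not a full PDF parser.
RICHMEDIA_MARKERS = (b"/RichMedia", b"/Subtype /Flash", b"/Subtype/Flash", b".swf")
# SWF header magic: uncompressed, zlib-compressed, LZMA-compressed.
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")

# Match a stream body; the lookbehind stops "endstream" from being taken as a new start.
_STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def _inflate(data):
    """Best-effort zlib decompression of a stream body; returns b'' if it is not Flate data."""
    try:
        return zlib.decompressobj().decompress(data)
    except zlib.error:
        return b""


def find_flash_indicators(pdf_bytes):
    """Return a sorted list of Flash indicators found in the raw PDF bytes."""
    found = set()
    for marker in RICHMEDIA_MARKERS:
        if marker in pdf_bytes:
            found.add(marker.decode())
    # Check every stream body both raw and inflated for an SWF header.
    for match in _STREAM_RE.finditer(pdf_bytes):
        body = match.group(1)
        for candidate in (body, _inflate(body)):
            if candidate[:3] in SWF_MAGIC:
                found.add("swf-header:" + candidate[:3].decode())
    return sorted(found)


def contains_flash(pdf_bytes):
    """True if any Flash indicator is present; such a file deserves a closer look."""
    return bool(find_flash_indicators(pdf_bytes))


def build_sample_pdf(embed_flash):
    """Construct a minimal PDF (constructed demo data, not a real sample).

    With embed_flash=True it carries a RichMedia annotation and a fake SWF header
    stored in a FlateDecode stream, so only the inflated check can see the header.
    """
    parts = [
        b"%PDF-1.7\n",
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n",
        b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
    ]
    if embed_flash:
        # Fake SWF: magic, version byte, little-endian file length, padding. Not a playable file.
        swf = b"FWS\x0a" + (200).to_bytes(4, "little") + b"\x00" * 16
        comp = zlib.compress(swf)
        parts.append(b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>\nendobj\n")
        parts.append(b"4 0 obj\n<< /Type /Annot /Subtype /RichMedia "
                     b"/RichMediaContent << /Assets << /Names [(movie.swf) 5 0 R] >> >> >>\nendobj\n")
        parts.append(b"5 0 obj\n<< /Type /EmbeddedFile /Filter /FlateDecode /Length "
                     + str(len(comp)).encode() + b" >>\nstream\n" + comp + b"\nendstream\nendobj\n")
    else:
        parts.append(b"3 0 obj\n<< /Type /Page /Parent 2 0 R >>\nendobj\n")
    parts.append(b"%%EOF\n")
    return b"".join(parts)


if __name__ == "__main__":
    # Usage: python scan_pdf_flash.py file.pdf   (no argument: scan the constructed samples)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(sys.argv[1], find_flash_indicators(fh.read()))
    else:
        print("flash sample :", find_flash_indicators(build_sample_pdf(True)))
        print("benign sample:", find_flash_indicators(build_sample_pdf(False)))
```

A hit does not prove a file is malicious; plenty of legitimate PDFs embed Flash. It marks the attachment as one that should not be opened in a vulnerable Adobe product until the patch is installed, and that is the decision this notice is about.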

According to malware analysts, the exploit will work on Windows 9x, NT, 2K, XP, Vista, Server 2000 and Server 2003.

Adobe is working on a patch and says it will be ready for all platforms except Solaris on 7/30/09. Until then, use caution when opening PDFs. If you receive a PDF that crashes Acrobat, I’d like to know.

Tim Gurganus
OIT Security