Adobe has once again been the focus of online criminal activity after a new vulnerability in the PDF format emerged.
Although the security flaw is due to be patched in an update set for imminent release, experts have reported that it has already been exploited by hackers in order to seize control of an infected machine after initiating a system crash.
It was halfway through December 2009 that the vulnerability was first discovered, although Adobe decided to withhold a software update until the scheduled release date, leaving millions of users around the world potentially at risk.
Brad Arkin, who is head of security at Adobe, said that releasing a patch earlier would have compromised the timing of the imminent security update, which Adobe releases every three months.
Members of the data protection industry widely believe that the threat has become a reality, with a blog post on a mainstream vendor’s website claiming to have found examples of a modified PDF file allowing hackers to compromise the host’s PC online. The flaw affects both the Adobe Acrobat and Reader programs.
When the malicious PDF is executed it will dump a file named BKDR_POISON.UC onto the host computer. This file will then open up Internet Explorer, access a third-party website controlled by the hackers and allow them to modify the infected PC in any way that they may choose.
Although it has decided to hold back the release of a patch addressing this problem to coincide with other essential security updates, Adobe has given its customers a means by which to work around the problem until the fix arrives. Users are being told to disable JavaScript when using Reader, although for some this may not be a particularly convenient solution.
The logistical problems of patching security vulnerabilities are approached in various ways by different companies. Adobe’s approach is not entirely unusual, or indeed deserving of excessive criticism, as the flaw had been discovered but not exploited on a large scale. In the face of serious problems, the firm may well have reacted more swiftly.