French security research company VUPEN confirmed that an Adobe Reader and Acrobat vulnerability reported as a zero-day earlier today can be exploited to execute arbitrary code.
According to the reputed vulnerability intelligence vendor, the flaw is caused by a heap corruption error in the EScript.api plugin, which can occur when processing a function called printSeps().
VUPEN writes in its advisory that the vulnerability "could be exploited by attackers to crash an affected application or potentially compromise a vulnerable system by tricking a user into opening a specially crafted PDF file."
The bug affects Adobe Reader and Acrobat 9.4, and successful exploitation was confirmed on both Windows 7 and Windows XP SP3.
A proof-of-concept PDF exploit targeting this flaw was sent yesterday to the Full Disclosure mailing list by an anonymous reporter, with the comment "a mystery inside an enigma."
However, it seems that the vulnerability has been known in some circles for almost a year. Details about it were published on a Russian-language blog called "[Security Solutions] Research Lab" in November 2009.
The blog post describes the denial of service condition, but doesn't mention arbitrary code execution. It refers to printSeps as an "undocumented method."
This news couldn't come at a worse time for Adobe, which is already dealing with an actively exploited Flash Player zero-day.
The vulnerability was discovered last week and also affects the Flash interpreter in Adobe Reader and Acrobat. In fact, the only in-the-wild attack exploiting it so far has used malicious SWF content embedded into PDF documents.
The company was planning to release security updates for the two products during the week of November 15; however, this unexpected development might interfere with the patch schedule.
Adobe's Product Security Incident Response Team (PSIRT) has yet to comment on the new vulnerability, but given VUPEN's confirmation, an official advisory is imminent.
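Until a fix is available, defenders can triage incoming PDFs for the method named above. The following Python script is an added example, not code from VUPEN, Adobe or the original report: it flags files that carry JavaScript and reference printSeps, including inside Flate-compressed streams. All function names and the sample document are constructed for illustration; a hit means the file deserves closer inspection, and a miss does not clear it, because other stream filters and string encodings are not decoded.

```python
import re
import zlib

TOKEN = "printSeps"  # method name taken from the article
NEEDLES = (TOKEN.encode("ascii"), TOKEN.encode("utf-16-be"))
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)
NAME_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
JS_NAME_RE = re.compile(rb"/(?:JS|JavaScript)\b")


def decoded_bodies(data: bytes) -> list:
    """Return the raw file plus every stream that inflates as Flate/zlib."""
    bodies = [data]
    for match in STREAM_RE.finditer(data):
        try:
            # decompressobj tolerates the end-of-line bytes before "endstream".
            bodies.append(zlib.decompressobj().decompress(match.group(1)))
        except zlib.error:
            continue  # other filter or unfiltered; raw bytes are in bodies[0]
    return bodies


def scan_pdf(data: bytes) -> dict:
    """Triage one PDF: does it carry JavaScript, and is the token present?"""
    bodies = decoded_bodies(data)
    # PDF names may hide letters as #xx escapes (/J#53 == /JS); undo that first.
    names = [NAME_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), b)
             for b in bodies]
    return {
        "javascript": any(JS_NAME_RE.search(b) for b in names),
        "printseps_hits": sum(b.count(n) for b in bodies for n in NEEDLES),
    }


def build_sample(script: bytes) -> bytes:
    """Constructed, non-functional PDF fragment with one Flate stream."""
    packed = zlib.compress(script)
    head = b"%PDF-1.7\n1 0 obj\n<< /S /J#61vaScript /JS 2 0 R >>\nendobj\n"
    obj = b"2 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(packed)
    return head + obj + packed + b"\nendstream\nendobj\n"


if __name__ == "__main__":
    print(scan_pdf(build_sample(b"var marker = 'printSeps'; // constructed")))
```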