Users are advised to blacklist the affected API call or, failing that, to disable JavaScript

Dec 16, 2009 13:20 GMT

A new critical arbitrary code execution vulnerability affecting all versions of Adobe Reader and Acrobat is currently being exploited to infect the computers of unsuspecting users. After reports of ongoing attacks surfaced, Adobe confirmed the flaw and offered temporary mitigations.

This year has been very bad for Adobe in terms of security incidents. Critical vulnerabilities that lead to full system compromise have plagued some of its most widespread products, such as Adobe Flash Player or Adobe Reader. Many of these led to zero-day attacks, or in other words, attacks that exploited the flaws before the company had time to patch them.

The latest attacks are performed through maliciously crafted PDF files and target a vulnerable JavaScript method called Doc.media.newPlayer(). "We can tell you that this exploit is in the wild and is actively being used by attackers and has been in the wild since at least December 11, 2009. However, the number of attacks is limited and most likely targeted in nature," the Shadowserver Foundation, an anti-cybercrime outfit, announced on Monday.

Secunia, a well-known vulnerability management company, describes the vulnerability as a memory corruption issue and rates it as extremely critical. "The vulnerability is caused due to an unspecified error in the implementation of the 'Doc.media.newPlayer()' JavaScript method. This can be exploited to corrupt memory and execute arbitrary code via a specially crafted PDF file," it explains.
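Because the attack arrives as a PDF whose embedded JavaScript calls Doc.media.newPlayer(), a first triage step for mail gateways or incident responders is to inflate each PDF stream and look for a reference to that method. The scanner below is an added example written for this article, not code from Adobe, Secunia or Shadowserver; the sample PDF it builds is constructed inline purely as test input (it contains no exploit, just a call to the named method), and the regexes and verdict labels are my own choices.

```python
import re
import zlib

# Regexes for a lightweight triage pass over a PDF's raw bytes.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
JS_MARKER_RE = re.compile(rb"/(JavaScript|JS)\b")
NEWPLAYER_RE = re.compile(rb"media\s*\.\s*newPlayer", re.I)


def build_sample_pdf(js_source: str) -> bytes:
    """Constructed test input: a minimal PDF whose OpenAction runs a
    FlateDecode-compressed JavaScript stream. Synthetic, not a real sample."""
    body = zlib.compress(js_source.encode("latin-1"))
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /S /JavaScript /JS 4 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(body)
        + body + b"\nendstream",
    ]
    out = bytearray(b"%PDF-1.6\n")
    for num, obj in enumerate(objs, 1):
        out += b"%d 0 obj\n" % num + obj + b"\nendobj\n"
    out += b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    return bytes(out)


def stream_bodies(pdf: bytes):
    """Yield each stream body raw and, where zlib accepts it, inflated.
    Malicious PDFs keep the script behind /FlateDecode, so matching only the
    raw bytes would miss it; decompressobj also returns whatever it managed
    to inflate from a deliberately truncated stream."""
    for m in STREAM_RE.finditer(pdf):
        raw = m.group(1)
        yield raw
        try:
            yield zlib.decompressobj().decompress(raw)
        except zlib.error:
            pass  # not a zlib stream (image data, another filter, garbage)


def scan_pdf(pdf: bytes) -> dict:
    """Triage verdict: 'suspicious' if any stream references media.newPlayer,
    'review' if the file carries JavaScript at all, otherwise 'clean'."""
    has_js = bool(JS_MARKER_RE.search(pdf))
    hits = []
    for data in stream_bodies(pdf):
        for m in NEWPLAYER_RE.finditer(data):
            context = data[max(0, m.start() - 30): m.end() + 30]
            hits.append(context.decode("latin-1", "replace"))
    verdict = "suspicious" if hits else ("review" if has_js else "clean")
    return {"has_javascript": has_js, "newplayer_hits": hits, "verdict": verdict}


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, scan_pdf(fh.read()))
```

Run it as `python scan.py *.pdf`. Keep in mind what such string matching cannot do: the in-the-wild samples Shadowserver describes are heavily obfuscated, and a script that assembles the property name at run time, or hides the stream behind a filter other than FlateDecode, will not be flagged. Treat a "review" verdict (JavaScript present, nothing matched) as a reason to detonate the file in a sandboxed reader, and treat the scanner as a complement to the blacklist mitigation Adobe describes rather than a replacement for it.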

After investigating the reports, Adobe's Product Security Incident Response Team (PSIRT) confirmed yesterday that "a critical vulnerability exists in Adobe Reader and Acrobat 9.2 and earlier for Windows, Macintosh and UNIX operating systems." According to the published Security Advisory, the company plans to release a patch by January 12, 2010.

This means that attackers could have a window of opportunity of over three weeks to freely infect users. In this case, attacks are very likely to increase in number in the immediate future. In the meantime, Adobe has offered some temporary mitigation solutions.

Users of Adobe Reader and Acrobat versions 9.2 or 8.1.7 can use a security feature called the "JavaScript Blacklist Framework," which blocks specific JavaScript API calls, such as Doc.media.newPlayer(), from being invoked while leaving the rest of the JavaScript engine working. Adobe has published step-by-step instructions for enforcing this on Windows, Mac and UNIX-based systems.
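On Windows the blacklist is a machine-wide registry value that an administrator sets, so the practical pitfall is overwriting entries that were already there. The script below is an added example, not Adobe's own tooling: it reads the current value, merges the newPlayer entry in without duplicating or dropping existing entries, and writes it back only when asked. The key paths, the `tBlackList` value name, the `|` separator and the `DocMedia.newPlayer` spelling are what I recall from Adobe's TechNote and are assumptions to confirm against Adobe's published instructions before deployment; the `merge_blacklist` and `is_blacklisted` helpers are my own.

```python
from typing import Dict, Optional, Tuple

# Administrator-set blacklist locations for the products in the advisory.
# Assumption: paths and entry name follow Adobe's TechNote as I recall it;
# confirm against the published instructions before rolling this out.
BLACKLIST_KEYS = {
    "Adobe Reader 9.x": r"SOFTWARE\Policies\Adobe\Acrobat Reader\9.0\FeatureLockDown\cJavaScriptPerms",
    "Adobe Reader 8.x": r"SOFTWARE\Policies\Adobe\Acrobat Reader\8.0\FeatureLockDown\cJavaScriptPerms",
    "Adobe Acrobat 9.x": r"SOFTWARE\Policies\Adobe\Adobe Acrobat\9.0\FeatureLockDown\cJavaScriptPerms",
    "Adobe Acrobat 8.x": r"SOFTWARE\Policies\Adobe\Adobe Acrobat\8.0\FeatureLockDown\cJavaScriptPerms",
}
VALUE_NAME = "tBlackList"      # REG_SZ; several entries are separated by "|"
ENTRY = "DocMedia.newPlayer"   # blacklist spelling of Doc.media.newPlayer()


def parse_blacklist(value: Optional[str]) -> list:
    """Split a tBlackList string into its entries, ignoring blanks."""
    return [p.strip() for p in (value or "").split("|") if p.strip()]


def merge_blacklist(existing: Optional[str], entry: str = ENTRY) -> str:
    """Return tBlackList with entry added. Existing entries are kept and the
    entry is not duplicated; blindly overwriting the value would remove
    blocks an administrator set for earlier advisories."""
    parts = parse_blacklist(existing)
    if not any(p.lower() == entry.lower() for p in parts):
        parts.append(entry)
    return "|".join(parts)


def is_blacklisted(value: Optional[str], entry: str = ENTRY) -> bool:
    """True if entry already appears in the tBlackList string (case-insensitive)."""
    return any(p.lower() == entry.lower() for p in parse_blacklist(value))


def apply_blacklist(products: Dict[str, str] = BLACKLIST_KEYS,
                    dry_run: bool = True) -> Dict[str, Tuple[Optional[str], str]]:
    """Read, merge and (unless dry_run) write tBlackList under each product key.
    Needs Windows and administrative rights for HKLM; elsewhere returns {}.
    Pass only the products actually installed: when writing, a missing
    Policies key is created."""
    try:
        import winreg
    except ImportError:
        return {}
    results = {}
    for name, path in products.items():
        access = winreg.KEY_READ | (0 if dry_run else winreg.KEY_WRITE)
        opener = winreg.OpenKey if dry_run else winreg.CreateKeyEx
        try:
            with opener(winreg.HKEY_LOCAL_MACHINE, path, 0, access) as key:
                try:
                    current, _ = winreg.QueryValueEx(key, VALUE_NAME)
                except FileNotFoundError:
                    current = None
                merged = merge_blacklist(current)
                if not dry_run and merged != current:
                    winreg.SetValueEx(key, VALUE_NAME, 0, winreg.REG_SZ, merged)
                results[name] = (current, merged)
        except OSError as exc:
            results[name] = (None, "error: %s" % exc)
    return results


if __name__ == "__main__":
    import sys
    for product, (before, after) in apply_blacklist(dry_run="--apply" not in sys.argv).items():
        print("%-18s before=%r after=%r" % (product, before, after))
```

Run it once without arguments from an elevated prompt to see what would change, then with `--apply` to write the value. After applying, verify with the reader itself: open a document that calls the method and confirm the call is refused, because a typo in the entry name silently blocks nothing.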

People using the 9.2 or 8.1.7 versions of the products on Windows XP SP3, Windows Vista SP1, or Windows 7 can reduce the risk of being compromised by keeping DEP (Data Execution Prevention) enabled; DEP does not remove the flaw, but it makes a successful exploit harder to build. For users who cannot use the JavaScript Blacklist Framework for whatever reason, the only remaining option is to disable JavaScript in the application entirely (in Reader, Edit > Preferences > JavaScript, uncheck "Enable Acrobat JavaScript"), at the cost of breaking any forms or documents that rely on it.

Earlier this year, Adobe launched a program aimed at strengthening the security of Adobe Reader and Acrobat. As part of it, the company introduced a quarterly update cycle aligned with Microsoft's Patch Tuesday and started a review of critical code areas to find vulnerabilities in-house before attackers do.