A new critical vulnerability has been discovered in Adobe Reader that can be exploited by malicious content. The vulnerability could crash the reader due to a stack buffer overflow bug, which then potentially allows an attacker to run malicious code on the user's computer. This vulnerability is reported to be widely exploited and the exploit has been added to MetaSploit, therefore the severity is critical:

http://twitter.com/hdmoore/status/23982529312

All 9.3.4 and earlier versions of Adobe Reader are affected including Windows, Macintosh and Unix ones. The vulnerability is relying on a buffer boundary checking issue in the font parsing code in the cooltype.dll file. Adobe is currently evaluating the schedule for an update.

The sample has been detected by many antivirus products:

http://www.virustotal.com/file-scan/report.html?id=d55aa45223606db795d29ab9e341c1c703e5a2e26bd98402779f52b6c2e9da2b-1284031469

This sample checks the version of Adobe Reader and sprays different shellcodes for different versions. If it is not satisfied with the version number then it displays an alert: “Please update your PDF viewer software.”.

The exploit code in the vulnerable PDF file: 

The shellcode then downloads a fake antivirus onto the user's computer:

http://www.virustotal.com/file-scan/report.html?id=d6d089fcbd886363cfbc23c237cab8d99d5033eff9f6a4a3eeb95e32f5b80113-1283836305

The security advisory from Adobe:

http://www.adobe.com/support/security/advisories/apsa10-02.html

We have proved that ACE is protecting against the samples we have seen so far.