Internet Explorer Zero-day Vulnerability (CVE-2013-1347) [Updated]
Posted: 07 May 2013 03:26 PM

A new vulnerability found in Microsoft Internet Explorer affects Internet Explorer version 8.  The vulnerability allows attackers to execute code on a machine by just having the user visit a malicious website. This can happen, for example, when the user is tricked into clicking a link in an email or via compromised legitimate websites, such as the recently compromised Department of Labor website, which was subsequently used in a water hole attack. Malicious payloads delivered from this compromise were confirmed by Microsoft to exploit the new vulnerability, designated CVE-2013-1347.

 

 

The vulnerability itself lies in the way that Internet Explorer accesses an object in memory that has been deleted or not properly allocated (a use-after-free condition). A Metasploit module for the vulnerability is now public, which means working exploit code is freely available, and we anticipate that we'll soon see this Internet Explorer vulnerability used in broader attacks.

 

More information about the vulnerability can be found in Microsoft Advisory 2847140.

 

How Does Websense Protect You?

Websense customers are protected with ACE™, our Advanced Classification Engine.

 

ACE is able to protect from all known samples (at a URL level and with real-time analytics).  We have also examined the sample code from Metasploit and added protection for that and any subsequent variations.

 

If we correlate this attack to the 7 Stages of Advanced Threats (as explained in our whitepaper), we currently have protection for:

  • Stage 2 (Lure) - the website involved in the water hole attack
  • Stage 3 (Redirect) - the websites that take the user to the delivery of the exploit code
  • Stage 4 (Exploit Kit) - we have real-time detection of the exploit code
  • Stage 6 (Call Home) - we offer protection from the websites used as a Command & Control
  • Should the malware author's attack be successful, our customers would be protected from Stage 7 (Data Theft) through the use of our data loss prevention tools.

 

As a member of the Microsoft Active Protection Program (MAPP), we are also working with Microsoft to monitor this situation.

 

[Update]

Thursday, May 9, 2013:

Microsoft has released a "Fix it" solution for CVE-2013-1347. Keep in mind, however, that a Fix it is an interim mitigation and not as strong as a full patch.


Carl Leonard

How are Java attacks getting through?
Posted: 25 Mar 2013 09:01 PM

Were you aware that Java is increasingly being viewed as a security risk? Of course you were; recent high-profile attacks have firmly established the trend, so we're not going to do yet another roundup here.

 

Instead, let's drill in and try to understand the core problem. With so many vulnerabilities, it's hard to keep browsers up to date with the latest patched versions, especially because Java is updated independently from the browser. How hard is it? We decided to check.

 

We recently added Java version detection to our Advanced Classification Engine (ACE™) and pumped it into the Websense ThreatSeeker® Network to get real-time telemetry about which versions of Java are actively being used across tens of millions of endpoints. Here's what we found (you may need to click on the graph to see all the detail):

 

Figure 1: Global distribution of Java Runtime Environment versions based on active browser usage

 

As you can see, Java versions are all over the map. At the time of this writing, the latest Java Runtime Environment is 1.7.17, but only about five percent of the overall mix are using it. Most versions are months and even years out of date. How does this translate into the attack space?  

 

Exploit kits are a very common tool for distribution of many Java-based threats. From the billions of daily web requests being classified through our network, here is the breakdown of the active browser requests that are exploitable and which exploit kits have incorporated attacks for them.

 

 

Java Vulnerability   Vulnerable Versions**   Browsers Vulnerable   Exploit Kits With Live Exploits
CVE-2013-1493        1.7.15, 1.6.41          93.77%                Cool
CVE-2013-0431        1.7.11, 1.6.38          83.87%                Cool
CVE-2012-5076        1.7.07, 1.6.35          74.06%                Cool, Gong Da, MiniDuke
CVE-2012-4681        1.7.06, 1.6.34          71.54%                Blackhole 2.0, RedKit, CritXPack, Gong Da
CVE-2012-1723        1.7.04, 1.6.32          67.72%                Blackhole 2.0, RedKit, CritXPack, Gong Da
CVE-2012-0507        1.7.02, 1.6.30          59.51%                Cool, Blackhole 2.0, RedKit, CritXPack, Gong Da

** All prior JRE versions below those listed are also vulnerable (1.7.15 means Java 7 Update 15, i.e. version string 1.7.0_15, and everything earlier).

 

It is probably no surprise that the largest single exploited vulnerability is the most recent one, with a vulnerable population of browsers at 93.77%. That's what the bad guys do: examine your security controls and find the easiest way to bypass them. Grabbing a copy of the latest version of Cool and using a pre-packaged exploit is a pretty low bar to go after such a large population of vulnerable browsers. Most browsers are vulnerable to a much broader array of well-known Java holes: over 75% use versions that are at least six months old, nearly two-thirds are more than a year out of date, and more than 50% are more than two years behind the times with respect to Java vulnerabilities. And don't forget that if you're not on version 7 (which is 78.86% of you), Oracle won't be sending you any more updates even if new vulnerabilities are uncovered.
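As an added example (not code from the original post), here is how the table above can be turned into a version check of the kind the telemetry needs. It assumes the post's "1.7.15 / 1.6.41" notation means Java 7 Update 15 and Java 6 Update 41, i.e. the 1.7.0_15 and 1.6.0_41 strings a JRE actually reports, applies the footnote's rule that every earlier update is also vulnerable, and runs over a constructed list of version strings to reproduce the table's "vulnerable" percentage. The sample list is made up, not real telemetry.

```python
import re
from typing import Dict, List, Optional, Tuple

# CVE -> (last vulnerable Java 7 update, last vulnerable Java 6 update), taken from
# the table in the post. Assumption: "1.7.15" in the post means Java 7 Update 15
# (version string 1.7.0_15). JRE 5 and earlier are treated as vulnerable to every
# entry, following the table's footnote.
VULN_TABLE: Dict[str, Tuple[int, int]] = {
    "CVE-2013-1493": (15, 41),
    "CVE-2013-0431": (11, 38),
    "CVE-2012-5076": (7, 35),
    "CVE-2012-4681": (6, 34),
    "CVE-2012-1723": (4, 32),
    "CVE-2012-0507": (2, 30),
}

# The 1.<family>.0_<update>[-build] scheme used by Java 5, 6 and 7.
_VERSION_RE = re.compile(r"\b1\.(\d)\.(\d+)(?:_(\d+))?")


def parse_jre_version(text: str) -> Optional[Tuple[int, int]]:
    """Extract (family, update) from strings such as '1.7.0_15' or 'Java/1.6.0_41-b02'.

    Returns None when no 1.x JRE version is present (e.g. a browser without Java).
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    family, _patch, update = m.groups()
    return int(family), int(update or 0)


def applicable_cves(version: str) -> List[str]:
    """CVEs from the table that a browser running this JRE version is exposed to."""
    parsed = parse_jre_version(version)
    if parsed is None:
        return []
    family, update = parsed
    hits = []
    for cve, (last7, last6) in VULN_TABLE.items():
        if family == 7:
            vulnerable = update <= last7
        elif family == 6:
            vulnerable = update <= last6
        elif family < 6:
            vulnerable = True   # footnote: all earlier JRE versions are vulnerable
        else:
            vulnerable = False  # a family newer than the table (none existed at the time)
        if vulnerable:
            hits.append(cve)
    return hits


def vulnerable_share(observed: List[str]) -> Dict[str, float]:
    """Percentage of observed JRE-bearing browsers exposed to each CVE.

    Mirrors the 'Browsers Vulnerable' column; entries with no parseable JRE
    version are left out of the denominator.
    """
    counts = {cve: 0 for cve in VULN_TABLE}
    total = 0
    for entry in observed:
        if parse_jre_version(entry) is None:
            continue
        total += 1
        for cve in applicable_cves(entry):
            counts[cve] += 1
    return {cve: round(100.0 * n / total, 2) if total else 0.0 for cve, n in counts.items()}


# Constructed sample of version strings as telemetry might report them; not real data.
SAMPLE_TELEMETRY = [
    "Java/1.7.0_17",               # current at the time of the post: exposed to nothing
    "1.7.0_15",                    # one update behind: CVE-2013-1493 only
    "1.7.0_11-b21",                # two patch cycles behind
    "1.6.0_41",
    "1.6.0_31",
    "1.5.0_22",                    # end-of-life JRE, vulnerable to everything listed
    "1.7.0_02",
    "Mozilla/5.0 (no Java plugin)",
]

if __name__ == "__main__":
    for entry in SAMPLE_TELEMETRY:
        print(f"{entry:32s} {', '.join(applicable_cves(entry)) or '-'}")
    for cve, pct in vulnerable_share(SAMPLE_TELEMETRY).items():
        print(f"{cve}: {pct}% of sampled browsers vulnerable")
```

The check deliberately ignores the third component of the version string: for these JRE families it is always 0, and the update number is what the exploit kits key on.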

 

How do you stop the onslaught if the patches aren't keeping up? Given the complexity and dynamism of exploit kits and their updates, exploit signatures do not suffice. Our protection model against new Java exploits is to use our analytics and real-time telemetry to proactively intercept new instances at every step of their attack strategy. Most prominently, ACE covers the exploit kit/exploit phase with a fine-grained knowledge of the expressible threats from all of the major kits, including not just the vulnerabilities, but also the obfuscation techniques, redirection techniques, and re-packaging of their dropper files. Here are just a few other ways we interrupt the malware kill chain to make it harder for the bad guys to drive right through this sizable hole in current IT infrastructure:

 

  • Real-time intelligence to block lures, phishing, and other forms of social engineering coming across web, email, and mobile platforms
  • Real-time inbound intelligence to identify known or suspicious malware destinations and compromised sites 
  • Real-time outbound intelligence to identify command and control communication, bot networks, dynamic DNS requests, and fingerprinted data headed to the wrong people or places
  • Identifying malicious droppers both statically and behaviorally (via Websense ThreatScope™)

 

 

It's clearly not just the zero-day attacks that should be getting all of the attention.

Happy New Year and Unhappy New IE Zero-Day! (CVE-2012-4792)
Posted: 02 Jan 2013 06:28 AM

First, welcome to 2013 and we trust that you had a happy holiday period. As is to be expected, holidays or not, there is no rest for the wicked (be that attacker or defender) and therefore we kick off our 2013 blog with details of CVE-2012-4792, an Internet Explorer zero-day vulnerability.

 

The Websense® ThreatSeeker® Network has already detected instances of this vulnerability being exploited in the wild, unsurprising given that the exploit is publicly available as a Metasploit module, and therefore it is likely that attacks will continue to gain traction.

 

Websense customers are protected from this threat by Websense ACE (Advanced Classification Engine).

 

The vulnerability, as recently announced in Microsoft Security Advisory 2794220, affects users of Microsoft Internet Explorer versions 6, 7, and 8 and could allow attackers to remotely execute code on vulnerable machines by simply having the victim visit a malicious website.

 



As seen countless times in the past, typical tactics for enticing victims to visit these malicious sites often include tricking them into clicking links in fake emails, or simply compromising legitimate websites to serve malicious payloads to their unsuspecting visitors.

 

This particular vulnerability is caused by how Internet Explorer accesses an object in memory that has been deleted or improperly allocated (a use-after-free condition). Exploitation results in memory corruption, which in turn could allow an attacker's own code to execute in the context of the current user, i.e. with the same privileges as the logged-on user.

 

At this time, Microsoft has not released a patch in order to address this vulnerability. However it has provided an easy one-click 'Fix It' solution. Internet Explorer versions 9 and 10 are listed as not being vulnerable.

 

Websense Security Labs™ are continuing to monitor this situation and, as a member of the Microsoft Active Protection Program (MAPP), are working with Microsoft in order to provide the best protection to our customers.

 

Update:

Microsoft has issued an Out Of Band update for CVE-2012-4792, which you can read about here.

Jason Hill

Internet Explorer zero-day vulnerability
Posted: 17 Sep 2012 10:13 PM

A new vulnerability found in Microsoft Internet Explorer affects Internet Explorer versions 6, 7, 8, and 9. The vulnerability allows attackers to execute code on a machine by just having the user visit a malicious website. This can happen, for example, when the user is tricked into clicking a link in an email or via compromised legitimate websites.

 

 

The vulnerability itself lies in the way that Internet Explorer accesses an object in memory that has been deleted or not properly allocated. A Metasploit module for the vulnerability is now public, which means working exploit code is freely available, and we anticipate that we'll soon see this Internet Explorer vulnerability used in broader attacks. More information about the vulnerability can be found in Microsoft Advisory 2757760.

 

We have released updates to the real-time analytics of ACE™, our Advanced Classification Engine, which means that Websense customers are protected. As a member of the Microsoft Active Protection Program (MAPP), we are also working with Microsoft to monitor this situation.

 

UPDATE:

On Friday September 21, 2012, Microsoft released an out-of-band patch, MS12-063, to address this vulnerability. The above vulnerability, documented as CVE-2012-4969, was addressed along with four other vulnerabilities affecting Internet Explorer. We recommend that you apply this patch to your environment as soon as possible.


Patrik Runald

New Java 0-day used in small number of attacks
Posted: 27 Aug 2012 02:57 PM

Over the weekend, information started appearing that there was a new Java zero-day vulnerability (CVE-2012-4681) being used in a small number of attacks. We have analyzed samples from the attack and can confirm that Websense customers using products that have our Advanced Classification Engine (ACE) have been protected against this zero-day attack by real-time analytics dating back to early 2009.

 

 

We have confirmed that the exploit doesn't work on version 1.6.x of Java, but it does work on 1.7.0.5 and 1.7.0.6 (latest available versions). David at Errata Security has tried and verified that the same exploit works just as well on Linux and OS X including Mountain Lion 10.8.1. That's right folks, yet another cross-platform vulnerability in Java, and with the increasing amount of Mac malware that we're seeing, we wouldn't be surprised if this starts being used against Mac users shortly. 

 

Regardless of which browser and operating system you use, make sure you disable, or better yet uninstall, Java unless you really need it. Brian Krebs has instructions on how to disable Java in browsers on both Windows and Mac. There's already a Metasploit module for the new vulnerability, which increases the risk of it being used in attacks against a larger number of targets.

 

The obfuscated JavaScript above will download a file called applet.jar (VirusTotal report), which, in turn, uses the vulnerability to download the payload hi.exe (VirusTotal report) that it saves as update.exe and executes on the system. The downloaded EXE file is a variant of Poison Ivy that tries to connect to a known malicious host in Singapore. See our ThreatScope report for more information about the file.

Microsoft patches 15 important vulnerabilities
Posted: 15 Sep 2011 02:45 PM

This month, Microsoft issued five security bulletins covering 15 vulnerabilities in Windows, Office (Excel) and SharePoint. All five are rated Important rather than Critical, and at the time of release there was no known malicious code exploiting these vulnerabilities in the wild. Adobe also released a security bulletin patching 13 vulnerabilities in Acrobat and Reader. Websense® Security Labs highly recommends applying the updates so that cyber criminals cannot use these security holes for their malicious activities.

 

Arguably the most important bulletin is MS11-072, which fixes five different vulnerabilities in Microsoft Excel. An attacker could use any of these to execute arbitrary code on the computer with the same access rights as the user who opens a crafted spreadsheet. Office documents remain a focus for attackers, who are constantly looking for new ways to distribute their malware. Such issues are probably getting more headlines as Adobe's sandboxing and regular security patches seem to be paying off, meaning an up-to-date system is much less prone to successful exploitation through malicious PDFs.

 

This does not mean, of course, that we will see no more vulnerabilities in Acrobat Reader. This Tuesday Adobe issued a security bulletin too, fixing 13 vulnerabilities in the product. Each of them could allow an attacker to execute code on the host computer and take full control of it. The update is rated Critical, so applying it is strongly recommended.

 

 

Also worth mentioning is that many vendors have shipped updates removing trust in the DigiNotar certificates: Microsoft, Adobe and Mozilla all issued such updates, and Firefox even released an additional security update for this issue. Please check that you have applied the latest updates so you are fully protected.

 

Is your organization using the latest Firefox 6 or Internet Explorer 9? Which one did you find more secure? Give us your thoughts in the comments.

 

Vulnerabilities patched by Microsoft on 13 September 2011:

MS11-070 WINS Local Elevation of Privilege Vulnerability (CVE-2011-1984)

MS11-071 Windows Components Insecure Library Loading Vulnerability (CVE-2011-1991)

MS11-072 Excel Use after Free WriteAV Vulnerability (CVE-2011-1986)

MS11-072 Excel Out of Bounds Array Indexing Vulnerability (CVE-2011-1987)

MS11-072 Excel Heap Corruption Vulnerability (CVE-2011-1988)

MS11-072 Excel Conditional Expression Parsing Vulnerability (CVE-2011-1989)

MS11-072 Excel Out of Bounds Array Indexing Vulnerability (CVE-2011-1990)

MS11-073 Office Component Insecure Library Loading Vulnerability (CVE-2011-1980)

MS11-073 Office Uninitialized Object Pointer Vulnerability (CVE-2011-1982)

MS11-074 XSS in SharePoint Calendar Vulnerability (CVE-2011-0653)

MS11-074 HTML Sanitization Vulnerability (CVE-2011-1252)

MS11-074 Editform Script Injection Vulnerability (CVE-2011-1890)

MS11-074 Contact Details Reflected XSS Vulnerability (CVE-2011-1891)

MS11-074 SharePoint Remote File Disclosure Vulnerability (CVE-2011-1892)

MS11-074 SharePoint XSS Vulnerability (CVE-2011-1893)

 

Vulnerabilities patched by Adobe on 13 September 2011:

Local privilege-escalation vulnerability (Adobe Reader X (10.x) on Windows only) (CVE-2011-1353).

Security bypass vulnerability that could lead to code execution (CVE-2011-2431).

Buffer overflow vulnerability in the U3D TIFF Resource that could lead to code execution (CVE-2011-2432).

Heap overflow vulnerability that could lead to code execution (CVE-2011-2433).

Heap overflow vulnerability that could lead to code execution (CVE-2011-2434).

Buffer overflow vulnerability that could lead to code execution (CVE-2011-2435).

Heap overflow vulnerability in the Adobe image parsing library that could lead to code execution (CVE-2011-2436).

Heap overflow vulnerability that could lead to code execution (CVE-2011-2437).

Stack overflow vulnerabilities in the Adobe image parsing library that could lead to code execution (CVE-2011-2438).

Memory leakage condition vulnerability that could lead to code execution (CVE-2011-2439).

Use-after-free vulnerability that could lead to code execution (CVE-2011-2440).

Stack overflow vulnerabilities in the CoolType.dll library that could lead to code execution (CVE-2011-2441).

Logic error vulnerability that could lead to code execution (CVE-2011-2442).

 

Websense Security Labs and our ThreatSeeker Network are constantly monitoring for these threats occurring in the wild.

 

Vulnerability in TimThumb WordPress Plugins - The Effects
Posted: 15 Aug 2011 07:45 AM

With the popularity of the WordPress blogging platform, security researchers here at Websense® Security Labs are sure to sit up and take note of any reported zero-day threats affecting the platform itself or the plugins used by blog masters.

 

Recently, we saw a post by Mark Maunder of the technology company Feedjit, in which he described a compromise caused by a WordPress plugin. The danger was that this was a zero-day issue affecting a popular image-resizing tool (TimThumb) often used within WordPress. That was on August 1.

 

 

Sure enough, just one week after this initial warning, our ThreatSeeker® Network began to see code injected into WordPress Web sites. At first we saw a reference to the domain hxxp://superpuperdomain.com/ injected at the foot of compromised WordPress blogs. This code appears to have been delivering advertisements to end users via redirects to search engines.

 

Last Friday, we saw a slight adaptation within the injected code. This time, visitors to compromised sites were led to the domain hxxp://superpuperdomain2.com/, which seemingly was a placeholder for more nefarious malicious activity. Websense customers are protected with ACE, our Advanced Classification Engine.

 

Interestingly, over the weekend, we saw the number of injections leading to the first URL decrease as the use of the second URL ramped up on August 12, as the chart below shows:

 

 

This course of events is fairly typical in the life of a zero-day vulnerability. As the issue becomes known, developers rush to fix the vulnerability; in the meantime, malware authors attack vulnerable websites and deliver variations of their attack code to bypass security products. In this case, we saw peaks of 10,000 WordPress-running Web sites infected with the code.
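The injection pattern described above, turned into a small page scanner as an added example (this is not Websense code or anything from the original post). It flags two signals: a script or iframe pointing at either of the two domains named in the post, and any script or iframe that sits after the page's closing body tag, which is where code appended to a theme file ends up and where a legitimate theme places nothing. The HTML pages it runs over are constructed for the example, and the domains are written with a real http:// scheme rather than the post's defanged hxxp:// so that URL parsing works; the tally function reproduces the per-domain count the post charts over time.

```python
import re
from html.parser import HTMLParser
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Domains named in the post as the injection targets.
KNOWN_BAD_DOMAINS = {"superpuperdomain.com", "superpuperdomain2.com"}

_BODY_CLOSE_RE = re.compile(r"</body\s*>", re.IGNORECASE)


class _RefCollector(HTMLParser):
    """Collect the src of every <script> and <iframe> in a document, in order."""

    def __init__(self) -> None:
        super().__init__()
        self.refs: List[Tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.refs.append((tag, src))


def external_refs(html: str) -> List[Tuple[str, str]]:
    parser = _RefCollector()
    parser.feed(html)
    parser.close()
    return parser.refs


def hostname_of(url: str) -> str:
    """Lower-cased host of an absolute or protocol-relative URL; '' for site-local paths."""
    if url.startswith("//"):
        url = "http:" + url
    if "://" not in url:
        return ""
    return (urlparse(url).hostname or "").lower()


def is_known_bad(host: str) -> bool:
    """Exact match or a subdomain of a listed domain; look-alike suffixes do not match."""
    return host in KNOWN_BAD_DOMAINS or host.endswith(tuple("." + d for d in KNOWN_BAD_DOMAINS))


def scan_page(html: str) -> List[Tuple[str, str, str]]:
    """Return (reason, tag, url) findings for one page."""
    matches = list(_BODY_CLOSE_RE.finditer(html))
    tail = html[matches[-1].end():] if matches else ""
    tail_refs = set(external_refs(tail))       # references appended after </body>
    findings = []
    for tag, url in external_refs(html):
        host = hostname_of(url)
        if is_known_bad(host):
            findings.append(("known-bad-domain", tag, url))
        elif (tag, url) in tail_refs:
            findings.append(("appended-after-body", tag, url))
    return findings


def tally_by_domain(pages: List[str]) -> Dict[str, int]:
    """Number of pages carrying each known-bad domain (one count per page per domain)."""
    counts: Dict[str, int] = {}
    for html in pages:
        hosts = {hostname_of(url) for reason, _, url in scan_page(html) if reason == "known-bad-domain"}
        for host in hosts:
            counts[host] = counts.get(host, 0) + 1
    return counts


# Constructed pages for the example; the markup is made up, not captured from a real site.
CLEAN_PAGE = (
    "<html><head><script src=\"/wp-includes/js/jquery/jquery.js\"></script></head>\n"
    "<body><p>A post about nothing.</p></body></html>\n"
)
FIRST_WAVE = CLEAN_PAGE + "<script src=\"http://superpuperdomain.com/count.php\"></script>\n"
INJECTED_PAGE = CLEAN_PAGE + "<script src=\"http://superpuperdomain2.com/count.php\"></script>\n"
INJECTED_UNKNOWN = CLEAN_PAGE + "<iframe src=\"http://not-yet-known.example/x.html\" width=\"0\" height=\"0\"></iframe>\n"

if __name__ == "__main__":
    for page in (CLEAN_PAGE, INJECTED_PAGE, INJECTED_UNKNOWN):
        print(scan_page(page) or "clean")
    print(tally_by_domain([FIRST_WAVE, INJECTED_PAGE, INJECTED_PAGE, CLEAN_PAGE]))
```

The "appended-after-body" heuristic is what catches the next domain the attackers switch to before it is on any list; the domain match is what lets you count the wave you already know about.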

 

The research team over at Sucuri Security also noticed the same over the weekend. Their blog is here.

 

If you are running WordPress on your blog and want to find out more about TimThumb and how to get the latest version, you should take a look at the TimThumb Project page.


Carl Leonard

CVE-2011-2110 for Adobe Flash Player being exploited in the wild
Posted: 17 Jun 2011 08:30 PM

 

Earlier this week Adobe released security updates for several of their products, and the CVE-2011-2110 vulnerability in Flash Player is now actively being used in drive-by and spear-phishing attacks. Websense customers are protected from this threat by ACE, our Advanced Classification Engine.

 

The vulnerability is triggered when a website is viewed in a browser that has the Adobe Flash Player plugin installed; the page needs nothing more than a simple snippet that loads a malicious SWF file, as can be seen in this sample code captured by the Websense ThreatSeeker® Network:

 

 

Technical details

We are still analyzing the vulnerability and how the exploit works, but here's what we know. The exploit samples we've seen so far use a heap information leak, so they don't have to spray the heap. Once the vulnerability is triggered, control is transferred from legitimate code to malicious code when the stack pointer (ESP) is replaced with the value in EAX, i.e. a stack pivot.

 

 

Once the stack has been pivoted, the ROP portion of the attack allocates an executable memory page for the second stage of the shellcode.

 

 

Once the shellcode has executed, it will try to download an encrypted binary file that's decrypted by an embedded ActionScript. The decrypted file is saved in the %TEMP% folder on the computer and then executed. Here's a VirusTotal link to one binary we saw used by one of the exploit files, but each exploit downloads a different file from a different server.

 

 

 

We also found an interesting debug string in one of the SWF files we looked at, which is a greeting to Rising, a Chinese antivirus company.

 

 

Below is a list of URLs where we've seen the exploit being hosted.

 

 

As always, it's crucial that you install the latest version of Adobe Flash Player as soon as possible if you haven't done so already. Any version older than 10.3.181.26 is vulnerable. If you're unsure which version of Adobe Flash Player you have installed, you can find out by going to this link hosted at Adobe.


Our friends over at Shadowserver have posted some information about this vulnerability on their blog.


(Technical analysis done by Victor Chin)

Patrik Runald

MS Tuesday - February 2011
Posted: 09 Feb 2011 11:47 AM

System administrators and security experts focus on Patch Tuesday every month (also known as Microsoft Black Tuesday or MS Tuesday). This time Microsoft patched many important vulnerabilities, but have they fixed all currently known zero-days? Let's find out.

 

This time, on February 8th, Microsoft released 12 security bulletins fixing various vulnerabilities, including three rated Critical. Possibly the most important are the 0-day found recently in the Graphics Rendering Engine (GRE) and another 0-day that affects the Cascading Style Sheet (CSS) handler in Internet Explorer. The software giant also fixed a critical vulnerability in its OpenType Compact Font Format (CFF) driver.

 

A further nine Important bulletins were also included in this update, so it is highly recommended that users update all servers and workstations to avoid becoming a victim of online crime.

 

 

 

Some of the vulnerabilities included in this Patch Tuesday can be exploited remotely, while others need local access to the computer. Since a remote exploit requires no physical access to the victim's machine, users are more exposed to that type of attack. The Websense ThreatSeeker Network detects thousands of compromised Web sites every day, each leading to a malicious site that exploits unpatched vulnerabilities and gains full access to the unaware user's computer. Websense Security Gateway and Websense Hosted Services protect customers against this type of attack; however, it is very good practice to keep servers and workstations up to date.

 

The bulletins and vulnerabilities in detail:  

 

Three critical vulnerabilities have been patched:

 

  • MS11-003: Cumulative update which fixes four vulnerabilities in Internet Explorer. These vulnerabilities could allow an attacker to run arbitrary code on a computer without the user's consent while the user is browsing a malicious or compromised Web site. The four vulnerabilities include:

 

  • MS11-006: Fixes a publicly disclosed critical vulnerability in the Graphics Rendering Engine (GRE) in many Windows versions, including Windows XP, Server, and Vista. The vulnerability could allow an attacker to execute arbitrary code on a computer while the user is viewing a specially crafted thumbnail image. See this blog for further details. The following vulnerability has been patched:
    • CVE-2010-3970 - Windows Shell Graphics Processing Overrun Vulnerability (0-day)

 

  • MS11-007: Security update for an undisclosed vulnerability in the Compact Font Format (CFF) driver, which affects Windows versions including Windows XP, Server, and Windows 7. The vulnerability could allow an attacker to execute arbitrary code on a computer while the user is viewing content that includes a specially crafted OpenType font. The following vulnerability has been patched:

 

Nine non-critical, but important security patches:

 

  • MS11-004: This bulletin patches a vulnerability in the Microsoft Internet Information Services (IIS) FTP Service, which could allow an attacker to execute code on the FTP server using a malicious FTP command. Since the FTP Service is not installed by default on IIS, this update was rated "Important" only. The following vulnerability has been patched:
    • CVE-2010-3972 - IIS FTP Service Heap Buffer Overrun Vulnerability (0-day)

 

  • MS11-005: This is a security update for a vulnerability in Active Directory. The vulnerability could allow a cyber criminal to cause a denial of service on an Active Directory server; however, the attacker must first join the domain and have administrator privileges on it. Because of this, the vulnerability is not rated critical.

 

  • MS11-008: This bulletin resolves two undisclosed vulnerabilities in Microsoft Visio. Either could allow an attacker to execute arbitrary code on the computer while the user is viewing a specially crafted Visio file. The following vulnerabilities have been patched:

 

  • MS11-009: This one fixes an undisclosed vulnerability in the JScript and VBScript scripting engines. The vulnerability could allow an attacker to gather information from the user's computer while the user is visiting a malicious Web site. A typical trick to get a user to visit such a site is a spam or phishing e-mail carrying the link. The following vulnerability has been patched:
    • CVE-2011-0031 - Scripting Engines Information Disclosure Vulnerability

 

  • MS11-010: Another undisclosed vulnerability, this one affecting the Microsoft Windows Client/Server Run-time Subsystem (CSRSS) in Windows XP and Windows Server 2003. It could allow a local elevation of privilege by capturing sensitive logon information from users as they log on and off; an attacker could thereby gain the privileges of other users, including the administrator. The following vulnerability has been patched:
    • CVE-2011-0030 - CSRSS Elevation of Privilege Vulnerability

 

  • MS11-011: This is a cumulative update correcting two different vulnerabilities. Both could allow an elevation of privilege on a local computer by running a specially crafted application. The following vulnerabilities have been patched:
    • CVE-2010-4398 - Driver Improper Interaction with Windows Kernel Vulnerability
    • CVE-2011-0045 - Windows Kernel Integer Truncation Vulnerability

 

  • MS11-012: This cumulative update fixes five more elevation-of-privilege vulnerabilities, through which an attacker could gain the privileges of other users, including the administrator. To exploit them the attacker must be able to log on to the computer and run a specially crafted application. The following vulnerabilities have been patched:
    • CVE-2011-0086 - Win32k Improper User Input Validation Vulnerability
    • CVE-2011-0087 - Win32k Insufficient User Input Validation Vulnerability
    • CVE-2011-0088 - Win32k Window Class Pointer Confusion Vulnerability
    • CVE-2011-0089 - Win32k Window Class Improper Pointer Validation Vulnerability
    • CVE-2011-0090 - Win32k Memory Corruption Vulnerability

 

  • MS11-013: This bulletin patches Windows Kerberos. The vulnerability could allow a cyber criminal to forge Kerberos service tickets and gain the privileges of other users, including the administrator. However, the attacker must first join the domain and have administrator privileges on it. Because of this, the vulnerability is not rated critical. The following vulnerabilities have been patched:

 

  • MS11-014: This undisclosed vulnerability is yet another elevation-of-privilege issue, affecting the Local Security Authority Subsystem Service (LSASS) in Windows XP and Windows Server 2003. It could allow an attack on a local computer by running a specially crafted application on it; the attacker first needs valid credentials to log on to the computer and run applications. The following vulnerability has been patched:

 

As we have seen a couple of times in previous MS Tuesday bulletins, once again we have a very important security patch set. It contains many critical and high-severity fixes, resolving vulnerabilities that are actively used in ongoing attacks. Websense Security Labs therefore highly recommends applying the patches as soon as you can to improve immunity against these kinds of strikes.

 

Tamas Rudnai

New 0-day Vulnerability in Adobe Acrobat Reader
Posted: 08 Nov 2010 01:16 PM

A new, potentially critical vulnerability in Adobe Acrobat Reader has come to our attention at Websense Security Labs. Quick analysis shows that malicious PDF documents invoke the JavaScript method Doc.printSeps() to trigger the vulnerability. Proof-of-concept code places shellcode in memory using heap spraying to exploit it.

 

Websense Security Labs is monitoring the situation, and we will update this blog post as we discover more. It is possible that malicious hackers could set up rigged Web sites or insert malicious code into legitimate, compromised sites to infect visitors. The vulnerability could be used for remote code execution, but we are still investigating these claims. Websense customers are protected by our ACE real-time analytics.

 

Adobe has published advice on how to mitigate this vulnerability by blacklisting the vulnerable function call. The issue was unknown to the Adobe PSIRT team when Websense Security Labs informed them about it; respecting their wishes, we only disclosed the issue after their announcement. In the meantime, VUPEN also disclosed the issue.
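Beyond blacklisting the call in Reader, the two traits described above (the printSeps() call and a heap spray) can be looked for in PDFs at the gateway or on disk. The following scanner is an added example, not Websense code or code from the original post: it pulls document JavaScript out of /JS literal strings and out of FlateDecode streams, then checks each script for a printSeps call and for the unescape("%u...") pattern typical of heap sprays. The minimal PDF it builds for testing, and the scripts placed in it, are constructed for the example and are not exploit code; the stream parsing is simplified to inline /Length values and non-nested dictionaries.

```python
import re
import zlib
from typing import Dict, Iterator

# The post names Doc.printSeps(); in document JavaScript it is reached as
# this.printSeps(), so only the method name is matched, not the receiver.
PRINTSEPS_RE = re.compile(rb"\bprintSeps\s*\(")
# Heap-spray hint: a string built from %u-encoded shellcode via unescape().
SPRAY_RE = re.compile(rb"unescape\s*\(\s*[\"']%u", re.IGNORECASE)
# A dictionary immediately followed by a stream; nested dictionaries are not handled.
_STREAM_RE = re.compile(rb"<<([^<>]*)>>\s*stream\r?\n")


def js_literal_strings(data: bytes) -> Iterator[bytes]:
    """Yield the body of every /JS (...) literal string.

    PDF literal strings may contain balanced unescaped parentheses, so the end is
    found by nesting depth. Escapes are simplified: the byte after a backslash
    is kept as-is, which is enough for \\( \\) and \\\\.
    """
    for m in re.finditer(rb"/JS\s*\(", data):
        i, depth, out = m.end(), 1, bytearray()
        while i < len(data):
            c = data[i:i + 1]
            if c == b"\\":
                out += data[i + 1:i + 2]
                i += 2
                continue
            if c == b"(":
                depth += 1
            elif c == b")":
                depth -= 1
                if depth == 0:
                    break
            out += c
            i += 1
        yield bytes(out)


def decoded_streams(data: bytes) -> Iterator[bytes]:
    """Yield every stream body, inflating FlateDecode ones.

    An indirect /Length (e.g. '5 0 R') is not resolved; the body then runs to
    the next 'endstream' keyword.
    """
    for m in _STREAM_RE.finditer(data):
        dictionary, start = m.group(1), m.end()
        length = re.search(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)", dictionary)
        if length:
            body = data[start:start + int(length.group(1))]
        else:
            end = data.find(b"endstream", start)
            body = data[start:end] if end != -1 else b""
        if b"/FlateDecode" in dictionary:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                continue
        yield body


def scan_pdf(data: bytes) -> Dict[str, object]:
    """Report whether any script in the file calls printSeps and shows heap-spray signs."""
    scripts = list(js_literal_strings(data)) + list(decoded_streams(data))
    return {
        "javascript_blocks": len(scripts),
        "calls_printSeps": any(PRINTSEPS_RE.search(s) for s in scripts),
        "heap_spray_indicator": any(SPRAY_RE.search(s) for s in scripts),
    }


def build_test_pdf(js: str, compress: bool) -> bytes:
    """Constructed minimal PDF whose OpenAction runs `js`; exists only to exercise the scanner."""
    if compress:
        body = zlib.compress(js.encode())
        js_obj = (b"4 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(body)
                  + body + b"\nendstream\nendobj\n")
        action = b"<< /S /JavaScript /JS 4 0 R >>"
    else:
        js_obj = b""
        action = b"<< /S /JavaScript /JS (" + js.encode() + b") >>"
    return (b"%PDF-1.4\n"
            b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction " + action + b" >>\nendobj\n"
            b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
            + js_obj +
            b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")


# Constructed scripts: a harmless form script and one shaped like the post's
# description (spray, then the vulnerable call). Neither is a real exploit.
BENIGN_JS = 'app.alert("Thanks for filling in the form");'
SUSPICIOUS_JS = ('var s = unescape("%u9090%u9090"); var b = [];'
                 'for (var i = 0; i < 200; i++) { b[i] = s + s; }'
                 'this.printSeps();')

if __name__ == "__main__":
    for name, js, compress in (("benign", BENIGN_JS, False),
                               ("suspicious", SUSPICIOUS_JS, False),
                               ("suspicious/flate", SUSPICIOUS_JS, True)):
        print(name, scan_pdf(build_test_pdf(js, compress)))
```

Real samples also hide the method name behind string concatenation or eval, so a match here is a strong positive and a miss is not a clean bill of health; the point is that the decoded script, not the raw file, is what has to be inspected.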

 

 

In our test, Adobe Acrobat Reader crashed when the proof of concept document was loaded.

 

We will update this blog post with any interesting developments.

 

Update 09-Nov-2010:

The vulnerability is now registered as CVE-2010-4091 on mitre.org, and Adobe covers the issue in security advisory APSA10-05. There is still no evidence that this vulnerability has been exploited in the wild.

 

Tamas Rudnai


©2013 Websense, Inc. All Rights Reserved.