Adobe has yet to patch a critical zero-day vulnerability in Acrobat and Reader applications which is in the wild and being exploited by malicious types using malformed PDF files. Now, more than two weeks after the exploit was reported by The Shadowserver Foundation and before Adobe can get the patch distributed (it is due on March 11th I am led to believe) the situation has got worse. A lot worse in fact. It would appear that the advice to disable JavaScript in order to avoid being exposed to the risk is no longer valid after a security consultant demonstrated that there was no clicking required, no need to open the malformed file, for the bug to be exploited and code executed. That said, the current in the wild exploits do seem to all require JavaScript so keeping it disabled is good advice. Unfortunately, now that the new data has been published the bad guys are likely to rush to exploit it before Adobe get that patch out.

Security specialist Didier Stevens has shown how a file can store a malicious stream object in meta data rather than the pages of a document, and how that meta data can be read by Windows Explorer through a shell extension which generates the required mouseover tooltips to execute the malicious code.

Stevens explains that when you install Adobe Acrobat Reader a Column Handler Shell Extension is installed which is "a special program (a COM object) that will provide Windows Explorer with additional data to display (in extra columns) for the file types the column handler supports. The PDF column handler adds a few extra columns, like the Title. When a PDF document is listed in a Windows Explorer windows, the PDF column handler shell extension will be called by Windows Explorer when it needs the additional column info. The PDF column handler will read the PDF document to extract the necessary info..."