McAfee warns of unpatched vulnerability in Adobe Reader

An unpatched vulnerability in every version of Adobe Reader reveals where and when a PDF document is opened, says McAfee

McAfee researchers have warned of an unpatched vulnerability in every version of Adobe Reader that reveals where and when a PDF document is opened.

Although it does not allow remote code execution, the researchers found that the vulnerability is being exploited in the wild, according to a blog post by McAfee’s Haifei Li.

“Our investigation shows that the samples were made and delivered by an 'email tracking service' provider,” he wrote. Haifei Li said it is unknown if the vulnerability has been exploited for illegal purposes or for carrying out cyber attacks.

While researchers do not consider it a serious problem, they said the issue is a security vulnerability and have reported it to Adobe.

Li said that, to protect Adobe Reader users, McAfee would also not reveal key details of the vulnerability until a patch is available.

“Malicious senders could exploit this vulnerability to collect sensitive information such as IP address, internet service provider, or even the victim’s computing routine,” he wrote, noting that collecting information about targets is often the first step in an advanced persistent threat (APT) attack.

“Our analysis suggests more information could be collected by calling various PDF JavaScript APIs (application programming interfaces). For example, the document’s location on the system could be obtained by calling the JavaScript ‘this.path’ value,” wrote Li.

The case highlights the point that privacy protection is a part of security and demonstrates the need for constant exploration of methods of detection. Exploits of this vulnerability will not trigger memory corruption or code execution alerts.

“Some of the most advanced detection technologies in the industry failed to detect them,” wrote Li.

Until Adobe creates a patch, McAfee says Reader users should consider disabling JavaScript in Reader.
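
For defenders who want to know which incoming PDFs carry JavaScript at all, the sketch below is an added example, not code from McAfee, Adobe or the original article. It does not detect the undisclosed flaw itself; it only flags documents containing JavaScript or automatic-action names, including names obfuscated with PDF `#xx` escapes, and the sample bytes and function names are constructed for illustration.

```python
import re

# PDF names that introduce script or automatic actions, plus /ObjStm,
# whose compressed object streams can hide names from a raw byte scan.
TRACKED = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/ObjStm")

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# A name is "/" followed by any bytes that are not whitespace or delimiters.
_NAME = re.compile(rb"/[^\x00\t\n\x0c\r ()<>\[\]{}/%]+")


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes in a PDF name, e.g. /J#61vaScript -> /JavaScript."""
    plain = _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return plain.decode("latin-1")


def triage_pdf(data: bytes) -> dict:
    """Count tracked names in raw PDF bytes and summarise the findings."""
    counts = {name: 0 for name in TRACKED}
    for match in _NAME.finditer(data):
        name = decode_name(match.group(0))
        if name in counts:
            counts[name] += 1
    has_js = counts["/JavaScript"] > 0 or counts["/JS"] > 0
    return {
        "names": counts,
        "has_javascript": has_js,
        # 'this.path' is the API the article cites for reading the file location.
        "reads_document_path": has_js and b"this.path" in data,
        # Object streams are compressed, so a clean result is not conclusive.
        "inconclusive": counts["/ObjStm"] > 0,
    }


# Constructed sample: a minimal PDF-like fragment with an obfuscated name.
SAMPLE = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
    b"2 0 obj << /S /J#61vaScript /JS (var p = this.path;) >> endobj\n"
    b"%%EOF\n"
)
CLEAN = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"

if __name__ == "__main__":
    print(triage_pdf(SAMPLE))
    print(triage_pdf(CLEAN))
```

Script stored inside compressed streams is invisible to this byte-level scan, so treat it as a first-pass filter at a mail gateway or file share rather than a verdict.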
