Yet Another PDF Vulnerability Exploited—Collab.getIcon 

Apr 09, 2009 04:57 PM

First the CollectEmailInfo vulnerability (CVE-2007-5659) was exploited in the wild, then the util.printf vulnerability (CVE-2008-2992), followed by JBIG2 (CVE-2009-0658) and the Foxit Reader bugs. Given the level of obfuscation the exploits typically use, telling the vulnerabilities apart in the wild has become a problem in itself. On April 5 we discovered an in-the-wild exploit for the Adobe Reader Collab.getIcon vulnerability (CVE-2009-0927, described in BID 34169). Adobe has already shipped fixed versions of Reader and Acrobat (9.1, 8.1.4 and 7.1.1), so please make sure your Reader installation is up to date. For details, see Adobe's Security Bulletin APSB09-04.

Two things about this sample are worth noting. First, the exploit is packaged with the latest Neosploit encoder. Neosploit is an exploit toolkit that some have reported to be defunct, but it has since been found to be updated fairly frequently. [1] Second, there is no public exploit for this vulnerability that I am aware of, so the attackers either wrote their own or obtained one privately. The Reader/Acrobat exploit being served targets three vulnerabilities in a single PDF: CollectEmailInfo, util.printf, and Collab.getIcon, so a victim running any one of the three unpatched versions is compromised by the same file.
The exploit is wrapped in an iteration of the Neosploit encoder; once decoded it appears as follows:
As with most current Neosploit variants, the variable names are all pseudo-random, so signatures keyed on identifiers from earlier samples will not match. Existing Symantec consumer products detect this attack as HTTP Acrobat Suspicious Executable File Download, although the detection name may be revised in the future.
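Because the same PDF chains three API-level bugs and the wrapper randomises identifiers, a practical first-pass triage is to ignore variable names entirely and look for the vulnerable Reader API calls themselves, after inflating FlateDecode streams and undoing the cheapest string-splitting tricks. The following is an added example written for this post, not Symantec's detection logic and not the in-the-wild file; the sample PDF it builds is constructed here, and the CVE identifiers in the indicator table are added for reference.

```python
"""Static triage of a PDF for JavaScript that reaches the Adobe Reader
APIs discussed above (Collab.collectEmailInfo, util.printf, Collab.getIcon).
Added example; the sample document built below is constructed, not real."""
import re
import zlib

# Vulnerable API calls to flag, with the CVE each one corresponds to.
INDICATORS = {
    "Collab.collectEmailInfo": "CVE-2007-5659",
    "util.printf": "CVE-2008-2992",
    "Collab.getIcon": "CVE-2009-0927",
}

# "stream" keyword (not the one inside "endstream") up to the matching end.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)endstream", re.DOTALL)
# Direct /Length N only; "/Length 5 0 R" (an indirect reference) is skipped.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")
CONCAT_RE = re.compile(r"""["']\s*\+\s*["']""")                 # "Col" + "lab"
BRACKET_RE = re.compile(r"""\[\s*["']([A-Za-z_]\w*)["']\s*\]""")  # obj["name"]


def iter_streams(data: bytes):
    """Yield (dictionary, decoded body) for every stream object in the file."""
    for m in STREAM_RE.finditer(data):
        dict_start = data.rfind(b"<<", 0, m.start())
        dictionary = data[dict_start:m.start()] if dict_start >= 0 else b""
        body = m.group(1)
        ln = LENGTH_RE.search(dictionary)
        if ln:  # a direct /Length is more reliable than the regex end
            body = data[m.start(1):m.start(1) + int(ln.group(1))]
        if b"/FlateDecode" in dictionary:
            d = zlib.decompressobj()
            try:
                body = d.decompress(body) + d.flush()
            except zlib.error:  # corrupt or non-zlib data: keep the raw bytes
                pass
        yield dictionary, body


def normalise_js(js: str) -> str:
    """Undo two cheap obfuscations so API names become searchable:
    string splitting ("get" + "Icon") and bracket access (Collab["getIcon"])."""
    js = CONCAT_RE.sub("", js)
    return BRACKET_RE.sub(r".\1", js)


def scan_pdf(data: bytes) -> dict:
    """Return which vulnerable API calls are reachable from the document."""
    report = {
        "has_javascript": b"/JavaScript" in data or b"/JS" in data,
        "has_open_action": b"/OpenAction" in data,
        "hits": {},
    }
    # Inspect decoded streams plus the raw file (for inline /JS (...) strings).
    blobs = [body for _, body in iter_streams(data)] + [data]
    for blob in blobs:
        text = normalise_js(blob.decode("latin-1"))
        for api, cve in INDICATORS.items():
            if api in text:
                report["hits"][api] = cve
    return report


# Constructed sample: benign JavaScript that merely references the three APIs,
# one of them split across strings the way obfuscated samples do.
SAMPLE_JS = (b'var doc = this;\n'
             b'Collab["col" + "lectEmailInfo"]({msg: "x"});\n'
             b'util.printf("%d", 1);\n'
             b'Collab.getIcon("icon");\n')


def build_sample_pdf(js: bytes = SAMPLE_JS) -> bytes:
    """Minimal PDF whose /OpenAction runs a FlateDecode-compressed script."""
    body = zlib.compress(js)
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
            b"3 0 obj << /S /JavaScript /JS 4 0 R >> endobj\n"
            b"4 0 obj << /Filter /FlateDecode /Length "
            + str(len(body)).encode() + b" >>\nstream\n"
            + body + b"\nendstream\nendobj\n"
            b"trailer << /Root 1 0 R >>\n%EOF\n")


if __name__ == "__main__":
    print(scan_pdf(build_sample_pdf()))
```

Two caveats a practitioner should keep in mind. The normalisation only strips trivial string splitting; a Neosploit-style wrapper that builds the script with unescape() and eval() will not yield the API names until that outer layer is decoded, so an empty hits list on a file that does have an /OpenAction and a /JS entry is itself a reason to look closer. And the scanner reads streams only through FlateDecode; samples that stack other filters (ASCIIHexDecode, LZWDecode) need those added before the same indicators apply.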


[1] Although some authors have reported that Neosploit is no more, updated iterations of it continue to appear on our honeypots with regularity. One such instance was discussed in Microsoft Access Snapshot Viewer Exploited in Neosploit Wrapper.





