Just a short blog post in follow up to the 9bplus and Xecure Lab posts on targeted attacks using the CVE-2012-0754 Flash calling malformed MP4 exploit in PDF. Adobe reports that Reader 10+ sandbox mitigates this threat, and Acrobat Reader 9.5.1 now uses the separate Flash player which was patched in February.
We've received samples of CVE-2012-0754 as early at April 20 2012 used in attacks prior to that date. Adobe's Acrobat Reader 9.5.1 was released April 10, 2012. Prior to April 10, Acrobat Reader 9.5 and earlier used a built in Flash player which was vulnerable to the CVE-2012-0754 exploit which was publicly known since February 15 2012 when it was patched in the Flash player. Attacks using the PDF version of CVE-2012-0754 may have been occurring prior to April 10, though we have no confirmation of this, and could have been successful against Acrobat Reader 9.5 at that time, we suggest that Adobe should have patched Reader for CVE-2012-0754 in February at the same time as Flash player but also applaud them for taking a big step forward to mitigate Flash in PDF threats with the removal of the built-in Flash player in Acrobat with the release of 9.5.1.
PDF Current Threats
Scan a PDF with PDFExaminer