Update: After analyzing the payload downloaded by the in-the-wild sample provided by @snowfl0w, I can report that Sophos detects the payload as Troj/Agent-OOH. Kaspersky is reporting that payloads have been seen that are digitally signed using a legitimate software-signing certificate, similar to Stuxnet.
Adobe’s Acrobat and Reader products are once again in the spotlight for a new vulnerability disclosed by @snowfl0w at the contagio malware dump blog.
There is one big difference between this vulnerability and others recently patched in Reader. The last few advisories were actually for flaws in Adobe Flash, and you could disable the ability to render Flash content in Reader to mitigate those flaws.
Adobe’s advisory does not contain any mitigation steps, which implies that none are known to work. They have classified the bug as “critical”, and I would be surprised if they did not release an out-of-band fix for something this dangerous.
To provide you with some context as to how it would look if you were to receive and launch one of these PDFs, I put together a quick YouTube video demonstrating how it works.
The best protection at the moment is to be sure your anti-malware vendor has provided protection against the known samples, and to scan all incoming email and web content for PDFs exhibiting malicious characteristics. Sophos has published protection for our customers as Troj/PDFJs-ME.
I will post updates regarding patches and other information as it becomes available.