But Shadowserver is not taking credit for the original discovery of this exploit; in fact, in its blog post yesterday, it stated it had reason to believe Adobe had already been warned. "We want to make it clear that we did not discover this vulnerability and are only posting this information to make sure others are aware and can adequately protect themselves...We believe Adobe is aware of this issue and actively working to address it," the group's Steven Adair wrote. "However, we felt it was necessary to release this information to let people know how to mitigate against the attacks as they can be devastating."
The group is crediting security researcher Matt Richard with providing it with a sample of the malicious code, and giving it reason to believe targeted attacks using that code are currently ongoing. Last year, Richard was credited as directing the rapid response team for VeriSign's iDefense laboratories.
VeriSign's stated policy for iDefense says, "With more than 250 security researchers worldwide, VeriSign discovers original vulnerabilities and notifies our customers before making our research public." But while Shadowserver indicates that Adobe was already aware of the problem, iDefense has not issued a new bulletin on any subject in the past two weeks.
Richard -- whom Shadowserver's Adair identifies only as "a good friend" -- was not credited as working with iDefense or VeriSign. An excerpt from his message to the group reads, "Testing of the exploit with XP SP3 using Adobe Reader 8.1.1, 8.1.2, 8.1.3 and 9.0.0 shows that the vulnerability results in code execution on all of them. There may be cases where Adobe Reader crashes without code execution, especially on systems with more physical memory and faster processors. This is likely due to the race condition needed to populate the heap before certain data structures are parsed by Reader."
Adobe's security advisory this morning credits no one with this latest discovery, and tells customers that a patch for these versions of Adobe Reader and Adobe Acrobat will be available by March 11.