Computerworld reports that Adobe and Foxit Software are looking into attacks that use a new tactic that embeds attack code in modified PDF documents.
Attacks on PDF readers are nothing new. However, Belgium security researcher Didier Stevens has demonstrated an attack that does not require an underlying vulnerability in either program to hijack a machine; attackers need only to trick users into opening the PDF document.
Stevens says Abobe can't patch this:
Patching Adobe Reader isn't possible ... [as] I'm not exploiting a vulnerability, just being creative with the PDF language specs.
Adobe has not committed to making a change in its Reader, but Foxit says it will issue an updated Reader tomorrow, although it has not offered specifics about what it would do.