The advice is timely, as noted bug researcher and exploit maker HD Moore confirmed that an exploit would be published to the open-source Metasploit penetration testing framework within a day or two.
But if Moore's preliminary work is any indication, attack code will go public long before then. “It is a little tricky to make reliable, but we are on track and should have a Metasploit update ready within a day or two at the latest,” Moore said, referring to the probable release of an exploit module for the testing framework. Moore obtained a sample of the malicious PDF document being used to exploit the bug only this morning.
Moore also defended Metasploit's practice of providing working exploit code to anyone, including hackers. “Since the bug is 1) public and 2) widely exploited, we feel that adding an exploit module is the right thing to do, as it provides a safe way for folks to verify that their mitigation efforts actually work,” said Moore.
Adobe will release its own in-lieu-of-patch recommendations later today, said Brad Arkin, Adobe's director for product security and privacy, in a direct tweet to Computerworld. “Full advisory coming later today with mitigation details,” Arkin said around 3 p.m. Eastern. “Team is pulling that info together now.”
Earlier today, Arkin told IDG News Service reporter Bob McMillan that the exploit targeted Windows users only. “It may trigger a crash on other platforms, but not an exploit,” Arkin said in a direct tweet to McMillan.
Adobe Reader and Acrobat run on Windows, Mac OS X and Linux.