Security firm McAfee said it has spotted a vulnerability in the latest version of Adobe Reader that would allow someone to track a PDF document.
The flaw, which is being exploited in the wild, affects all versions of Reader, including the most recent, 11.0.2. While the hole does not enable remote code execution – the most serious outcome a vulnerability can have – it can permit a sender "to see when and where the PDF is opened," McAfee researcher Haifei Li wrote in a Friday blog post.
And researchers haven't ruled out whether the flaw is being used as part of an advanced persistent threat (APT)-style attack.
"Is this a serious problem?" Li wrote. "No, we don't want to overvalue the issue. However, we do consider this issue a security vulnerability. Considering this, we have reported the issue to Adobe and we are waiting for their confirmation and a future patch."
Li said McAfee is aware of the issue being actively leveraged. It has spotted a number of PDF samples sent by an email tracking service provider. Researchers, however, are unsure if this was done with malicious intentions.
But the vulnerability, which is able to bypass built-in Reader sandbox protection, could be used in such a way, namely for an APT, Li said.
"An APT attack usually consists of several sophisticated steps," Li wrote. "The first step is often collecting information from the victim; this issue opens the door. Malicious senders could exploit this vulnerability to collect sensitive information such as IP address, internet service provider, or even the victim's computing routine. In addition, our analysis suggests that more information could be collected by calling various PDF JavaScript APIs. For example, the document's location on the system could be obtained by calling the JavaScript 'this.path' value."
An Adobe spokeswoman told SCMagazine.com on Monday that the company is aware of the issue and is investigating.