Adobe released patches for its Reader and Acrobat programs last Wednesday, but there's reason to suspect that the company has closed the barn door long after the cattle fled. According to a blog entry at the SANS Internet Storm Center, this particular vulnerability has been exploited in the wild for several weeks. In this case, hackers use malicious banner ads as a host for an infected PDF. The PDF then installs the Zonebac Trojan, which sets to work deactivating antivirus products, modifying search results, and changing banner ads.

Adobe's 8.12 update supposedly plugs the loopholes that the Zonebac delivery system exploited, but the company has declined to give any information on what, exactly, the update changed. The lack of information is disappointing (though not surprising), but Adobe's failure to address the issue in a timely manner raises questions about the firm's commitment to security. An 18-day gap between the appearance of a verified exploit and the release of a patch isn't exactly impressive, and this particular issue had been on Adobe's radar for months. iDefense Labs first reported the existence of this particular buffer overflow vulnerability in early October 2007.

The attack has raised some questions regarding the security of the PDF standard—Symantec researcher Hon Lau discusses the relevant PDF vulnerability in his blog before rhetorically asking: "With more and more of these attacks happening, how much longer will it be before people implicitly attach a higher risk association to PDF files and avoid them altogether?"

To answer his question, some of us already do. While there's not a whole lot of evidence suggesting that the PDF standard is under concerted attack, there mere existence of these exploits affects perception of them, and Adobe is doing itself no favors. Granted, we still know far, far more people who were infected via JPGs, DOCs, and the like, but this isn't Adobe's first high-profile security issue. Hon Lau covered a different cross-scripting attack that also exploited a PDF vulnerability back in January 2007. Ironically, Adobe recommended users update to Reader 8 as one way of solving the problem.

Given the file format's popularity and ubiquity, Adobe has a very strong interest in keeping PDF as secure as possible; if it fails to do so, it opens the door for competing standards such as Microsoft's XML Paper Specification (XPS). These recent attacks, in and of themselves, aren't enough to steer businesses away from a trusted format they may have been using for decades, but Adobe may need to adjust the way in which it communicates with customers and the speed with which it delivers its security patches. PDF files have been traditionally represented as safe for download or viewing, which makes the need to stay ahead of hackers—rather than nearly three weeks behind them—all the more important.