"Analysis shows that malicious PDF documents invoke a function call to Doc.printSeps() to take advantage of the vulnerability. Proof of concept code plants shell code in memory using heap spraying to exploit the vulnerability." said Websense, which first reported the flaw to Adobe.
According to vulnerability research firm Vupen Security, which first publicly disclosed the critical vulnerability, attackers could exploit the flaw "to crash an affected application or compromise a vulnerable system by tricking a user into opening a specially crafted PDF file."
Vupen said it confirmed the vulnerability affects Adobe Reader version 9.4 running on either Windows 7 or Windows XP SP3. In addition, it said Reader version 8.2.5 (and prior), Adobe Acrobat version 9.4 (and prior) and Adobe Acrobat version 8.2.5 (and prior) are also affected.
Adobe acknowledged a "potential" vulnerability and said that "arbitrary code execution has not been demonstrated, but may be possible." It also said that while Reader was affected, Acrobat was not.
Websense said that, to date, no attacks using the exploit have been seen in the wild.
Adobe is set to release patched versions of Adobe Reader and Acrobat versions 9.x the week of Nov. 15.