November 24, 2010 – Update:
Looking for other exploitation attempts, I found a Malwaretracker sample where the PDF seems to be spread via a URL that contains: filepdf.php@v=zday
The following analysis reports the objects used within this PDF (which is different from the Full Disclosure PDF):
November 22, 2010 – Update:
Some interesting (and useful) notes about the original PDF PoC published on the Full Disclosure mailing list:
Who’s looking for eggs in your PDF?
November 19, 2010:
This is my latest result. It seems that with a crafted PDF, as explained by Haifei Li in his paper (see previous posts for reference), the code flow looks like it could be hijacked. At least I have this impression from the debugger response, as you can see in this screenshot:
Feedback and suggestions are welcome. Some notes: this is only an attempt to better understand this issue. Mistakes on my part at this stage are very likely.