Interesting. I didn’t notice where it mentioned adobe reader. So did they use one exploit to get to another?
Yes.
Here’s an analysis of the Adobe exploit:
http://isc.sans.org/diary.html?storyid=7867
BTW — I detest Javascript for this reason. I wish it had never been invented, along with ActiveX. Two huge gaping holes in browser security right there.
BTW2: I’ve been out of the day-to-day security loop for at least seven years now, but IMO, this attack has all the hallmarks of a pro operation. This wasn’t a bunch of kids out for goofs and grins and “l33t warez” — this was an engineered & co-ordinated attack, by serious people.