Sandbox-busting Adobe Reader zero-day bundled in Blackhole

The latest sandboxed versions of Adobe Reader are vulnerable to a zero-day that has been packaged with a version of the Blackhole exploit kit, according to Russian security firm Group-IB.

The company says an exploit for a zero-day flaw affecting Adobe Reader X and XI defeats the sandboxing protections Adobe has been building into Reader since 2010.

The company released a YouTube video showing the exploit in action.

Adobe enlisted Google and Microsoft in 2009 to kick-start its sandboxing efforts for Reader, which today remains the second most targeted piece of software, according to Kaspersky Lab's Q3 2012 threat report.

Group-IB says the zero-day is being sold in "small circles of the underground" for between US$30,000 and US$50,000, and that it has been packaged with the infamous Blackhole exploit kit, typically associated with banking trojan attacks.

The company's statement provides little detail about how the exploit escapes Adobe's sandboxed "Protected Mode", which is designed to blunt exploits by parsing and rendering PDF content inside an isolated, low-privilege process, so that code running there cannot freely write to the file system or registry.
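Because an exploit of this kind is only meaningful against a sandboxed Reader, the first thing a practitioner would want to know is whether Protected Mode is actually switched on across a Windows fleet. The following PowerShell script is an added example and not code from the article or from Adobe or Group-IB. It assumes the per-user Reader setting lives at `HKCU:\Software\Adobe\Acrobat Reader\<version>\Privileged` in a DWORD named `bProtectedMode` (0 = off, 1 = on), and that an administrator can enforce it through `HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\<version>\FeatureLockDown`; both paths are assumptions to verify against Adobe's preference reference for the version deployed.

```powershell
# Added example: report whether Adobe Reader's Protected Mode sandbox is enabled
# for the current user, and whether a machine-wide policy enforces it.
# Registry paths and value name (bProtectedMode) are assumptions; confirm them
# against Adobe's preference reference for your Reader version.

$versions = @('10.0', '11.0')   # Reader X and XI, the versions named in the article

function Get-ReaderProtectedModeState {
    param([string]$Version)

    $userKey   = "HKCU:\Software\Adobe\Acrobat Reader\$Version\Privileged"
    $policyKey = "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\$Version\FeatureLockDown"

    $userValue   = (Get-ItemProperty -Path $userKey   -Name bProtectedMode -ErrorAction SilentlyContinue).bProtectedMode
    $policyValue = (Get-ItemProperty -Path $policyKey -Name bProtectedMode -ErrorAction SilentlyContinue).bProtectedMode

    # Assumption: when the user value is absent, Reader X/XI defaults to Protected Mode on.
    $effective = if ($null -ne $policyValue) { $policyValue }
                 elseif ($null -ne $userValue) { $userValue }
                 else { 1 }

    [pscustomobject]@{
        Version        = $Version
        UserSetting    = $userValue
        PolicySetting  = $policyValue
        ProtectedMode  = [bool]$effective
        EnforcedByGPO  = ($null -ne $policyValue)
    }
}

$report = foreach ($v in $versions) { Get-ReaderProtectedModeState -Version $v }
$report | Format-Table -AutoSize

# Flag hosts where the sandbox is off: these are exposed to ordinary Reader exploits,
# not just the sandbox-escape described in the article.
$report | Where-Object { -not $_.ProtectedMode } | ForEach-Object {
    Write-Warning "Reader $($_.Version): Protected Mode is DISABLED on $env:COMPUTERNAME"
}
```

Even where Protected Mode is on, it only limits what a successful exploit can do after the fact; keeping Reader patched and blocking Blackhole's delivery paths (malicious redirects and drive-by PDFs) remain the primary controls, since a genuine sandbox escape, if confirmed, would remove the mitigation this script checks for.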

If Group-IB's discovery is confirmed and Adobe patches it, it would end the software maker's two-year run without any real-world attacks against the sandboxed versions of Reader. Just last month Adobe announced it had "not seen any exploits in the wild that break out of the Adobe Reader and Acrobat X sandbox."

Group-IB announced its find and posted the YouTube video before alerting Adobe to the flaw, and on Wednesday Adobe itself had no details about the claimed vulnerability.

"We have not actually received a report with details to confirm the finding," Adobe spokesperson Wiebke Lips told CSO.com.au.

“We saw the claim from Group IB, but we haven’t received any details. Adobe PSIRT has reached out to Group-IB. Without additional details, there is nothing we can do, unfortunately—beyond continuing to monitor the threat landscape and working with our partners in the security community, as always.”

A few hours later, however, Group-IB US spokesperson Dan Clemente told CSO.com.au that the company had advised Adobe of the flaw.

Clemente said the flaw appears to only affect Adobe Reader, adding that "yes, it was communicated to Adobe."

Group-IB's head of international projects, Andrey Komarov, has said the vulnerability can only be exploited after the user closes and re-launches the browser, while another variant relies on social engineering.

“Either way, the vulnerability is a very significant vector, bypassing the internal Adobe X sandbox, which is appealing for cybercrime gangs because in the past there was no documented method of how to bypass it with shellcode execution,” he said.
