Adobe Reader X sandbox bypassed by zero-day flaw

Russian firm reports flaw added to Blackhole Exploit Kit

Criminals have gained access to a newly discovered flaw in Adobe's Reader X program that can beat its sandboxing security isolation technology, Russian security firm Group-IB has claimed.

According to brief details posted on the company's site, the zero-day vulnerability is now circulating in new versions of the notorious Blackhole Exploit Kit, the most significant distribution system for a host of malware types, including bank Trojans such as SypeEye and Zeus.

The fact that even patched versions of Reader X will be vulnerable to the flaw explains the reported price paid for knowledge of its workings, said to $30,000 to $50,000.

"For now this flaw is distributed only in only small circles of the underground but it has the potential for much larger post-exploitation methods," noted Andrey Komarov of the Russian firm.

The malformed PDF exploitation described by Group-IB is not a perfect angle of attack and requires the user to close and re-open their browser before opening the file, a small inconvenience to undermine a protection mechanism - the sandbox - assumed until now to be a secure layer of protection. It does work without invoking Javascript, however.

First released in 2010, Reader X's sandbox was designed to tighten up the woeful security that had afflicted the program until that point. It has largely succeeded, so much so that the sandboxing has been extended to programs such as Flash Player.

What isn't clear is whether the sandbox vulnerability includes even recently-enhanced versions of the technology.

Adobe's Product Security Incident Response Team (PSIRT) has yet to respond to the flaw report.

Join the CSO newsletter!

Error: Please check your email address.

Tags Group-IBPersonal Techsecurity

More about Adobe Systems

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by John E Dunn

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place