Adobe Reader X sandbox bypassed by zero-day flaw

Russian firm reports flaw added to Blackhole Exploit Kit

Criminals have gained access to a newly discovered flaw in Adobe's Reader X program that can beat its sandboxing security isolation technology, Russian security firm Group-IB has claimed.

According to brief details posted on the company's site, the zero-day vulnerability is now circulating in new versions of the notorious Blackhole Exploit Kit, the most significant distribution system for a host of malware types, including bank Trojans such as SypeEye and Zeus.

The fact that even patched versions of Reader X will be vulnerable to the flaw explains the reported price paid for knowledge of its workings, said to $30,000 to $50,000.

"For now this flaw is distributed only in only small circles of the underground but it has the potential for much larger post-exploitation methods," noted Andrey Komarov of the Russian firm.

The malformed PDF exploitation described by Group-IB is not a perfect angle of attack and requires the user to close and re-open their browser before opening the file, a small inconvenience to undermine a protection mechanism - the sandbox - assumed until now to be a secure layer of protection. It does work without invoking Javascript, however.

First released in 2010, Reader X's sandbox was designed to tighten up the woeful security that had afflicted the program until that point. It has largely succeeded, so much so that the sandboxing has been extended to programs such as Flash Player.

What isn't clear is whether the sandbox vulnerability includes even recently-enhanced versions of the technology.

Adobe's Product Security Incident Response Team (PSIRT) has yet to respond to the flaw report.

Tags: Personal Tech, Group-IB, security

While Heartbleed distracts, hackers hit US universities

READ THIS ARTICLE
DO NOT SHOW THIS BOX AGAIN [ x ]
Comments are now closed.
CSO Corporate Partners
  • Webroot
  • Trend Micro
  • NetIQ
rhs_login_lockGet exclusive access to CSO, invitation only events, reports & analysis.
CSO Directory

Security That Fits

Improve the effectiveness of your security or get unique network threat discovery and remediation

Latest Jobs
Security Awareness Tip

Incident handling is a vast topic, but here are a few tips for you to consider in your incident response. I hope you never have to use them, but the odds are at some point you will and I hope being ready saves you pain (or your job!).


  1. Have an incident response plan.

  2. Pre-define your incident response team 

  3. Define your approach: watch and learn or contain and recover.

  4. Pre-distribute call cards.

  5. Forensic and incident response data capture.

  6. Get your users on-side.

  7. Know how to report crimes and engage law enforcement. 

  8. Practice makes perfect.

For the full breakdown on this article

Security ABC Guides

Warning: Tips for secure mobile holiday shopping

I’m dating myself, but I remember when holiday shopping involved pouring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.