Adobe Reader exploit fetching up to $50k in underground

Russian security researchers say they have come across a vulnerability in the latest versions of Adobe Reader that is being sold in the criminal underground.

The Moscow-based incident response firm Group-IB announced Wednesday that an exploit for the vulnerability is able to evade the built-in sandbox protection that was introduced with Adobe Reader X. The sandbox is designed to mitigate attacks against Reader by forcing the operations that render PDF files for the user to run inside a confined environment.
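The sandbox the article refers to is Adobe Reader's "Protected Mode", which is on by default since Reader X but can be switched off per user or locked by policy. The following PowerShell script is an added example (not from the article, Group-IB or Adobe) that reports the effective Protected Mode setting on a Windows host so a defender can confirm the baseline mitigation is at least enabled; the registry locations are Adobe's documented preference paths (`Privileged\bProtectedMode` for the user preference, `FeatureLockDown\bProtectedMode` for the administrative lockdown), while the list of Reader versions to inspect and the function name are assumptions for this example.

```powershell
# Added example: report whether Adobe Reader's Protected Mode sandbox is enabled.
# Registry paths are Adobe's documented preference locations; the version list
# is an assumption (Reader X = 10.0, Reader XI = 11.0).
$ReaderVersions = @('10.0', '11.0')

function Get-ReaderProtectedModeState {
    param([Parameter(Mandatory)][string]$Version)

    $userKey   = "HKCU:\Software\Adobe\Acrobat Reader\$Version\Privileged"
    $policyKey = "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\$Version\FeatureLockDown"

    # DWORD bProtectedMode: 1 = sandbox on, 0 = sandbox off. Missing values return $null.
    $userValue   = (Get-ItemProperty -Path $userKey   -Name bProtectedMode -ErrorAction SilentlyContinue).bProtectedMode
    $policyValue = (Get-ItemProperty -Path $policyKey -Name bProtectedMode -ErrorAction SilentlyContinue).bProtectedMode

    # A FeatureLockDown value overrides the per-user preference; when neither
    # value exists, Reader uses its default, which is Protected Mode on.
    if ($null -ne $policyValue) {
        $effective = [bool]$policyValue
        $source    = 'policy lockdown (HKLM)'
    } elseif ($null -ne $userValue) {
        $effective = [bool]$userValue
        $source    = 'user preference (HKCU)'
    } else {
        $effective = $true
        $source    = 'default (no value set)'
    }

    [pscustomobject]@{
        Version       = $Version
        ProtectedMode = $effective
        Source        = $source
    }
}

# Only report versions that have a per-user Reader key, i.e. that have been run on this host.
foreach ($v in $ReaderVersions) {
    if (Test-Path "HKCU:\Software\Adobe\Acrobat Reader\$v") {
        Get-ReaderProtectedModeState -Version $v
    }
}
```

A result of `ProtectedMode = False` from the `user preference` source means someone has turned the sandbox off for that account, which is worth treating as a configuration finding regardless of whether a bypass exists; setting the `FeatureLockDown` value to 1 is the documented way to prevent users from disabling it.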

Because of its ability to bypass the sandbox, this particular vulnerability is already being traded in select parts of the online black market and has a going rate of a pricey $30,000 to $50,000, researchers said. It has also been packaged into specialized versions of the popular BlackHole exploit kit.

There is some saving grace, however. Researchers said that for the payload to execute, a user must close their web browser and then restart it.

Group-IB has posted a YouTube video of a proof-of-concept exploit for the vulnerability; the news was first reported by security blogger Brian Krebs.

An Adobe representative said the company was awaiting more details before deciding how to respond.

"We saw the announcement from Group IB, but we haven't seen or received any details," Adobe spokeswoman Wiebke Lips told SCMagazine.com in an email on Wednesday evening. "Adobe PSIRT (Product Security Incident Response Team) has reached out to Group-IB, but we have not yet heard back. Without additional details, there is nothing we can do, unfortunately — beyond continuing to monitor the threat landscape and working with our partners in the security community, as always."

UPDATE: Lips tells SCMagazine.com on Thursday that Adobe has touched base with Group-IB. "We received a response from Group-IB this morning and are now in communication so we can make a determination on whether or not this is in fact a vulnerability and a sandbox bypass. I will update you as soon as we have the information we need to be able to make that determination."
