Adobe Reader exploit fetching up to $50k in underground


Russian security researchers say they have come across a vulnerability in the latest versions of Adobe Reader that is being sold in the criminal underground.

The Moscow-based incident response firm Group-IB announced Wednesday that the vulnerability can be used to evade the built-in sandbox protection introduced with Adobe Reader X. The sandbox is designed to mitigate attacks against Reader by forcing the operations that render PDF files for the user to run inside a confined environment.

Because of its ability to bypass the sandbox, this particular vulnerability is already being traded in select parts of the online black market at a pricey going rate of $30,000 to $50,000, researchers said. It has also been packaged into specialized versions of the popular BlackHole exploit kit.

There is some saving grace, however. Researchers said that for the payload to execute, a user must close their web browser and then restart it.

Group-IB has posted a YouTube video of a proof-of-concept exploit that takes advantage of the vulnerability; the news was first reported by security blogger Brian Krebs.

An Adobe representative said the company was awaiting more details before deciding how to respond.

"We saw the announcement from Group IB, but we haven't seen or received any details," Adobe spokeswoman Wiebke Lips said in an email on Wednesday evening. "Adobe PSIRT (Product Security Incident Response Team) has reached out to Group-IB, but we have not yet heard back. Without additional details, there is nothing we can do, unfortunately — beyond continuing to monitor the threat landscape and working with our partners in the security community, as always."

UPDATE: Lips said on Thursday that Adobe has touched base with Group-IB. "We received a response from Group-IB this morning and are now in communication so we can make a determination on whether or not this is in fact a vulnerability and a sandbox bypass. I will update you as soon as we have the information we need to be able to make that determination."
