Adobe Reader exploit fetching up to $50k in underground

Russian security researchers say they have come across a vulnerability in the latest versions of Adobe Reader that is being sold in the criminal underground.

The Moscow-based incident response firm Group-IB announced Wednesday that the vulnerability can evade the built-in sandbox protection introduced with Adobe Reader X. That sandbox is designed to mitigate attacks against Reader by forcing the operations that render PDF files for the user to run inside a confined environment.

Because of its ability to bypass the sandbox, this particular vulnerability is already being traded in select parts of the online black market, at a pricey going rate of $30,000 to $50,000, researchers said. It has also been packaged into specialized versions of the popular BlackHole exploit kit.

There is some saving grace, however. Researchers said that for the payload to execute, a user must close their web browser and then restart it.

Group-IB has posted a video on YouTube of a proof-of-concept exploit that takes advantage of the vulnerability. The news was first reported by security blogger Brian Krebs.

An Adobe representative said the company was awaiting more details before deciding how to respond.

"We saw the announcement from Group IB, but we haven't seen or received any details," Adobe spokeswoman Wiebke Lips told SCMagazine.com in an email on Wednesday evening. "Adobe PSIRT (Product Security Incident Response Team) has reached out to Group-IB, but we have not yet heard back. Without additional details, there is nothing we can do, unfortunately — beyond continuing to monitor the threat landscape and working with our partners in the security community, as always."

UPDATE: Lips tells SCMagazine.com on Thursday that Adobe has touched base with Group-IB. "We received a response from Group-IB this morning and are now in communication so we can make a determination on whether or not this is in fact a vulnerability and a sandbox bypass. I will update you as soon as we have the information we need to be able to make that determination."
