Exploit bypasses Adobe Reader's sandbox, being sold for $30-50k

Matthew DeCarlo


Russian security firm Group-IB has found a zero-day flaw in Adobe Reader that bypasses the program's sandbox protection. Currently available on the black market for $30,000 to $50,000, the exploit allows attackers to sidestep the application's "Protected Mode," which was added in 2010 as a method of limiting what malicious files can do and access. Until now, this has been effective at blocking arbitrary code execution exploits delivered through PDF files.

Naturally, once the sandbox is defeated, an attacker has greater freedom to pull other shenanigans. Group-IB specifically notes that it has seen the vulnerability used alongside a modified version of the "Blackhole Exploit-Kit," which is used to distribute banking Trojans such as Zeus, Spyeye, Carberp and Citadel. However, given that it's being sold among cybercriminals, attackers could be using the flaw with other malicious software.

On the bright side, there are some limitations to the flaw, which is present in Adobe Reader X and XI. For starters, Group-IB says the exploit can be used to target Reader through Internet Explorer and Firefox, but not Chrome, due to additional security measures. Additionally, the exploit only works when users close and restart their browser after loading a malicious PDF, as demonstrated in the YouTube video below. Less comfortingly, Group-IB notes that the new exploit works even if JavaScript support is disabled in Adobe Reader.

"Either way, the vulnerability has a very significant vector to be spread with bypassing of internal Adobe X sandbox, which is appealing for cybercrime gangs because in the past there was no documented method of how to bypass it with shellcode execution," Group-IB said. Adobe's Product Security Incident Response Team has been made aware of the bug, but the company hasn't said when a fix might be made available. Given the nature of the vulnerability, it wouldn't be surprising if Adobe released a prompt out-of-band update.
