Russian security firm Group-IB has found a zero-day flaw in Adobe Reader that bypasses the program's sandbox protection. Currently selling on the black market for $30,000 to $50,000, the exploit lets attackers sidestep the application's "Protected Mode," which Adobe added in 2010 to limit what a malicious PDF can do and access once it is opened. Until now, that sandbox had been effective at containing arbitrary-code exploits delivered through malicious PDFs.
Naturally, once the sandbox is defeated, an attacker has far greater freedom to act on the victim's machine. Group-IB specifically notes that it has seen the vulnerability used alongside a modified version of the Blackhole exploit kit, which is used to distribute banking Trojans such as Zeus, SpyEye, Carberp and Citadel. However, since the exploit is being sold among cybercriminals, other attackers could be pairing the flaw with different malware.
"Either way, the vulnerability has a very significant vector to be spread with bypassing of the internal Adobe X sandbox, which is appealing for cybercrime gangs because in the past there was no documented method of bypassing it with shellcode execution," Group-IB said. Adobe's Product Security Incident Response Team has been made aware of the bug, but the company hasn't said when a fix might be made available. Given the severity of the vulnerability, it wouldn't be surprising if Adobe released a prompt out-of-band update.