Do you ever feel sorry for Adobe? I mean, yeah, it is hard to feel sorry for a multi-billion dollar corporation that likes to use closed standards and charge us for the privilege. But still, you have to feel for them; two of their products, Flash and Reader, are two of the most exploited programs out there. Indeed we have seen Flash vulnerabilities and now it is Reader’s turn.
A couple of years back Adobe introduced a new “sandbox” feature in Reader X to prevent vulnerabilities in Adobe Reader from affecting the rest of the system. The idea behind this sandbox was to limit the access scumbags could gain to your computer through Reader vulnerabilities or malicious PDF files. You know, sort of what like Sandboxie does. For the most part, this sandbox worked fairly well… until now.
Russian security firm Group-IB has announced the discovery of a vulnerability in Adobe Reader (the latest version and presumably all versions that have this sandboxing feature) on Windows that allows hackers to bypass Reader’s sandbox and gain access to your system, which can then be used to install malware on your computer. This malware can range from making your computer a botnet or for the purposes of stealing your bank account information (and thus your money) or whatever the hell the scumbags want to do.
The following video is a five minute demo of vulnerability:
According to Group IB, the vulnerability is being sold for $30,000-$50,000 to whomever has the money to buy. Fortunately, Group IB points out that the vulnerability is currently only circulating in “small circles of the underground” but can obviously be used to cause more havoc. In fact, the vulnerability has already been incorporated into Blackhole Exploit Kit, an underground toolkit of bank trojans and malware.
All isn’t lost, however. According to Andrey Komarov, the Head of International Projects Department of Group-IB, the vulnerability does have its limits…
The vulnerability has some limitations, for example it could be successfully exploited only after the user will close the browser and restart it. Another variant is to organize interaction between the victim and the malformed PDF-document.
…but unfortunately even with the limits the vulnerability is still significant:
Either way, the vulnerability is has very significant vector to be spread with bypassing of internal Adobe X sandbox, which is appealing for cybercrime gangs because in the past there was no documented method of how to bypass it with shellcode execution.
For its part, Adobe has issued a statement recognizing the allegations but has said that Adobe has not received any concrete information about the exploit and thus cannot issue any patch, yet:
We saw the announcement from Group IB, but we haven’t seen or received any details. Adobe PSIRT (Product Security Incident Response Team) has reached out to Group-IB, but we have not yet heard back. Without additional details, there is nothing we can do, unfortunately – beyond continuing to monitor the threat landscape and working with our partners in the security community, as always.
It isn’t clear exactly when Adobe will be able to identify the vulnerability and issue a fix. In the meantime, to keep yourself protected you can either ditch Adobe for the competition (there are plenty of free PDF readers you can use, such as Sumatra PDF Reader) or simply avoid opening PDF files you don’t recognize.