Security Researchers Warn of New Zero-Day Adobe Reader Exploit

Datamation content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

Security experts say that a new Adobe Reader exploit has surfaced on the black market. Hackers are paying $30,000 to $50,000 for exploit kits which effectively sidestep Reader’s sandbox protections.

Computerworld’s Lucian Constantin reported, “Cybercriminals are using a new PDF exploit that bypasses the sandbox security features in Adobe Reader X and XI, in order to install banking malware on computers, according to researchers from Russian security firm Group-IB. The zero-day exploit — an exploit for a previously unknown and unpatched vulnerability — has been integrated into a privately modified version of Blackhole, a commercial Web-based attack toolkit, the Group-IB researchers announced Wednesday.”

According to SC Magazine’s Dan Kaplan, “Because of its ability to bypass the sandbox, this particular vulnerability already is being traded in select parts of the online black market and has a going rate of a pricey $30,000 to $50,000, researchers said.”

The Register quoted Group-IB’s Andrey Komarov, who said, “The vulnerability has some limitations, for example it could be successfully exploited only after the user will close the browser and restart it. Another variant is to organize interaction between the victim and the malformed PDF document. Either way, the vulnerability is a very significant vector to be spread with bypassing of internal Adobe X sandbox, which is appealing for cybercrime gangs because in the past there was no documented method of how to bypass it with shellcode execution.”

In the Krebs on Security blog, Brian Krebs wrote, “Adobe spokeswoman Wiebke Lips said the company was not contacted by Group-IB, and is unable to verify their claims, given the limited amount of information currently available. ‘Adobe will reach out to Group-IB,’ Lips said. ‘But without additional details, there is nothing we can do, unfortunately— beyond continuing to monitor the threat landscape and working with our partners in the security community, as always.'”