Alleged zero day first to bust Adobe's Reader sandbox

Summary: Adobe's sandbox, which it introduced in Reader X, may have finally been defeated, with a zero day reportedly on sale on underground markets for as much as US$50,000.

Russian cybercrime investigation firm Group-IB claims to have discovered a zero-day vulnerability that bypasses Adobe's as-yet-unbroken sandbox protections in Reader X and XI.

Group-IB head of International Projects Department Andrey Komarov said that the necessary code to exploit the vulnerability has been included in a modified version of the popular Blackhole exploit kit, and that it has been sighted for sale within small underground hacking communities for between US$30,000 and US$50,000.

The group has posted a YouTube video demonstrating the vulnerability on a fully patched version of Reader XI.

Although Reader has been the target of several attacks, Adobe appears to have struck on a winning security approach: using a sandbox to isolate attacks and stop them from taking control of the underlying operating system. Since Reader X's release, it has enjoyed an untarnished record where the sandbox is enabled, and users have only suffered from vulnerabilities because they refuse to update for their own safety.

However, if Group-IB's claims are true, this latest vulnerability will change all of that, reopening Reader to attack.

Komarov said that criminals will jump at this chance, as "in the past, there was no documented method of how to bypass it with shellcode execution."

ZDNet contacted Adobe for comment, but did not receive a response at the time of writing.

The allegations of a new zero day come as Adobe moves to align its patching cycles with Microsoft's "Patch Tuesday" schedule, which some have called long overdue. However, the company has been holding its customers' hands a little tighter in recent times, providing more specific advice to users and administrators as to when and why they should patch.

Topics: Security, Malware

About

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.
