Alleged zero day first to bust Adobe's Reader sandbox

Adobe's sandbox, which it introduced in Reader X, may have have finally been defeated, with a zero day reportedly on sale on underground markets for as much as US$50,000.
Written by Michael Lee, Contributor

Russian cybercrime investigation firm Group-IB claims to have discovered a zero-day vulnerability that bypasses Adobe's as-yet-unbroken sandbox protections in Reader X and XI.

Group-IB head of International Projects Department Andrey Komarov said that the necessary code to exploit the vulnerability has been included in a modified version of the popular Blackhole exploit kit, and that it has been sighted for sale within small underground hacking communities for between US$30,000 and US$50,000.

The group has posted a YouTube video demonstrating the vulnerability on a fully patched version of Reader XI.

Although Reader has been the target of several attacks, it appears to have struck on a winning security combination of using sandboxes to isolate attacks to stop them from taking control of the underlying operating system. Since Reader X's release, it has enjoyed an untarnished record where the sandbox is enabled and users have only suffered from vulnerabilities because they refuse to update for their own safety.

However, if Group-IB's claims are true, this latest vulnerability will change all of that, reopening Reader to attack.

Komarov made the remark that criminals will jump at this chance, as "in the past, there was no documented method of how to bypass it with shellcode execution."

ZDNet contacted Adobe for comment, but did not receive a response at the time of writing.

The allegations of a new zero day come as Adobe moves to align its patching cycles with Microsoft's "Patch Tuesday" schedule, which some have called long overdue. However, the company has been holding its customers' hands a little tighter in recent times, providing more specific advice to users and administrators as to when and why they should patch.

Editorial standards