Just one day after Adobe patched flaws in its Flash Player software for Windows, OS X, Linux, and Android, Group IB security researchers claim to have discovered a 0-day security hole in Adobe Reader X which can execute shellcode with the help of malformed PDF-documents using specially crafted forms. Furthermore, the vulnerability code is already on sale on the black market for “approximately 30 000 – 50 000 USD” although it’s apparently only being distributed in “small circles of the underground.” For its part, Adobe says it is investigating.
Here’s the proof of concept (reportedly limited to Windows):
Andrey Komarov, the Head of International Projects Department of Group-IB, explains that the big deal is because the vulnerability allows you to jump out of the sandbox, which was first introduced in Adobe Reader X:
The vulnerability has some limitations, for example it could be successfully exploited only after the user will close the browser and restart it. Another variant is to organize interaction between the victim and the malformed PDF-document. Either way, the vulnerability is has very significant vector to be spread with bypassing of internal Adobe X sandbox, which is appealing for cybercrime gangs because in the past there was no documented method of how to bypass it with shellcode execution.
In other words, on its own it doesn’t amount to much. That being said, if this flaw is chained together with another one, and we all know problematic Adobe’s products have been in recent years when it comes to security, it won’t be pretty.
In fact, Group IB claims the vulnerability is already included in a new custom version of the Blackhole Exploit Kit, the most popular Web threat tool for distributing various other types of malware with the help of many different types of exploits. The official version, however, doesn’t have it, but it will soon, according to Brian Krebs:
Contacted via instant message, the author of the Black Hole exploit kit said today that he also had confirmed the existence of a private Adobe Reader exploit that was being sold in closed circles. He noted that although his kit currently does not include the exploit, he is hoping to acquire it and add it soon.
The thought of this alone makes me want to recommend that you avoid using Adobe Reader unless you absolutely have to (I personally use Foxit). At the very least, use an alternative until Adobe gets to the bottom of this.
Unfortunately, the company says it was not contacted by Group-IB and thus is unable to verify whether this 0-day exists. An Adobe spokesperson told The Next Web:
We saw the announcement from Group IB, but we haven’t seen or received any details. Adobe PSIRT has reached out to Group-IB. Without additional details, there is nothing we can do, unfortunately, beyond continuing to monitor the threat landscape and working with our partners in the security community, as always.
Now we wait.
Image credit: Robert Linder