Earlier this month, we wrote about an alleged Adobe Reader 0-day security hole discovered by Group IB security researchers that allows an attacker to jump out of the sandbox and execute shellcode with the help of malformed PDF documents. At the time, the code was apparently already selling on the black market for “approximately 30 000 – 50 000 USD.” Adobe told us it was investigating, and the story hasn’t moved forward since, until now.
While doing my usual security scavenging on the Web, I stumbled upon this video, which shows two researchers successfully getting out of Adobe Reader’s sandbox (introduced in version 10, and of course still present in the latest version 11):
The video’s description doesn’t offer much detail:
Kris and I bring to you: how to bypass the latest Adobe Reader sandboxing technology (well, as of 11.0.0) to run calc.exe! ;) The vulnerability lies in a use-after-free bug when the sandbox process communicates with the reader broker process.
As such, I pinged Adobe, thinking that the two issues may be related. It turns out they are one and the same, and this video was simply posted just a few days after the first one from Group IB. The comments suggest Kris Kaspersky simply decided to take credit for the finding after the security company released details regarding the flaw.
So, why hasn’t the hole been plugged yet? Adobe tells TNW that Group IB isn’t being very cooperative:
We are aware of the claim by Kris Kaspersky and Group IB. We have been in communication with both Kris Kaspersky and Group IB since November 8 to make a determination whether or not this is in fact a vulnerability and a sandbox bypass. To this day, we have not yet received a Proof-of-Concept/sample. Without it, there is nothing we can do, unfortunately—beyond continuing to monitor the threat landscape and working with our partners in the security community, as always. We will update you as soon as we have new information and a determination can be made.
In other words, Adobe either needs to convince Group IB to cooperate, or find the issue on its own. Time is running out.
Group IB originally claimed that the vulnerability was already included in a new custom version of the Blackhole Exploit Kit, the most popular Web threat tool for distributing various other types of malware with the help of many different types of exploits. It’s only a matter of time before the official version will soon have it.