Follow Us

We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

Adobe Reader X sandbox bypassed by zero-day flaw

Russian firm reports flaw added to Blackhole Exploit Kit

Article comments

Criminals have gained access to a newly discovered flaw in Adobe’s Reader X program that can beat its sandboxing security isolation technology, Russian security firm Group-IB has claimed.

According to brief details posted on the company’s site, the zero-day vulnerability is now circulating in new versions of the notorious Blackhole Exploit Kit, the most significant distribution system for a host of malware types, including bank Trojans such as SypeEye and Zeus.

The fact that even patched versions of Reader X will be vulnerable to the flaw explains the reported price paid for knowledge of its workings, said to $30,000 to $50,000.

“For now this flaw is distributed only in only small circles of the underground but it has the potential for much larger post-exploitation methods,” noted Andrey Komarov of the Russian firm.

The malformed PDF exploitation described by Group-IB is not a perfect angle of attack and requires the user to close and re-open their browser before opening the file, a small inconvenience to undermine a protection mechanism – the sandbox – assumed until now to be a secure layer of protection. It does work without invoking Javascript, however.

First released in 2010, Reader X’s sandbox was designed to tighten up the woeful security that had afflicted the program until that point. It has largely succeeded, so much so that the sandboxing has been extended to programs such as Flash Player.

What isn’t clear is whether the sandbox vulnerability includes even recently-enhanced versions of the technology.

Adobe's Product Security Incident Response Team (PSIRT) has yet to respond to the flaw report.



Share:

More from Techworld

More relevant IT news

Comments



Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

Choose – and Choose Wisely – the Right MSP for Your SMB

End users need a technology partner that provides transparency, enables productivity, delivers...

Download Whitepaper

10 Effective Habits of Indispensable IT Departments

It’s no secret that responsibilities are growing while budgets continue to shrink. Download this...

Download Whitepaper

Gartner Magic Quadrant for Enterprise Information Archiving

Enterprise information archiving is contributing to organisational needs for e-discovery and...

Download Whitepaper

Advancing the state of virtualised backups

Dell Software’s vRanger is a veteran of the virtualisation specific backup market. It was the...

Download Whitepaper

Techworld UK - Technology - Business

Innovation, productivity, agility and profit

Watch this on demand webinar which explores IT innovation, managed print services and business agility.

Techworld Mobile Site

Access Techworld's content on the move

Get the latest news, product reviews and downloads on your mobile device with Techworld's mobile site.

Find out more...

From Wow to How : Making mobile and cloud work for you

On demand Biztech Briefing - Learn how to effectively deliver mobile work styles and cloud services together.

Watch now...

Site Map

* *