Sandbox-busting Adobe Reader zero-day bundled in Blackhole

The latest sandboxed versions of Adobe Reader are vulnerable to a zero day that has been packaged with a version of the Blackhole exploit kit, according to Russian security firm, Group-IB.

The company says an exploit, using a zero day flaw affecting Adobe Reader X and XI, overcomes the sandboxing protections Adobe began implementing in its Reader products released since 2010.

The company released a You Tube video displaying how the exploit worked.

Adobe tapped Google and Microsoft in 2009 to kickstart its sandboxing efforts for Reader, which today remains the second most targeted software, according to Kaspersky Lab’s Q3 2012 threat report.

Group IB says the zero day is being sold in “small circles of the underground” for between US$30,000 and US$50,000 and that it has been packaged with the infamous exploit kit, Blackhole, typically associated with trojan attacks on banking customers.

The company’s statement provides little detail about how the exploit overcomes Adobe’s sandboxed “Protected Mode”, which is meant to thwart exploits by presenting details in a PDF in an isolated container.

If Group IB’s discovery is confirmed and Adobe patches it, it would end the software maker’s two year run on zero real attacks against the sandboxed versions of Reader. Just last month Adobe announced it had “not seen any exploits in the wild that break out of the Adobe Reader and Acrobat X sandbox.”

Group-IB announced its find and the You Tube video before alerting Adobe to the flaw, which itself had no details about the claimed vulnerability on Wednesday.

“We have not actually received a report with details to confirm the finding,” Adobe spokesperson, Wiebke Lips told CSO.com.au.

“We saw the claim from Group IB, but we haven’t received any details. Adobe PSIRT has reached out to Group-IB. Without additional details, there is nothing we can do, unfortunately—beyond continuing to monitor the threat landscape and working with our partners in the security community, as always.”

A few hours later however Group IB US spokesperson Dan Clemente told CSO.com.au that it had advised Adobe of the flaw.

Clemente said the flaw appears to only affect Adobe Reader, adding that "yes, it was communicated to Adobe."

Group-IB’s head of international projects Andrey Komarov has said the vulnerability can only be exploited after the user closes and re-launches the browser while another variant relies on social engineering.

“Either way, the vulnerability is a very significant vector, bypassing the internal Adobe X sandbox, which is appealing for cybercrime gangs because in the past there was no documented method of how to bypass it with shellcode execution,” he said.

Follow @CSO_Australia and sign up to the CSO Australia newsletter.