Security Experts:

New Vulnerability in Adobe Reader Discovered

Researchers at Group-IB have discovered a new vulnerability in Adobe Reader that is being sold on criminal forums. The moderate price, $30,000 - $50,000, likely reflects some of the limitations the vulnerability has to cope with.

According to Group-IB’s initial disclosure, the vulnerability is being sold to a limited circle of criminals, and has already been added to custom versions of the Blackhole Exploit Kit.

“The vulnerability has some limitations, for example it could be successfully exploited only after the user will close the browser and restart it. Another variant is to organize interaction between the victim and the malformed PDF-document,” explained Andrey Komarov, the Head of International Projects Department of Group-IB

“Either way, the vulnerability is has very significant vector to be spread with bypassing of internal Adobe X sandbox, which is appealing for cybercrime gangs because in the past there was no documented method of how to bypass it with shellcode execution.”

A video showing the vulnerability in action can be seen below.

Adobe is aware of the vulnerability, thanks to members of the media bringing it to their attention, but the company hasn’t outlined any plans for a fix, and they’ve made no further comment on the issue.

“Right now, this exploit isn’t a wide-spread threat to most consumers; however, it could be a concern to large organizations and government agencies that are susceptible to highly targeted attacks that frequently use exclusive 0day exploits,” said Rapid7’s Marcus Carey.

Just yesterday, Adobe pushed a number of patches for Flash Player.

According to a recent report from Kaspersky Lab, after Java, software from Adobe is still a major target for criminals. Kaspersky’s Q3 2012 Threat Report shows that nearly 30% of all third-party exploits target Adobe software.

The upside to all of this is that Adobe has gotten better at releasing patches, and the window of opportunity for new flaws has started to shrink thanks to their efforts.

view counter
Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.