Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

New Vulnerability in Adobe Reader Discovered

Researchers at Group-IB have discovered a new vulnerability in Adobe Reader that is being sold on criminal forums. The moderate price, $30,000 – $50,000, likely reflects some of the limitations the vulnerability has to cope with.

According to Group-IB’s initial disclosure, the vulnerability is being sold to a limited circle of criminals, and has already been added to custom versions of the Blackhole Exploit Kit.

Researchers at Group-IB have discovered a new vulnerability in Adobe Reader that is being sold on criminal forums. The moderate price, $30,000 – $50,000, likely reflects some of the limitations the vulnerability has to cope with.

According to Group-IB’s initial disclosure, the vulnerability is being sold to a limited circle of criminals, and has already been added to custom versions of the Blackhole Exploit Kit.

“The vulnerability has some limitations, for example it could be successfully exploited only after the user will close the browser and restart it. Another variant is to organize interaction between the victim and the malformed PDF-document,” explained Andrey Komarov, the Head of International Projects Department of Group-IB

“Either way, the vulnerability is has very significant vector to be spread with bypassing of internal Adobe X sandbox, which is appealing for cybercrime gangs because in the past there was no documented method of how to bypass it with shellcode execution.”

A video showing the vulnerability in action can be seen below.

Adobe is aware of the vulnerability, thanks to members of the media bringing it to their attention, but the company hasn’t outlined any plans for a fix, and they’ve made no further comment on the issue.

“Right now, this exploit isn’t a wide-spread threat to most consumers; however, it could be a concern to large organizations and government agencies that are susceptible to highly targeted attacks that frequently use exclusive 0day exploits,” said Rapid7’s Marcus Carey.

Just yesterday, Adobe pushed a number of patches for Flash Player.

According to a recent report from Kaspersky Lab, after Java, software from Adobe is still a major target for criminals. Kaspersky’s Q3 2012 Threat Report shows that nearly 30% of all third-party exploits target Adobe software.

The upside to all of this is that Adobe has gotten better at releasing patches, and the window of opportunity for new flaws has started to shrink thanks to their efforts.

Written By

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Vulnerabilities

Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.