Upcoming Adobe Reader, Acrobat Update to Patch Sandbox Escape

Adobe announced security updates for Reader and Acrobat that likely include patches for a sandbox escape vulnerability. Google’s Project Zero released details and exploit code earlier this week.

Adobe is expected to update its Reader and Acrobat software next Tuesday as part of its scheduled security updates, and the updates will, according to an Adobe spokesperson, include patches for a Reader vulnerability disclosed this week by Google’s Project Zero.

Researcher James Forshaw, a well-known bug-hunter and Project Zero member, went public with details of a sandbox escape vulnerability in Reader as well as exploit code.

Per its policy, Google’s security research team discloses vulnerability details 90 days after it shares those details with the vendor in question. In this case, the vulnerability was partially addressed earlier by Adobe after it was reported in August. Adobe tweaked Reader in order to make exploiting the vulnerability much more difficult. The flaw, however, had not been patched.

In a pre-notification advisory published yesterday afternoon, Adobe said it will release a security update for Adobe Reader 11.0.09 and earlier, and 10.1.12 and earlier, as well as Acrobat 11.0.09 and earlier, and Acrobat 10.1.12 and earlier.

Forshaw said the vulnerability is a race condition in the handling of the MoveFileEx call hook in Adobe Reader.

“This race can be won by the sandboxed process by using an OPLOCK to wait for the point where the MoveFileEx function opens the original file for the move. This allows code in the sandbox to write an arbitrary file to the file system,” Forshaw wrote in the Project Zero bug report.

Adobe’s adjustment to Reader in version 11.0.9 prevented the vulnerability from using the broker file system hooks to create directory junctions, Forshaw said.

Forshaw’s disclosure came a week after Adobe released an emergency security update for Flash Player.

The Nov. 25 update patched a code-execution vulnerability in Flash that was already being exploited in the Angler and Nuclear exploit kits, French researcher Kafeine discovered. Adobe thought it had patched the issue in question with its October security updates that addressed three memory-corruption vulnerabilities. The emergency patch resolved a fourth, CVE-2014-8439.

“These updates provide additional hardening against a vulnerability in the handling of a dereferenced memory pointer that could lead to code execution,” Adobe said in its advisory.

Suggested articles