Adobe said today it has been in contact with the Russian security company Group-IB, which discovered a zero-day vulnerability in Adobe Reader and yesterday reported the existance of a pricey exploit circulating on the black market.
The exploit, according to Group-IB, bypasses Adobe’s sandbox protection in Reader, and is selling for upwards of $50,000. Group-IB head of international projects Andrey Komarov said attackers are using malformed PDF documents with specially crafted forms to get shellcode on compromised machines.
“We received a response from Group IB this morning and are now in communication so we can make a determination on whether or not this is in fact a vulnerability and a sandbox bypass,” said Adobe senior manager of corporate communications Wiebke Lips.
While the exploit is expensive and currently has limited availability underground, Komarov said, it has been added to the Black Hole Exploit Kit. Version 2.0 of Black Hole was released in September with a host of new features, including random domain generation and exploits targeting Java and other methods used to execute drive-by downloads and other Web-based attacks. Given the exploit’s lack of general availability, it’s unlikely it has been added to the commercial version of Black Hole, and more likely a customized version.
“For now, this flaw is distributed only in small circles of the underground but it has the potential for much larger post-exploitation methods,” Komarov said.
Komarov added that there are limitations to the exploit. He said a successful exploitation requires the user to close and restart their browser.
“The vulnerability has a very significant vector to be spread with bypassing of the internal Adobe X sandbox, which is appealing for cybercrime gangs because in the past there was no documented method of how to bypass it with shellcode execution,” Komarov said.
Adobe recently upgraded Reader XI and Acrobat XI with better sandbox functionality and a feature that forces DLLs loaded by those applications to use address space layout randomization (ASLR), a capability that reduces the risk of memory corruption attacks. Sandbox protection processes untrusted content before it’s exposed to the underlying system.
Krebs on Security reported that the author of Black Hole confirmed the exploit was in circulation and not widely available. He added that the Black Hole author was hopeful to include it in the exploit kit soon. Regardless, should the attack find its way into an available exploit kit, it would put any number of large enterprises, manufacturers, government agencies and military organizations at risk. Zero-days such as this one are central to targeted attacks against high-value intellectual property.
“The good news is that the exploit costs $50,000, which limits the purchase of it to defense contractors, nation states and some criminal organizations that may be able to recoup the cost of purchase,” said Marcus Carey, security researcher with Rapid7. “It’s good that Group-IB has publicly disclosed this vulnerability in Adobe, and hopefully Adobe will be able to get their hands on this exploit and patch it as soon as possible to safeguard customers.”
Carey advises users who do not need the Adobe plug-in to disable it and be cautious about opening PDF attachments.
“Once this exploit is available to the public, there is potential for it to be added to Black Hole and other exploit kits and it may even be improved from its current state for malicious intent to address multiple platforms,” Carey said.