A Russian security company has found a zero-day vulnerability in the latest versions of Adobe’s PDF reader software that’s fetching between $30K and $50K on the black market.
The exploit, is reportedly being used to install banking malware, is also packaged up in the new version of the Blackhole Exploit Kit, used to distribute the banking Trojans Zeus, Spyeye, Carberp, and Citadel.
That could turn a big problem into a bigger and more widespread one. As it is, notes KrebsonSecurity, Blackhole is currently the most prevalent exploit kit in use.
The security firm, Group-IB announced the vulnerability on Wednesday.
The researchers said that the vulnerability is able to get around the built-in sandboxing protection that Adobe added to its Reader application with the release of version X (version 10) in July, in an attempt to keep potentially malicious PDF files at arm’s distance from the operating system by running them in a confined environment.
Andrey Komarov, the Head of International Projects Department at Group-IB, said in the announcement that the vulnerability has great appeal for cybercriminals, given that it’s the first time they’ve found a way to bypass Adobe X’s sandbox, which is also built into the latest Adobe Reader XI (version 11):
"[It's a] very significant vector to be spread with bypassing of internal Adobe X sandbox, which is appealing for cybercrime gangs because in the past there was no documented method of how to bypass it with shellcode execution."
One factor that could mitigate the seriousness of the zero-day is that the vulnerability can only be successfully exploited after a user closes and restarts the browser.
Another way to exploit the vulnerability, Komarov said, is to trick a victim into opening a malformed PDF document.
So far, Group-IB has only seen the attack work against Microsoft Windows installations of Adobe Reader, Krebs reports.
Adobe spokeswoman Wiebke Lips told SC Magazine that the company had reached out to the researchers but hadn’t heard back as of Wednesday evening and was waiting for more details before deciding how to respond:
"We saw the announcement from Group IB, but we haven't seen or received any details. Adobe PSIRT (Product Security Incident Response Team) has reached out to Group-IB, but we have not yet heard back. Without additional details, there is nothing we can do, unfortunately - beyond continuing to monitor the threat landscape and working with our partners in the security community, as always."
Adobe hadn’t responded to my request for an update or with advice for how to mitigate the danger by the time this posted.
This time around, Adobe obviously can’t rely on sandboxing to keep users safe while it postpones a fix. Hopefully, they’ll get details soon and get an emergency fix out ASAP.
In the meantime, avoid opening unsolicited PDFs.