Brian Krebs of KrebsonSecurity.com reports that Group-IB, a computer security company based in Russia, claims to have discovered a new zero-day vulnerability in Adobe Reader X and XI that bypasses the built-in sandbox (Protected Mode) those versions rely on to contain exploits.
As if that news alone weren’t bad enough, Group-IB says that the vulnerability is up for sale in the criminal underground for $50,000 and has been added to a new, custom version of the infamous BlackHole Exploit Kit.
Frequent readers will recognize the BlackHole Exploit Kit name: it is widely used by cybercriminals and is the driving force behind the majority of the drive-by-download attacks we post warnings about.
The only limitations reported so far are that the exploit cannot be fully executed until the user closes their web browser or Reader window, and that the attack has only been seen working against Windows.
Group-IB has also published a video demonstrating a “sanitized” version of the attack.
As for Adobe’s take on this, SCMagazine reports that the Adobe PSIRT (Product Security Incident Response Team) is communicating with Group-IB to determine whether this is in fact a vulnerability and a sandbox bypass.
In the meantime, users should avoid downloading (and opening) random PDF files and might take a look at the alternative PDF readers Krebs suggests, such as Foxit, PDF-XChange Viewer, Nitro PDF, and Sumatra PDF (keeping in mind that switching readers only sidesteps exploits written for Adobe Reader; the alternatives have had their own vulnerabilities). Disabling the Reader browser plug-in closes off the drive-by delivery path but does not eliminate the threat: a trojanized PDF that is downloaded and then opened in Reader will still trigger the exploit.
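Since the practical advice comes down to "don't open untrusted PDFs," a quick triage of a downloaded file before opening it is worth having. The following is an added example (not code from the original post, Krebs, or Group-IB) that looks for the PDF features typically used to carry an exploit: JavaScript, automatic actions that fire on open, and Launch actions. It also decodes PDF name escapes (`/J#61vaScript` for `/JavaScript`), a common trick for dodging naive keyword scans. The two sample PDFs are constructed inline for illustration and are not real samples; the keyword list is a triage heuristic, not a signature for this or any specific exploit.

```python
import re

# PDF name objects that indicate active or auto-triggered content.  A hit is a
# reason to scan or sandbox the file before opening it, not proof of malice.
SUSPICIOUS_NAMES = (
    "/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch",
    "/EmbeddedFile", "/RichMedia", "/ObjStm",
)

# PDF allows any byte in a name to be written as #xx; attackers use this to
# hide keywords from scanners that search for the literal string.
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes so /J#61vaScript becomes /JavaScript.

    Applied to the whole file for simplicity; a '#' inside stream data is
    decoded too, which is harmless for a keyword-count heuristic.
    """
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def count_suspicious(data: bytes) -> dict:
    """Return {name: occurrences} for every suspicious name present."""
    text = normalize_names(data)
    counts = {}
    for name in SUSPICIOUS_NAMES:
        # Require a delimiter after the name so /JS does not match /JSX.
        pattern = re.escape(name.encode()) + rb"(?![A-Za-z0-9])"
        n = len(re.findall(pattern, text))
        if n:
            counts[name] = n
    return counts


def is_pdf(data: bytes) -> bool:
    """Check the PDF magic; a renamed .exe is not a PDF at all."""
    return data.lstrip().startswith(b"%PDF-")


def triage(data: bytes) -> str:
    """Classify a file as 'not-pdf', 'clean', 'review', or 'suspicious'."""
    if not is_pdf(data):
        return "not-pdf"
    hits = count_suspicious(data)
    if any(k in hits for k in ("/JavaScript", "/JS", "/Launch")):
        return "suspicious"
    if hits:
        return "review"
    return "clean"


# Constructed sample: a minimal, benign PDF skeleton.
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Constructed sample: an OpenAction pointing at a JavaScript action, with the
# /JavaScript name hex-escaped to evade a literal search.
MALICIOUS_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
    b"2 0 obj << /S /J#61vaScript /JS (app.alert(1)) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_PDF), ("malicious", MALICIOUS_PDF)):
        print(label, triage(blob), count_suspicious(blob))
```

Run it against a downloaded file with `triage(open(path, "rb").read())`; anything that comes back `suspicious` or `review` should go to a scanner or a throwaway VM rather than to Reader on the workstation. The heuristic will miss content hidden inside compressed object streams (`/ObjStm` is flagged for exactly that reason), so treat a `clean` result as "nothing obvious," not as a clean bill of health.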