October 30, 2014

Adobe Reader PDF zero-day exploit selling for $50,000 on black market

(LiveHacking.Com) – Although Adobe added sandboxing to Adobe Reader X it still seems that malicious hackers are find ways of compromising the security of computers via specially formed PDF files. Russian security  firm Group-IB has announced that there is a new zero-day exploit for the popular PDF file reader which is being sold in the underground for up to $50,000. The exploit, which targets Windows-based installations of Adobe X and IX, has also been included in a modified version of the notorious BlackHole exploit toolkit.

At the moment the exploit is only being distributed in a small circles of underground hackers but, of course, there is every possibility that its use will become wide spread. The new unpatched zero day threat allows malware writers and bot authors further opportunities to create new attacked vectors by which malware can be loaded into a victims computer.

“The vulnerability has some limitations, for example it could be successfully exploited only after the user will close the browser and restart it. Another variant is to organize interaction between the victim and the malformed PDF-document. Either way, the vulnerability is has very significant vector to be spread with bypassing of internal Adobe X sandbox, which is appealing for cybercrime gangs because in the past there was no documented method of how to bypass it with shellcode execution,” said Andrey Komarov, the Head of International Projects Department of Group-IB.

A video showing a proof of concept can be seen here: http://www.youtube.com/watch?v=uGF8VDBkK0M&feature=youtu.be. As the video shows, for the payload to run the web browser needs to be restarted. This means that the malware might not infect the PC at the moment the PDF file is opened, but it will most likely succeed at a future time whenever the web browser is closed.

“We saw the announcement from Group IB, but we haven’t seen or received any details,” Adobe spokeswoman Wiebke Lips told SCMagazine.com in an email. “Adobe PSIRT (Product Security Incident Response Team) has reached out to Group-IB, but we have not yet heard back. Without additional details, there is nothing we can do, unfortunately — beyond continuing to monitor the threat landscape and working with our partners in the security community, as always.”

Brian Krebs has pointed out that Blackhole is by far the most prevalent exploit kit in use today. At any rate, consumers should realize that there are several PDF reader option apart from Adobe’s,  including FoxitPDF-Xchange Viewer,Nitro PDF and Sumatra PDF.

Share and Enjoy:
  • Print
  • Digg
  • StumbleUpon
  • del.icio.us
  • Facebook
  • Yahoo! Buzz
  • Twitter
  • Google Bookmarks