First Adobe Reader 0-Day Bypassing Sandbox Protection In The Wild
Few Days ago, a Trend Micro Research Paper on the Russian Underground gave a scary landscape of the Underground Black Market showing that every hacking tool and service can be found at dramatically cheap prices in a sort of democratization of Cyber Crime.
Today the news related to the discovery of an unknown 0-day vulnerability targeting Adobe Reader X and XI, confirms that the underground market follows the same rules than the real economy: premium products (read 0-day vulnerabilities) are not for every wallet and if you want a brand new 0-day you must be able to pay up to $50.000.
This is the price at which the previously unidentified Adobe vulnerability is sold according to Malware analysts at Moscow-based forensics firm Group-IB, who have discovered it. The price is justified since this is really a “premium exploit”: in fact beginning with Reader X (June 2011), Adobe introduced a sandbox feature further enhanced in Adobe XI (only three weeks ago). The Sandbox is aimed at blocking the exploitation of previously unidentified security flaws and has proven to be particularly robust: Adobe claimed that since its introduction in Adobe Reader and Acrobat X, they have not seen any exploits in the wild capable of breaking out of it. At least until yesterday.
This makes this 0-day particularly meaningful… And expensive, even if it has some limitations (for example, cannot be fully executed until the user closes his Web browser, or Reader).
Of course cyber criminals did not waste time and Group-IB says the vulnerability is included in a new, custom version of the Blackhole Exploit Kit (apparently it has not been still included in the official version).
And Adobe? So far they have not received any details: “We saw the announcement from Group IB, but we haven’t seen or received any details. Adobe has reached out to Group-IB, but we have not yet heard back. Without additional details, there is nothing we can do, unfortunately—beyond continuing to monitor the threat landscape and working with our partners in the security community, as always.”