0-Day Exploit Bypasses Adobe Reader Sandbox

A YouTube video demonstrates an attack against Adobe’s PDF Reader – on its own, that would be routine and unremarkable. What makes this one interesting is that it also bypasses the Adobe Reader sandbox, which is modelled on the sandbox used by Google Chrome, and the exploit doesn’t rely on JavaScript.

Adobe Reader implemented a sandbox with an architecture similar to Google Chrome’s: a low-integrity process handles untrusted content, and a broker process makes the security decisions on its behalf. This attack bypasses the Adobe Reader sandbox entirely and, unlike most Adobe Reader exploits, doesn’t require JavaScript to work.

Attacks like this are likely to become more common. As programs adopt sandboxes, attackers have to break out of those sandboxes to get anything useful from the compromised system.

Adobe Reader has always been a popular program to exploit because of the complexity of the PDF format and the popularity of the software. It seems attackers aren’t giving up just because of a sandbox, though it’s clear that the Adobe Reader sandbox has reduced attacks in the wild.

The exploit, which is being sold on the black market for 30,000-50,000 dollars, is already incorporated into the popular Blackhole Exploit Kit. Blackhole is a very common way for attackers to distribute malware such as Zeus (a widespread piece of malware that steals banking information), so it’s best to be wary when opening PDFs until a patch is out.

For protection against this exploit I suggest setting up EMET. Click here to read how.

Update: Adobe is now in contact with Group-IB and hopefully there will be a fix out soon.

Java Zero-Day Out In The Wild

Another Java vulnerability is being exploited on the open internet. It reportedly works against all currently patched versions of Java, and there is no patch out for it yet.

Without knowing the details of the exploit I can’t say how something like EMET would change things – if it’s trying to spawn a shell or relies on a buffer overflow, EMET will help; if it’s purely a sandbox escape, it won’t. I still recommend you use EMET to be safe. Otherwise, the best Windows users can do is stay away from shady sites, not let Java run on any website they don’t absolutely trust, and patch as soon as a fix is available.

Linux users can use AppArmor to sandbox Java; this is the most effective way to stay secure against an attack like this. The exploit drops a payload, which then executes. AppArmor would stop this in several ways – preventing the initial write, preventing the payload from executing, and so on. Even if the second payload did launch, or if the attacker worked exclusively from their initial .class file, they’d be very limited in what they could do.
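As an added illustration of the AppArmor approach described above (this profile is not from the original post), here is a minimal profile that confines the Java runtime the browser plugin launches. The JRE binary path is an assumption and must be changed to match the locally installed JRE; a real deployment would first run the profile in complain mode (aa-complain) to collect whatever extra read rules the plugin needs.

```apparmor
# Added example profile (not from the original post).
# ASSUMPTION: the JRE binary path below; adjust it to the installed JRE.
#include <tunables/global>

/usr/lib/jvm/java-7-openjdk-amd64/jre/bin/java {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # The runtime may read and map its own files, but never write them.
  /usr/lib/jvm/**          r,
  /usr/lib/jvm/**.so       mr,
  /etc/java*/**            r,

  # The per-user Java cache is the only writable location.
  # AppArmor is default-deny, so nothing else in the home directory
  # can be written: the exploit's initial "drop a payload" step fails.
  owner @{HOME}/.java/**   rw,

  # Explicit deny rules override any allow rule, so even if a file is
  # written somewhere writable, it cannot be executed, and the runtime
  # cannot launch any other program as a second-stage payload.
  deny  @{HOME}/**         x,
  deny  /tmp/**            wx,
  deny  /bin/**            x,
  deny  /usr/bin/**        x,

  # Outbound network access is what an applet legitimately needs.
  network inet  stream,
  network inet6 stream,
}
```

Load it with `apparmor_parser -r` and confirm with `aa-status` that the java binary shows up under the enforced profiles.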