0-Day Exploit Bypasses Adobe Reader Sandbox

A youtube video¬†demonstrates an attack against Adobe’s PDF Reader – something that used to be completely mainstream, boring. But what makes this interesting is that it also bypasses the Adobe Reader sandbox, based on the sandbox used by Google Chrome, and the exploit doesn’t rely on Javascript.

Adobe Reader implemented a sandbox of similar architecture to Google Chrome, using a low integrity process to handle untrusted code and a broker process to make security decisions. This attack bypasses the Adobe Reader sandbox entirely and, unlike most Adobe Reader exploits, doesn’t require JavaScript to work.

Attacks like this are likely to become more common. As programs make use of sandboxes it becomes necessary for attackers to break out of those sandboxes to further monetize the system.

Adobe Reader has always been a popular program to exploit due to the nature of PDF and the popularity of the software. It seems attackers aren’t giving up just because of a sandbox, though it’s clear that the Adobe Reader Sandbox has reduced attacks in the wild.

The exploit, which is being sold on the black market for 30,000-50,000 dollars is already incorporated into the popular Blackhole Exploit Kit. Blackhole Exploit Kit is a very popular way for attackers to distribute malware such as Zeus (a popular piece of malware that steals bank info) so it’s best to be wary while opening PDFs until a patch is out.

For protection against this exploit I suggest setting up EMET. Click here to read how.


Update: Adobe is now in contact with Group-IB and hopefully there will be a fix out soon.