Adobe Systems is responding to reports that a critical zero-day exploit targeting a flaw in Adobe Reader X is being sold in the criminal underground.
According to company spokesperson Wiebke Lips, the software maker has reached out to Group-IB, a Russian-based cybercrime investigation company that discovered the exploit for sale. The exploit is apparently available in a custom version of the notorious Black Hole attack toolkit. Adding the exploit to the automated toolkit makes the potential for widespread attacks greater, say experts.
"We are now in communication with Group IB so we can make a determination whether or not this is in fact a vulnerability and a sandbox bypass," Lips said. "Without additional details, and in particular a sample, there is nothing we can do, unfortunately -- beyond continuing to monitor the threat landscape and working with our partners in the security community, as always."
The exploit is able to weaken the security of computers running the latest versions of Adobe Reader, X and XI, by evading the sandbox protection in the programs, which the software company first implemented in 2010, according to Group-IB. The first report of the zero-day came earlier this week from Brian Krebs of Krebs on Security.
The sandboxing technology implemented by Adobe wraps its Reader software in a protective layer intended to keep malicious code from breaking out onto a victim's machine. "Adobe has made great steps in mitigating the attacks against the PDF reader by implementing sandboxing, but, if the report has it right, then these counter-measures are all in vain, since the exploit can easily bypass the sandbox," said Catalin Cosoi, chief security strategist at Romanian antivirus provider Bitdefender.
The attack has only been successfully tested on Adobe Reader installed on Microsoft Windows. A proof of concept of the zero-day was posted on YouTube by Group-IB. The exploit executes its own shellcode with the help of malformed PDF documents, according to a report on Group-IB's website. Black Hole is used to distribute banking Trojans such as Zeus, Spyeye, Carberp and Citadel with the help of vulnerabilities in client-side software.
"[This] means that anyone who gets infected has a strong chance of having their accounts depleted," Cosoi said in an email to SearchSecurity.com.
The exploit is being sold on the black market for prices between $30,000 and $50,000; however, Group-IB reports that so far it is only circulating among a small number of members of the cybercrime community. Enterprises have the most reason to worry about this vulnerability, Cosoi said, because they often allow PDF files through the corporate firewall by default.
"Any computer user who opens a PDF file rigged with the exploit can inadvertently install a backdoor at the network level, through which the attackers can gain access to company data, intellectual property, customer information or technological processes," Cosoi said.
According to Andrey Komarov, head of the international projects department of Group-IB, one limitation of the vulnerability is that it can only successfully be exploited once the user closes and restarts the browser.