Security researchers at FireEye recently discovered a zero-day vulnerability affecting the most recent version of Adobe Reader, 11.0.1, as well as some earlier versions. The attack is the first known in-the-wild exploit that allows a user to bypass the Adobe Reader sandbox, according to a separate confirmation by Kaspersky researchers.
FireEye's Yichong Lin, Thoufique Haq and James Bennett announced the exploit in a blog post, explaining that successful exploitation drops two DLLs. The first of these shows a fake error message and opens a decoy PDF document, while the second drops a callback component to communicate with a remote domain. Lin, Haq and Bennett said they are working with Adobe to confirm a fix is on the way and advised users to avoid opening any unknown PDF files until one is delivered.
FireEye's senior director of security research, Zheng Bu, told Threatpost that the attack is unusual and that its method of targeting a user is rare. He did not reveal additional details, nor did he confirm how the attack was being spread. While it has not been added to any popular exploit toolkits, it likely will be once the full details are disclosed.
Playing outside of the sandbox
The exploit is particularly notable for the fact that it is the first attack to compromise the Adobe Reader sandbox and thus may herald a new wave of incidents. While Adobe Reader was one of the most targeted programs before the sandbox mechanism was introduced, the feature has helped improve its security significantly, Bogdan Botezatu, a senior analyst at antivirus vendor BitDefender, told PCWorld. The appearance of an exploit that can circumvent the sandbox may signal a crucial blow to Adobe Reader's overall software security.
"We can confirm the existence of a malicious PDF in the wild that's successfully able to break out of Adobe Reader's sandbox," Roel Schouwenberg, senior security researcher at Kaspersky Lab, told Threatpost. "We've seen successful exploitation on a machine running Windows 7 x64 and Adobe Reader 11.0.1."
PCWorld noted that there is currently no mitigation plan and advised extra caution. The publication also reported that the vulnerability could be quite valuable, adding that a previous exploit for Adobe Reader 10 and 11 was being sold on cybercriminal forums for prices as high as $50,000 in November. With new attacks emerging and the demand for exploits high, software vendors should take every precaution to avoid similar incidents. Using tools such as source code analysis, programmers can build better software security into the development process and minimize zero-day flaws.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.