Alleged 0day exploit for Adobe Reader in circulation
Moscow-based IT security firm Group-IB reports that the current versions of Adobe Reader contain a critical vulnerability that allows attackers to bypass the application's sandbox and inject malicious code into a system. Apparently, an exploit for the Black Hole attack framework is already available for purchase on underground forums – costing approximately $30,000 to $50,000.
In a video posted on YouTube, Group-IB demonstrates the vulnerability using the latest version of Reader XI (11.0); the series 10 versions are also thought to be vulnerable. All of Reader's relevant protective security features – including the sandbox – can be seen as being active in the video. Whether the specially crafted PDF document is executed directly in Reader or in a browser via the Reader plugin doesn't seem to make a difference.
Group-IB has not revealed the origin of the proof-of-concept demo exploit that is shown in the video or disclosed any other details concerning the hole – neither publicly, nor to Adobe. Talking to security blogger Brian Krebs, an Adobe spokesperson said that they haven't been able to verify Group-IB's allegations due to a lack of information. The company said that it now plans to take the initiative and "reach out" to the security firm.