$50,000 Zero-Day Exploit Evades Adobe's Sandbox, Say Russian Analysts

← Back to Stories (view on slashdot.org)

$50,000 Zero-Day Exploit Evades Adobe's Sandbox, Say Russian Analysts

Posted by timothy on Thursday November 8, 2012 @02:28AM from the kicking-sand-in-your-face dept.

tsu doh nimh writes with this excerpt from Krebs on Security: "Software vendor Adobe says it is investigating claims that instructions for exploiting a previously unknown critical security hole in the latest versions of its widely-used PDF Reader software are being sold in the cybercriminal underground. The finding comes from malware analysts at Moscow-based forensics firm Group-IB, who say they've discovered that a new exploit capable of compromising the security of computers running Adobe X and XI (Adobe Reader 10 and 11) is being sold in the underground for up to $50,000. This is significant because — beginning with Reader X — Adobe introduced a 'sandbox' feature aimed at blocking the exploitation of previously unidentified security holes in its software, and until now that protection has held its ground. Adobe, meanwhile, says it has not yet been able to verify the zero-day claims."

56 comments

Min score:

Reason:

Sort:

Translating Roman Numerals... srsly??? by Anonymous Coward · 2012-11-08 02:32 · Score: 2

Has the average IQ of /. readers dropped so low recently that it became necessary to translate Roman numerals??
1. Re:Translating Roman Numerals... srsly??? by MightyYar · 2012-11-08 02:37 · Score: 5, Funny
  
  If you ask me, this site has been going downhill ever since they dropped Latin and started posting in English.
  
  --
  W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
2. Re:Translating Roman Numerals... srsly??? by MadChicken · 2012-11-08 02:38 · Score: 5, Funny
  
  They would have kept one numbering system for the whole article, but "Zero-day" would have been really tough.
  
  --
  SYS 64738 NO CARRIER
3. Re:Translating Roman Numerals... srsly??? by Anonymous Coward · 2012-11-08 02:42 · Score: 0
  
  That would be a " -day" exploit.
4. Re:Translating Roman Numerals... srsly??? by bobthesungeek76036 · 2012-11-08 02:45 · Score: 1
  
  Haven't you read the memo? And from now on, everyone must translate OSX (OS-10) when posting it's name...
  
  --
  Karma: Bad
5. Re:Translating Roman Numerals... srsly??? by guruevi · 2012-11-08 02:47 · Score: 3, Informative
  
  Adobe themselves does it. They have Acrobat X/XI on the marketing side but installation and license calls it Acrobat 10/11
  
  --
  Custom electronics and digital signage for your business: www.evcircuits.com
6. Re:Translating Roman Numerals... srsly??? by Anonymous Coward · 2012-11-08 03:10 · Score: 1
  
  Reminds me of one of the direct to DVD/TV Revenge of the Nerds sequels, where the nerds' black fraternity leader wears his Malcolm the 10th hat.
7. Re:Translating Roman Numerals... srsly??? by FatdogHaiku · 2012-11-08 03:26 · Score: 4, Funny
  
  O tempora, o mores!
  
  --
  You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
8. Re:Translating Roman Numerals... srsly??? by Anonymous Coward · 2012-11-08 03:28 · Score: 0
  
  Nope. Some theorize that OSX would translate to 11-7-10
9. Re:Translating Roman Numerals... srsly??? by Anonymous Coward · 2012-11-08 05:21 · Score: 0
  
  Oh Tempura, Oh S'mores!
10. Re:Translating Roman Numerals... srsly??? by Anonymous Coward · 2012-11-08 06:26 · Score: 0
  
  Acrobat 10/11. Hmm, you mean Acrobat 0.909?
11. Re:Translating Roman Numerals... srsly??? by Anonymous Coward · 2012-11-08 06:33 · Score: 0
  
  no no no.
  The X is a variable.
12. Re:Translating Roman Numerals... srsly??? by OhSoLaMeow · 2012-11-08 08:16 · Score: 1
  
  Except for on certain Pentium systems where it would be Acrobat 0.98964
  
  --
  They can take my LifeAlert pendant when they pry it from my cold dead fingers.
13. Re:Translating Roman Numerals... srsly??? by arglebargle_xiv · 2012-11-08 10:29 · Score: 1
  
  Some theorize that OSX would translate to 11-7-10
  You're looking at it all wrong, it's actually a smiley for a dipsomaniac cyclops.
not yet been able to verify the zero-day claims by fustakrakich · 2012-11-08 02:36 · Score: 5, Funny

They can if they cough up 50 grand for a copy. By the way, is anybody getting sued for uploading a free torrent?

--
“He’s not deformed, he’s just drunk!”
1. Re:not yet been able to verify the zero-day claims by Anonymous Coward · 2012-11-08 02:47 · Score: 1
  
  these are folks that will break a kneecap instead of a lawsuit. That may be more effective.
2. Re:not yet been able to verify the zero-day claims by Terrasque · 2012-11-08 02:56 · Score: 2
  
  In that case, I also have one of those thingymajigs, and I'll sell it for only 48 grand! I'll even throw in a small bridge in the bargain, for free!
  
  --
  It's The Golden Rule: "He who has the gold makes the rules."
3. Re:not yet been able to verify the zero-day claims by ifrag · 2012-11-08 03:42 · Score: 1
  
  Those purchasing it (assuming that anyone actually has) are probably interested in getting some use out of it. Anyone looking to preserve value in their investment will want as few eyes looking at this as possible.
  
  --
  Fear is the mind killer.
Can't verify. by Anonymous Coward · 2012-11-08 02:36 · Score: 5, Funny

Sorry, we cannot verify this zero-day exploit, the computer we tested it on isn't working right for some reason.
This is Actually an Interesting Trend... by InvisibleClergy · 2012-11-08 02:44 · Score: 5, Insightful

If I remember correctly, Flame was first identified by Kapersky, a Russian company. In this age wherein the US Government has a cyber-warfare division, it seems as though a large amount of the interesting, practical work in Computer Security is moving to Russia.
1. Re:This is Actually an Interesting Trend... by Anonymous Coward · 2012-11-08 02:51 · Score: 4, Insightful
  
  Well since most of the interesting, practical work in Computer Insecurity is there as well, it makes sense.
2. Re:This is Actually an Interesting Trend... by Anonymous Coward · 2012-11-08 03:15 · Score: 1
  
  Most interesting, practical work in Computer Insecurity... Do you mean Stuxnet, Flame, Duqu?
3. Re:This is Actually an Interesting Trend... by h0oam1 · 2012-11-08 03:23 · Score: 2
  
  Maybe the US cyber-warfare division CREATED flame, stuxnet, etc. That would probably make it undesirable to be the one to first 'identify' it.
4. Re:This is Actually an Interesting Trend... by InvisibleClergy · 2012-11-08 03:59 · Score: 1
  
  Yes, that's what I was implying. This also means it is important to have American antivirus companies around too, because there is a lot of cybercrime in Russia.
5. Re:This is Actually an Interesting Trend... by EdIII · 2012-11-08 11:20 · Score: 1
  
  Soooo... we are operating on the principle of "He who smelt it, dealt it" in foreign policy now?
What is broken? the reader or the specs? by 140Mandak262Jamuna · 2012-11-08 02:54 · Score: 5, Insightful

Adobe PDF and Flash are now the two most serious vectors for malware. Most of us have switched to foxit reader. But I learnt that some of the security holes are actually in the pdf spec itself, and whatever $reader you are using, if it is faithful to the specs, the vulnerability will exist. In this case, is it the reader or the specs that is broken?
High time people stop using the Adobe pdf reader, and disable the "active hyperlinks" in it if it cant be fully uninstalled. Just in case some malware manages to trick the browser into using the installed adobe reader overriding the preference to foxit reader.

--
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
1. Re:What is broken? the reader or the specs? by Derek+Pomery · 2012-11-08 03:15 · Score: 2
  
  Foxit has its vulnerabilities too, although it helps that it isn't as commonly used.
  While I do resort to Evince and if absolutely necessary, Adobe (usually just for some work form PDF), I've found that most of the time I can get by with the new PDF.js functionality in Firefox.
  http://hackademix.net/2011/12/07/hulk-want-pdfjs/
  https://github.com/mozilla/pdf.js/
  PDF.js plays nice w/ NoScript these days btw. It used to require whitelisting the site (ugh).
  
  --
  -- perl -e'print pack"H*","6e656d6f406d38792e6f7267"' /. ate my old sig. Bastards.
2. Re:What is broken? the reader or the specs? by iMouse · 2012-11-08 03:38 · Score: 1
  
  Adobe Reader and Flash were previously the largest attack vectors...Java is by far #1 and has been for the last few years. Since Sun/Oracle states "Java Runs on 3 Billion Devices" and that a large chunk of those devices will never or rarely see a patch, it has been a HUGE painted target lately.
3. Re:What is broken? the reader or the specs? by ArcadeMan · 2012-11-08 03:40 · Score: 1
  
  I'm also wondering if Mac OS X and Preview are at risks, but as far as I know they're too "basic", i.e. dumb viewer only with no javascript and crap, so I'm guessing they're safer.
  
  --
  Get free satoshi (Bitcoin) and Dogecoins
4. Re:What is broken? the reader or the specs? by JDG1980 · 2012-11-08 03:47 · Score: 1
  
  But I learnt that some of the security holes are actually in the pdf spec itself, and whatever $reader you are using, if it is faithful to the specs, the vulnerability will exist.
  I'd be interested to see more details on this. What part of the spec is broken? It also seems to contradict common experience: the overwhelming majority of exploits are Adobe Reader-only, and don't affect other PDF readers at all. Do these other readers just not follow the spec? Is there something in there ordering that Flash/Javascript/whatever must be executed without asking the user? Unless they did something that crazy, I'm not sure how a document display spec could have inherent security holes.
5. Re:What is broken? the reader or the specs? by dkf · 2012-11-08 03:50 · Score: 2
  
  Adobe Reader and Flash were previously the largest attack vectors...Java is by far #1 and has been for the last few years. Since Sun/Oracle states "Java Runs on 3 Billion Devices" and that a large chunk of those devices will never or rarely see a patch, it has been a HUGE painted target lately.
  Virtually all of those attacks are aimed at the code that integrates a Java runtime with a browser, as that's an extremely exposed part of the ecosystem. The plain old JRE is nowhere near as easy to attack (unless someone's running a moronic program, of course, but you can do that in any programming language except for ones you wouldn't use for anything serious at all) as it simply doesn't normally listen to the outside world. Other routes for doing Java things from a browser also tend to give me the willies (e.g., JNLP) but it's not really the "Java" that is the problem so much as the "run code where you can't be sure where it's from" and the alternatives aren't necessarily better.
  The truly hard part of security is that it is too often antagonistic to utility, and users will virtually always pick utility over security.
  
  --
  "Little does he know, but there is no 'I' in 'Idiot'!"
6. Re:What is broken? the reader or the specs? by NatasRevol · 2012-11-08 03:51 · Score: 1
  
  When 2.5 billion of those devices are dumb phones, no one cares if they're attacked.
  
  --
  There are two types of people in the world: Those who crave closure
7. Re:What is broken? the reader or the specs? by Anonymous Coward · 2012-11-08 07:09 · Score: 0
  
  It's been a joke around the office for a while, whenever we're setting up something with Java....'Java runs on over 3 billion devices....be afraid. Be very afraid.'
but wait, it gets worse by slashmydots · 2012-11-08 03:08 · Score: 5, Insightful

In the new 11 version, you can no longer turn off the "view PDF in web browser" that basically frames it within your browser like a page without you ever approving it. So any rigged PDFs get loaded automatically. You used to be able to turn it off and only open PDFs via a file download prompt if a page is trying to serve one up.
1. Re:but wait, it gets worse by Anonymous Coward · 2012-11-08 03:19 · Score: 0
  
  Good chance adobe deliberately has security holes in it since they work so closely with the DoD, either from the badguys or us wanting to spy on us. Double the chances. Shit like this is laughable. 99% of these forms could be done any other way. And primarily government forms is were adobe has its PDF market, businesses that are smart stick with their own proprietary formats.
2. Re:but wait, it gets worse by Anonymous Coward · 2012-11-08 03:24 · Score: 1
  
  businesses that are smart stick with their own proprietary formats.
  Yes, Stallman has been campaigning for people to do this for years.
3. Re:but wait, it gets worse by Billly+Gates · 2012-11-08 03:55 · Score: 2
  
  It gets worse than that my friend. Reader X supports unsigned and unsandboxed flash embedded!
  So your browser will simply run it and run whatever code from an infected ad server without even your AV software being able to detect nor stop it before its too late.
  Someone needs to be fired over that. Oh wait Adobe outsourced the team to India. What could possibly go wrong??
  Get Foxit
  
  --
  http://saveie6.com/
4. Re:but wait, it gets worse by Anonymous Coward · 2012-11-08 06:42 · Score: 0
  
  What if you disable the plug-in(s)?
5. Re:but wait, it gets worse by Anonymous Coward · 2012-11-08 08:13 · Score: 0
  
  Last I checked every browser worth it's salt allows you to disable the plugin (or ActiveX control, for mediocre browsers) used to display PDFs inline, netting the same download dialog...
6. Re:but wait, it gets worse by Anonymous Coward · 2012-11-08 15:07 · Score: 0
  
  Even better: use Evince: http://projects.gnome.org/evince/ or the Portable version:
  http://portableapps.com/apps/office/evince_portable
  Allows fill-in-the-form as well, runs on Windows and Linux
  I never had any problems with it
Thing I've wondered about with exploit sales... by Anonymous Coward · 2012-11-08 03:21 · Score: 1

How does the person paying $50,000 know he'll receive a working exploit and not, say, a .rar of the shareware version of Jill of the Jungle?
1. Re:Thing I've wondered about with exploit sales... by camcorder · 2012-11-08 04:19 · Score: 1
  
  Considering risk that person is putting himself in by this kind of purchase, $50k is nothing.
2. Re:Thing I've wondered about with exploit sales... by Anonymous Coward · 2012-11-08 06:26 · Score: 0
  
  Ripoffs certainly happen, as does stealing and reselling other people's tools etc, but basically sellers have to establish a reputation under a verified handle to do business. It's pretty similar to the situation on the silk road, except on obscure private forums and IRC networks with the participants proxying through 7 botnets.
3. Re:Thing I've wondered about with exploit sales... by Anonymous Coward · 2012-11-08 07:28 · Score: 0
  
  Considering the line of business of the potential buyer, who would want to have a broken knee cap or a few missing ribs to get $50k?
Foxit people! by Billly+Gates · 2012-11-08 03:48 · Score: 1

Adobe products are a security nightmare. It is 8 years behind even IE and XP! Just recently started signing apps? Just added a cutting edge feature called a sandbox a few months ago. Auto updates added just this year?? IE 7 had all of these.
No wonder hackers exploit this. It is a convenient way to byepass modern browser security that works across all platforms. No longer is it the case that using Firefox and going on familiar websites made you invincible. Just have unupdated flash or reader and BAM instant infection!
Anyway foxit does not execute code unless you tell it too. PDFs should only render data. Never execute flash or javascript! Flash can run without it being signed nor scanned by your AV or even sandboxed from within Reader X. Stupid. Whoever thought of that needs to be fired.
You can get Foxit from www.filehippo.com or ninite.com. Every IT professional should know about it.

--
http://saveie6.com/
1. Re:Foxit people! by Anonymous Coward · 2012-11-08 04:17 · Score: 2, Informative
  
  I don't get it why people just go half the way from Acrobat to Foxit. Sumatra is Open Source, small, fast and, so far hasn't failed me for any PDFs I've tried (admittedly none were of the stupid javascript online validating form crap variety).
  Every IT pro should know about Sumatra.
2. Re:Foxit people! by JDG1980 · 2012-11-08 05:11 · Score: 1
  
  I've tried Sumatra. Overall I like it, but I wish there was some way to get rid of the horrid yellow background. (Admittedly, you only see this if you don't have a document open.) Also, I do prefer Adobe Reader's choice of hand, text selector, and marquee zoom to Sumatra's method of only letting you use the hand if you're off the main page. And text rendering isn't quite as good in Sumatra, though that's due to the fact that it doesn't use the hacks that regular Windows text rendering does to look good on low-DPI LCDs, and it should go away once we finally get high-DPI desktop monitors in the mainstream.
3. Re:Foxit people! by Emetophobe · 2012-11-08 05:23 · Score: 2
  
  You can change the yellow background using the -bg-color command line argument. For example: "C:\Program Files (x86)\SumatraPDF\SumatraPDF.exe" -bg-color 0x444444
  It's described in the manual here.
4. Re:Foxit people! by Billly+Gates · 2012-11-08 05:59 · Score: 1
  
  I have not used Sumatra. I think fighting over between the 2 is silly like fighting over Firefox or Chrome when IE is still at 6.
  I use Foxit because I am used to it. I ditched reader early last year and I needed something compatible with most PDFs and at the time FoxIT had broader compatibility. Yes Foxit does have javascript support which can be a security risk but it will not execute it without your permission first. Also the javascript is sandboxed too and you have to click an option to turn all of it on, unlike Reader. Foxit has plugins and more tools from the reviews I have read about Sumatra back in 2011.
  Maybe that has changed?
  But either or is better than Adobe. Integrating flash unsigned applets that your AV software can't read is inexecusable! Wow. Or a better idea could also be to use Chrome with its built-in PDF reader? I use FoxIT for many office workers because it looks like reader and is compatible iwth mostly everything.
  
  --
  http://saveie6.com/
5. Re:Foxit people! by Anonymous Coward · 2012-11-08 06:02 · Score: 0
  
  Foxit is free so if you are on Windows give it a try? Reader is simply dangerous as well as Flash. I find Foxit to be the most similar looking to Reader which is good for your users if you are in IT support like many slashdotters who are.
Adobe Software = Joke by Anonymous Coward · 2012-11-08 05:17 · Score: 0

I'm starting to wonder if Adobe even makes credible software these days. It's nice to be able to read documents and watch animations but do we really need all this software that seems to want to update twice a week and has a new security hole every month? How can development practice be so bad that we've ended up here? This just validates my idea that any piece of software on a PC needs to be the Windows OS or Microsoft code, and not vendor installed crap and bloat. I wouldn't trust them to write a "Hello World" app without at least 400 buffer exploits.
Alternatively, switch to Linux and avoid the whole problem.
Way more complex than needed by BryanWhyte · 2012-11-08 08:24 · Score: 1

As one who has used Adobe Reader since 3.0, it really is hard to comprehend why this product continues to advance in complexity. Are there strong numbers of users out there really using the advance features of Adobe X?
No by Anonymous Coward · 2012-11-08 09:33 · Score: 0

PDF is itself absolutely no security risk. It's wholly the crappy parsers/renderers. And the ability to include other insecure formats such as Flash. But nobody forces a viewer to spawn a Flash player and proper viewers such as evince just don't do that.