$50,000 Zero-Day Exploit Evades Adobe's Sandbox, Say Russian Analysts

tsu doh nimh writes with this excerpt from Krebs on Security: "Software vendor Adobe says it is investigating claims that instructions for exploiting a previously unknown critical security hole in the latest versions of its widely-used PDF Reader software are being sold in the cybercriminal underground. The finding comes from malware analysts at Moscow-based forensics firm Group-IB, who say they've discovered that a new exploit capable of compromising the security of computers running Adobe X and XI (Adobe Reader 10 and 11) is being sold in the underground for up to $50,000. This is significant because — beginning with Reader X — Adobe introduced a 'sandbox' feature aimed at blocking the exploitation of previously unidentified security holes in its software, and until now that protection has held its ground. Adobe, meanwhile, says it has not yet been able to verify the zero-day claims."

  1. Translating Roman Numerals... srsly??? by Anonymous Coward · · Score: 2

    Has the average IQ of /. readers dropped so low recently that it became necessary to translate Roman numerals??

    1. Re:Translating Roman Numerals... srsly??? by MightyYar · · Score: 5, Funny

      If you ask me, this site has been going downhill ever since they dropped Latin and started posting in English.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    2. Re:Translating Roman Numerals... srsly??? by MadChicken · · Score: 5, Funny

      They would have kept one numbering system for the whole article, but "Zero-day" would have been really tough.

      --
      SYS 64738 NO CARRIER
    3. Re:Translating Roman Numerals... srsly??? by guruevi · · Score: 3, Informative

      Adobe themselves do it. They have Acrobat X/XI on the marketing side, but installation and licensing call it Acrobat 10/11.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    4. Re:Translating Roman Numerals... srsly??? by FatdogHaiku · · Score: 4, Funny

      O tempora, o mores!

      --
      You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
  2. not yet been able to verify the zero-day claims by fustakrakich · · Score: 5, Funny

    They can if they cough up 50 grand for a copy. By the way, is anybody getting sued for uploading a free torrent?

    --
    “He’s not deformed, he’s just drunk!”
    1. Re:not yet been able to verify the zero-day claims by Terrasque · · Score: 2

      In that case, I also have one of those thingymajigs, and I'll sell it for only 48 grand! I'll even throw in a small bridge in the bargain, for free!

      --
      It's The Golden Rule: "He who has the gold makes the rules."
  3. Can't verify. by Anonymous Coward · · Score: 5, Funny

    Sorry, we cannot verify this zero-day exploit, the computer we tested it on isn't working right for some reason.

  4. This is Actually an Interesting Trend... by InvisibleClergy · · Score: 5, Insightful

    If I remember correctly, Flame was first identified by Kaspersky, a Russian company. In this age wherein the US Government has a cyber-warfare division, it seems as though a large amount of the interesting, practical work in Computer Security is moving to Russia.

    1. Re:This is Actually an Interesting Trend... by Anonymous Coward · · Score: 4, Insightful

      Well since most of the interesting, practical work in Computer Insecurity is there as well, it makes sense.

    2. Re:This is Actually an Interesting Trend... by h0oam1 · · Score: 2

      Maybe the US cyber-warfare division CREATED flame, stuxnet, etc. That would probably make it undesirable to be the one to first 'identify' it.

  5. What is broken? the reader or the specs? by 140Mandak262Jamuna · · Score: 5, Insightful

    Adobe PDF and Flash are now the two most serious vectors for malware. Most of us have switched to Foxit Reader. But I learnt that some of the security holes are actually in the PDF spec itself, and whatever $reader you are using, if it is faithful to the spec, the vulnerability will exist. In this case, is it the reader or the spec that is broken?

    High time people stop using the Adobe PDF reader, and disable the "active hyperlinks" in it if it can't be fully uninstalled. Just in case some malware manages to trick the browser into using the installed Adobe Reader, overriding the preference for Foxit Reader.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:What is broken? the reader or the specs? by Derek+Pomery · · Score: 2

      Foxit has its vulnerabilities too, although it helps that it isn't as commonly used.

      While I do resort to Evince and if absolutely necessary, Adobe (usually just for some work form PDF), I've found that most of the time I can get by with the new PDF.js functionality in Firefox.

      http://hackademix.net/2011/12/07/hulk-want-pdfjs/
      https://github.com/mozilla/pdf.js/

      PDF.js plays nice w/ NoScript these days btw. It used to require whitelisting the site (ugh).

      --
      -- perl -e'print pack"H*","6e656d6f406d38792e6f7267"' /. ate my old sig. Bastards.
    2. Re:What is broken? the reader or the specs? by dkf · · Score: 2

      Adobe Reader and Flash were previously the largest attack vectors... Java is by far #1 and has been for the last few years. Since Sun/Oracle states "Java Runs on 3 Billion Devices" and a large chunk of those devices will never or rarely see a patch, it has been a HUGE painted target lately.

      Virtually all of those attacks are aimed at the code that integrates a Java runtime with a browser, as that's an extremely exposed part of the ecosystem. The plain old JRE is nowhere near as easy to attack (unless someone's running a moronic program, of course, but you can do that in any programming language except for ones you wouldn't use for anything serious at all) as it simply doesn't normally listen to the outside world. Other routes for doing Java things from a browser also tend to give me the willies (e.g., JNLP) but it's not really the "Java" that is the problem so much as the "run code where you can't be sure where it's from" and the alternatives aren't necessarily better.

      The truly hard part of security is that it is too often antagonistic to utility, and users will virtually always pick utility over security.

      --
      "Little does he know, but there is no 'I' in 'Idiot'!"
  6. but wait, it gets worse by slashmydots · · Score: 5, Insightful

    In the new 11 version, you can no longer turn off the "view PDF in web browser" that basically frames it within your browser like a page without you ever approving it. So any rigged PDFs get loaded automatically. You used to be able to turn it off and only open PDFs via a file download prompt if a page is trying to serve one up.

    1. Re:but wait, it gets worse by Billly+Gates · · Score: 2

      It gets worse than that my friend. Reader X supports unsigned and unsandboxed flash embedded!

      So your browser will simply run it and run whatever code comes from an infected ad server, without your AV software even being able to detect or stop it before it's too late.

      Someone needs to be fired over that. Oh wait Adobe outsourced the team to India. What could possibly go wrong??

      Get Foxit

  7. Re:Foxit people! by Anonymous Coward · · Score: 2, Informative

    I don't get why people only go half the way from Acrobat to Foxit. Sumatra is Open Source, small, fast and so far hasn't failed me for any PDFs I've tried (admittedly none were of the stupid JavaScript online validating form crap variety).

    Every IT pro should know about Sumatra.

  8. Re:Foxit people! by Emetophobe · · Score: 2

    You can change the yellow background using the -bg-color command line argument. For example: "C:\Program Files (x86)\SumatraPDF\SumatraPDF.exe" -bg-color 0x444444

    It's described in the manual here.