Security Software

$50,000 Zero-Day Exploit Evades Adobe's Sandbox, Say Russian Analysts

tsu doh nimh writes with this excerpt from Krebs on Security: "Software vendor Adobe says it is investigating claims that instructions for exploiting a previously unknown critical security hole in the latest versions of its widely-used PDF Reader software are being sold in the cybercriminal underground. The finding comes from malware analysts at Moscow-based forensics firm Group-IB, who say they've discovered that a new exploit capable of compromising the security of computers running Adobe X and XI (Adobe Reader 10 and 11) is being sold in the underground for up to $50,000. This is significant because — beginning with Reader X — Adobe introduced a 'sandbox' feature aimed at blocking the exploitation of previously unidentified security holes in its software, and until now that protection has held its ground. Adobe, meanwhile, says it has not yet been able to verify the zero-day claims."
  • by Anonymous Coward

    Has the average IQ of /. readers dropped so low recently that it became necessary to translate Roman numerals??

  • by fustakrakich ( 1673220 ) on Thursday November 08, 2012 @09:36AM (#41918119) Journal

    They can if they cough up 50 grand for a copy. By the way, is anybody getting sued for uploading a free torrent?

    • by Anonymous Coward

      these are folks that will break a kneecap instead of a lawsuit. That may be more effective.

    • In that case, I also have one of those thingymajigs, and I'll sell it for only 48 grand! I'll even throw in a small bridge in the bargain, for free!

    • by ifrag ( 984323 )
      Those purchasing it (assuming that anyone actually has) are probably interested in getting some use out of it. Anyone looking to preserve value in their investment will want as few eyes looking at this as possible.
  • by Anonymous Coward on Thursday November 08, 2012 @09:36AM (#41918121)

    Sorry, we cannot verify this zero-day exploit, the computer we tested it on isn't working right for some reason.

  • by InvisibleClergy ( 1430277 ) on Thursday November 08, 2012 @09:44AM (#41918219)

    If I remember correctly, Flame was first identified by Kaspersky, a Russian company. In this age wherein the US Government has a cyber-warfare division, it seems as though a large amount of the interesting, practical work in Computer Security is moving to Russia.

    • by Anonymous Coward on Thursday November 08, 2012 @09:51AM (#41918299)

      Well since most of the interesting, practical work in Computer Insecurity is there as well, it makes sense.

      • by Anonymous Coward

        Most interesting, practical work in Computer Insecurity... Do you mean Stuxnet, Flame, Duqu?

    • by h0oam1 ( 533917 )
      Maybe the US cyber-warfare division CREATED flame, stuxnet, etc. That would probably make it undesirable to be the one to first 'identify' it.
      • Yes, that's what I was implying. This also means it is important to have American antivirus companies around too, because there is a lot of cybercrime in Russia.

      • by EdIII ( 1114411 )

        Soooo... we are operating on the principle of "He who smelt it, dealt it" in foreign policy now?

  • by 140Mandak262Jamuna ( 970587 ) on Thursday November 08, 2012 @09:54AM (#41918335) Journal
    Adobe PDF and Flash are now the two most serious vectors for malware. Most of us have switched to foxit reader. But I learnt that some of the security holes are actually in the pdf spec itself, and whatever $reader you are using, if it is faithful to the specs, the vulnerability will exist. In this case, is it the reader or the specs that is broken?

    High time people stop using the Adobe pdf reader, and disable the "active hyperlinks" in it if it can't be fully uninstalled. Just in case some malware manages to trick the browser into using the installed adobe reader overriding the preference to foxit reader.

    • Foxit has its vulnerabilities too, although it helps that it isn't as commonly used.

      While I do resort to Evince and if absolutely necessary, Adobe (usually just for some work form PDF), I've found that most of the time I can get by with the new PDF.js functionality in Firefox.

      http://hackademix.net/2011/12/07/hulk-want-pdfjs/ [hackademix.net]
      https://github.com/mozilla/pdf.js/ [github.com]

      PDF.js plays nice w/ NoScript these days btw. It used to require whitelisting the site (ugh).

    • by iMouse ( 963104 )

      Adobe Reader and Flash were previously the largest attack vectors...Java is by far #1 and has been for the last few years. Since Sun/Oracle states "Java Runs on 3 Billion Devices" and that a large chunk of those devices will never or rarely see a patch, it has been a HUGE painted target lately.

      • by dkf ( 304284 )

        Adobe Reader and Flash were previously the largest attack vectors...Java is by far #1 and has been for the last few years. Since Sun/Oracle states "Java Runs on 3 Billion Devices" and that a large chunk of those devices will never or rarely see a patch, it has been a HUGE painted target lately.

        Virtually all of those attacks are aimed at the code that integrates a Java runtime with a browser, as that's an extremely exposed part of the ecosystem. The plain old JRE is nowhere near as easy to attack (unless someone's running a moronic program, of course, but you can do that in any programming language except for ones you wouldn't use for anything serious at all) as it simply doesn't normally listen to the outside world. Other routes for doing Java things from a browser also tend to give me the willie

      • When 2.5 billion of those devices are dumb phones, no one cares if they're attacked.

    • I'm also wondering if Mac OS X and Preview are at risks, but as far as I know they're too "basic", i.e. dumb viewer only with no javascript and crap, so I'm guessing they're safer.

    • But I learnt that some of the security holes are actually in the pdf spec itself, and whatever $reader you are using, if it is faithful to the specs, the vulnerability will exist.

      I'd be interested to see more details on this. What part of the spec is broken? It also seems to contradict common experience: the overwhelming majority of exploits are Adobe Reader-only, and don't affect other PDF readers at all. Do these other readers just not follow the spec? Is there something in there ordering that Flash/Ja

  • by slashmydots ( 2189826 ) on Thursday November 08, 2012 @10:08AM (#41918441)
    In the new 11 version, you can no longer turn off the "view PDF in web browser" that basically frames it within your browser like a page without you ever approving it. So any rigged PDFs get loaded automatically. You used to be able to turn it off and only open PDFs via a file download prompt if a page is trying to serve one up.
    • It gets worse than that my friend. Reader X supports unsigned and unsandboxed flash embedded!

      So your browser will simply run it and run whatever code from an infected ad server without even your AV software being able to detect nor stop it before it's too late.

      Someone needs to be fired over that. Oh wait Adobe outsourced the team to India. What could possibly go wrong??

      Get Foxit

  • How does the person paying $50,000 know he'll receive a working exploit and not, say, a .rar of the shareware version of Jill of the Jungle?

  • Adobe products are a security nightmare. It is 8 years behind even IE and XP! Just recently started signing apps? Just added a cutting edge feature called a sandbox a few months ago. Auto updates added just this year?? IE 7 had all of these.

    No wonder hackers exploit this. It is a convenient way to bypass modern browser security that works across all platforms. No longer is it the case that using Firefox and going on familiar websites made you invincible. Just have unupdated flash or reader and BAM instant

    • Re: (Score:2, Informative)

      by Anonymous Coward

      I don't get it why people just go half the way from Acrobat to Foxit. Sumatra is Open Source, small, fast and, so far hasn't failed me for any PDFs I've tried (admittedly none were of the stupid javascript online validating form crap variety).

      Every IT pro should know about Sumatra.

      • I've tried Sumatra. Overall I like it, but I wish there was some way to get rid of the horrid yellow background. (Admittedly, you only see this if you don't have a document open.) Also, I do prefer Adobe Reader's choice of hand, text selector, and marquee zoom to Sumatra's method of only letting you use the hand if you're off the main page. And text rendering isn't quite as good in Sumatra, though that's due to the fact that it doesn't use the hacks that regular Windows text rendering does to look good on l

        • You can change the yellow background using the -bg-color command line argument. For example: "C:\Program Files (x86)\SumatraPDF\SumatraPDF.exe" -bg-color 0x444444

          It's described in the manual here [kowalczyk.info].

          • I have not used Sumatra. I think fighting over between the 2 is silly like fighting over Firefox or Chrome when IE is still at 6.

            I use Foxit because I am used to it. I ditched reader early last year and I needed something compatible with most PDFs and at the time FoxIT had broader compatibility. Yes Foxit does have javascript support which can be a security risk but it will not execute it without your permission first. Also the javascript is sandboxed too and you have to click an option to turn all of it on

  • As one who has used Adobe Reader since 3.0, it really is hard to comprehend why this product continues to advance in complexity. Are there strong numbers of users out there really using the advanced features of Adobe X?
