Criminals have gained access to a newly discovered flaw in Adobe’s Reader X program that can beat its sandboxing security isolation technology, Russian security firm Group-IB has claimed.
According to brief details posted on the company’s site, the zero-day vulnerability is now circulating in new versions of the notorious Blackhole Exploit Kit, the most significant distribution system for a host of malware types, including bank Trojans such as SypeEye and Zeus.
The fact that even patched versions of Reader X will be vulnerable to the flaw explains the reported price paid for knowledge of its workings, said to $30,000 to $50,000.
“For now this flaw is distributed only in only small circles of the underground but it has the potential for much larger post-exploitation methods,” noted Andrey Komarov of the Russian firm.
First released in 2010, Reader X’s sandbox was designed to tighten up the woeful security that had afflicted the program until that point. It has largely succeeded, so much so that the sandboxing has been extended to programs such as Flash Player.
What isn’t clear is whether the sandbox vulnerability includes even recently-enhanced versions of the technology.
Adobe's Product Security Incident Response Team (PSIRT) has yet to respond to the flaw report.