Adobe Systems is investigating claims of a new zero-day exploit of its Reader software and browser plug-in. The exploit, which could let criminals remotely seize control of victims' machines, is already for sale for $50,000 in underground hacker marketplaces.
The exploit affects Windows machines running Adobe Reader versions 10 and 11, said the Russian security firm Group-IB, which publicized the vulnerability.
Andrey Komarov, head of international projects for the Moscow security company, said hackers were using the attack to sidestep Adobe Reader's sandboxing feature, a security measure that isolates an application from the rest of the operating system.
Group-IB said it has only seen the attack work on Windows machines and said the exploit was contingent upon victims closing the Reader or browser window.
While it works in Microsoft Internet Explorer and Mozilla Firefox, the exploit does not seem to work in Google's Chrome browser, which has its own set of safeguards.
Group-IB said the exploit is only being distributed in "small circles of the underground."
However, Group-IB also said the exploit had been added to a customized version of the Blackhole exploit kit, a widely distributed set of browser exploits commonly found for sale in online black markets.
According to security blogger Brian Krebs, Blackhole is "by far the most prevalent exploit in use today."
The author of the Blackhole exploit kit confirmed to Krebs that an Adobe Reader exploit was "being sold in closed circles" and that he planned to add it to the main Blackhole code.
Responding to a query from the tech blog Ars Technica, Adobe said it was aware of the problem.
"We saw the announcement from Group IB, but we haven't seen or received any details," Adobe said. "Adobe [Product Security Incident Response Team] has reached out to Group-IB, but we have not yet heard back. Without additional details, there is nothing we can do, unfortunately-beyond continuing to monitor the threat landscape and working with our partners in the security community, as always."
Komarov told Computerworld that he had indeed shared details of the vulnerability with Adobe.
Most browsers use of Adobe plug-ins such as Reader to display PDFs and Flash Player to handle streaming video. Because the company's technology is so ubiquitous, any Adobe security problem has implications for hundreds of millions of computer users.
As Computerworld noted, Adobe has put off fixing known security vulnerabilities, touting its sandboxing feature as a sufficient defense. The ability for hackers to bypass that, however, may force Adobe to make a quick fix.
Adobe Reader came under attack near the end of last year when criminals took advantage of a flaw that caused systems to crash and gave them remote control. The company was criticized for not fixing the flaw fast enough.