Back in November 2012, Group IB claimed to have found a zero-day vulnerability that affected Adobe Reader X/XI. Adobe has addressed some security holes, but it’s uncertain if they’re related because the company has never received a detailed proof-of-concept.At the time, Group IB said the zero-day – which was sold on the underground markets for prices between $30,000 (€23,000) and $50,000 (€39,000) – could be used to bypass the sandbox and execute arbitrary code.
They’ve promised to provide Adobe with more details, but so far, they haven’t.
According to Threat Post, Adobe attempted to determine the root cause of the vulnerability, but since it didn’t have all the details, the task wasn’t easy.
Initially, the company believed that it might have been related to a process termination, the LogTransport2 utility, a validation error, or possibly registry-related.
However, after some time, Group-IB provided them with the video published by independent researcher Kris Kaspersky. The security firm told them that the flaw was caused by malformed data.
In addition, Kaspersky referenced a Metaspoilt module and explained that it was a use-after-free issue that affected only Windows XP.
Adobe went with the race condition theory and addressed a bug it had found, but without the proof-of-concept, they couldn’t be certain if it was the right one.
“We still don’t know whether the bug we fixed is the same race condition Kris Kasperski was talking about. All we got in the end was the name of the Metasploit module, and this module cannot be used in isolation to bypass the sandbox. We don’t know if a second bug is being used because the vulnerability has not been shared,” said David Lenoe, Adobe PSIRT group manager.
On one hand, it’s a good thing that Adobe was forced to dig deeper into the sandbox. On the other hand, without the complete details, there’s a chance that the vulnerability presented in the video still remains unaddressed.