Currently, the exploit is sold only in closed circles on the black market

Nov 8, 2012 07:55 GMT  ·  By

Experts from cybercrime investigation company Group-IB have discovered that a zero-day vulnerability which affects Adobe Reader X and Adobe Reader XI is being sold on the black market for prices between $30,000 (€23,000) and $50,000 (€39,000).

According to researchers, the security hole – which has been integrated into a new modified version of the BlackHole exploit kit – allows attackers to execute their malicious commands by relying on specially crafted PDF documents.

Andrey Komarov, the head of international projects department of Group-IB, says that this bug is dangerous because it permits cybercriminals to run arbitrary shellcode by bypassing the sandbox feature integrated into the more recent versions of Adobe Reader.

“The vulnerability has some limitations, for example it could be successfully exploited only after the user will close the browser and restart it. Another variant is to organize interaction between the victim and the malformed PDF-document,” Komarov said.

“Either way, the vulnerability is has very significant vector to be spread with bypassing of internal Adobe X sandbox, which is appealing for cybercrime gangs because in the past there was no documented method of how to bypass it with shellcode execution.”

Adobe representatives told Brian Krebs that they were not aware of the issue. They stated that they would reach out to Group IB to obtain additional details, but in the meantime, there was not much they could do about it, except for monitoring the threat landscape.

The author of the BlackHole exploit kit told Krebs that he was aware of the existence of the zero-day currently sold only in “small circles.” The developer claims that his kit doesn’t include the exploit yet, but he hopes to include it soon.

Group IB has published a proof-of-concept (POC) video on YouTube to demonstrate the existence of the zero-day: