Group-IB US: Zero-day vulnerability found in Adobe X



NEW YORK - There is a new vulnerability in Adobe X which helps to execute its own shellcode with the help of malformed PDF documents with specially crafted forms.

The vulnerability is also included in a new modified version of the "Blackhole Exploit-Kit", which is used for distributing the banking Trojans (Zeus, Spyeye, Carberp, Citadel) with the help of exploitation of different vulnerabilities in client-side software.

Andrey Komarov, the Head of International Projects Department of Group-IB: "The vulnerability has some limitations, for example it could be successfully exploited only after the user closes the browser and restarts it. Another variant is to organize interaction between the victim and the malformed PDF document. Either way, the vulnerability has a very significant vector to be spread with bypassing of the internal Adobe X sandbox, which is appealing for cybercrime gangs because in the past there was no documented method of how to bypass it with shellcode execution."

The end price on this vulnerability on the black market is approximately 30 000 - 50 000 USD. For now this flaw is distributed only in small circles of the underground but it has the potential for much larger post-exploitation methods.

Dan Clements, Managing Partner of Group-IB US: "As more and more of these unpatchable zero day threats pop up in application software and operating systems, it provides bot authors more opportunities to design more creative methods to get their malware loaded into a victim's computer."

The POC of the zero-flaw found in Adobe X was published on YouTube by Group-IB US threat intelligence team:

About Group-IB

Group-IB is the first company in Russia and the former Soviet Union working professionally and comprehensively in cybercrime investigation, information security breaches, and computer forensics. As part of the company, a computer forensics lab provides independent computer forensic investigations, including for Russian law enforcement agencies. Created on the basis of Group-IB, CERT-GIB operates as the first private computer emergency response team in Russia. Group-IB is part of LETA Group.

http://www.group-ib....ound-in-adobe-x
