HITBSecConf2017 Amsterdam (April 10th - 14th)
Register Online Now!
Adobe says Reader flaw can't be patched since security researchers who found it aren't cooperating
Earlier this month, we wrote about an alleged Adobe Reader 0-day security hole discovered by Group IB security researchers that allows an attacker to jump out of the sandbox and execute shellcode with the help of malformed PDF documents. At the time, the code was apparently already selling on the black market for “approximately 30 000 – 50 000 USD.” Adobe told us it was investigating, and the story hasn’t moved forward since, until now.
While doing my usual security scavenging on the Web, I stumbled upon this video, which shows two researchers successfully getting out of Adobe Reader’s sandbox (introduced in version 10, and of course still present in the latest version 11):