Acrobat Reader Proper or Chrome's PDF reader?
Does anyone install acrobat anymore?
The Acrobat Reader Windows sandbox contains a vulnerability that could allow attackers to break out and gain higher privileges, Google security bod James Forshaw claims. The NTFS junction attack is a "race condition" in the handling of the MoveFileEx call hook, Forshaw said. While unpatched, subsequent September updates made …
The full-up application? Yes, it has some unique uses. However, neither it nor its red-headed step-child are ever allowed to be the default. Swatting instances of Reader crawling in as part of another install is actually more work than worthwhile, but they don't deserve any respect.
If you look at the instructions for the POC, it's evident that this sandbox escape requires one to have another exploit to provide execution of arbitrary code in the sandbox context. The POC doesn't bother and inserts sandbox escape code directly into a sandbox process with the WriteProcessMemory system call from an .EXE run manually on the local system.
Even then all it does is allow one to write a file within a non-system privilege context, presumably a .EXE or .DLL. Further effort is required to construct a file that will be executed somehow--and the exploit does not provide the registry access required to make that easy.
So if you are a state-sponsored baddie with a huge bag of tricks and lots of time and money, sure, this is a useful item. If you're a Russian spam or bank-trojan gangster, your time is better spent thinking up clever phishing gimmicks to ensnare the stupidest 1% (or even 10%--it is truly amazing what people will click on).
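The comment above describes the escape as a junction-based redirection of a file write that the sandbox broker's MoveFileEx hook fails to catch. The script below is an added example, written for this page and not taken from the article, from Forshaw's PoC or from the commenter: it walks a directory tree a sandboxed process can write to, lists every NTFS junction and symbolic link, and flags those whose target resolves outside a trusted root. The function name, the default paths ($env:TEMP and $env:USERPROFILE) and the "trusted root" rule are assumptions chosen for illustration; it is a hygiene check, not a reproduction of the exploit.

```powershell
# Added example (not from the article or the commenter). Enumerates NTFS
# reparse points under a tree and reports those whose target escapes a
# trusted root. Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows.
function Find-EscapingReparsePoint {
    param(
        [Parameter(Mandatory)] [string]$Root,        # tree to scan
        [Parameter(Mandatory)] [string]$TrustedRoot  # link targets must stay under here
    )
    $trusted = [System.IO.Path]::GetFullPath($TrustedRoot).TrimEnd('\') + '\'

    Get-ChildItem -LiteralPath $Root -Recurse -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
        Where-Object { $_.LinkType -in 'Junction', 'SymbolicLink' } |
        ForEach-Object {
            $item = $_
            # .Target is a string[] on PS 5.1 and a string on PS 7; normalise to an array
            foreach ($t in @($item.Target)) {
                if (-not $t) { continue }
                # Raw substitute names may carry the \??\ or \\?\ prefix; strip it
                $clean = $t -replace '^\\\?\?\\', '' -replace '^\\\\\?\\', ''
                # Relative symlink targets resolve against the link's own directory
                if (-not [System.IO.Path]::IsPathRooted($clean)) {
                    $clean = Join-Path (Split-Path -LiteralPath $item.FullName -Parent) $clean
                }
                $resolved = [System.IO.Path]::GetFullPath($clean)
                [pscustomobject]@{
                    Link    = $item.FullName
                    Type    = $item.LinkType
                    Target  = $resolved
                    Escapes = -not $resolved.StartsWith($trusted, [System.StringComparison]::OrdinalIgnoreCase)
                }
            }
        }
}

# Hypothetical usage: nothing under the user's temp directory should redirect
# outside the user profile.
Find-EscapingReparsePoint -Root $env:TEMP -TrustedRoot $env:USERPROFILE |
    Where-Object Escapes |
    Format-Table -AutoSize
```

Note the caveat the commenter's "race condition" wording implies: this scan is a point-in-time check on paths, and a junction planted between the check and the broker's file operation would not be caught by it. Closing the race is the broker's job, by validating the object it actually opened (the handle, not the path string) rather than re-checking a path that the sandboxed process can change underneath it.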
Biting the hand that feeds IT © 1998–2020