Adobe Reader sandbox popped says Google researcher

Yet another reason to not use Adobe products

There, fixed that for you.

Warning: mildly sexist content

Its legendary number of vulnerabilities and incessant stream of patches has even passed into popular speak as a simile for a difficult female partner: "she was more high-maintenance than Acrobat Reader".

I want my reader to read

It's in the name

by itself, not exciting

If you look at the instructions for the POC, it's evident that this sandbox escape requires one to have another exploit to provide execution of arbitrary code in the sandbox context. The POC doesn't bother and inserts sandbox escape code directly into a sandbox process with the WriteProcessMemory system call from an .EXE run manually on the local system.

Even then all it does is allow one to write a file within a non-system privilege context, presumably a .EXE or .DLL. Further effort is required to construct a file that will be executed somehow--and the exploit does not provide the registry access required to make that easy.

Anyone with a shred of common sense will have Reader configured with JavaScript disabled (who in their right mind wants dancing text and graphics anyway?), the "Enable Enhanced Security" box checked, and "Legacy/Trust Manager" set to distrust everything--good luck getting arbitrary code execution.

So if you are a state-sponsored baddie with a huge bag of tricks and lots of time and money, sure this is a useful item. If you're a Russian spam or bank-trojan gangster your time is better spent thinking up clever phishing gimmicks to ensnare the stupidest 1% (or even 10%--is truly amazing what people will click on).