back to article Adobe Reader sandbox popped says Google researcher

The Acrobat Reader Windows sandbox contains a vulnerability that could allow attackers to break out and gain higher privileges, Google security bod James Forshaw claims. The NTFS junction attack is a "race condition" in the handling of the MoveFileEx call hook Forshaw said. While unpatched, subsequent September updates made …

  1. P. Lee

    Acrobat Reader Proper or Chrome's PDF reader?

    Does anyone install acrobat anymore?

    1. Anonymous Coward
      Anonymous Coward

      Re: Acrobat Reader Proper or Chrome's PDF reader?

      The full up application? Yes, it has some unique uses. However, neither it nor its red-headed step-child, are ever allowed to be the default. Swatting instances of reader crawling in as part of another install is actually more work than worthwhile, but the don't deserve any respect.

  2. Anonymous Coward
    Anonymous Coward

    Yet another reason to not use Adobe products

    There, fixed that for you.

    1. Anonymous Coward
      Anonymous Coward

      Just the most popular therefore bigger target.

  3. Anonymous Coward
    Anonymous Coward

    Warning: mildly sexist content

    Its legendary number of vulnerabilities and incessant stream of patches has even passed into popular speak as a simile for a difficult female partner: "she was more high-maintenance than Acrobat Reader".

  4. Al_21

    I want my reader to read

    It's in the name

  5. Anonymous Coward
    Anonymous Coward

    by itself, not exciting

    If you look at the instructions for the POC, it's evident that this sandbox escape requires one to have another exploit to provide execution of arbitrary code in the sandbox context. The POC doesn't bother and inserts sandbox escape code directly into a sandbox process with the WriteProcessMemory system call from an .EXE run manually on the local system.

    Even then all it does is allow one to write a file within a non-system privilege context, presumably a .EXE or .DLL. Further effort is required to construct a file that will be executed somehow--and the exploit does not provide the registry access required to make that easy.

    Anyone with a shred of common sense will have Reader configured with JavaScript disabled (who in their right mind wants dancing text and graphics anyway?), the "Enable Enhanced Security" box checked, and "Legacy/Trust Manager" set to distrust everything--good luck getting arbitrary code execution.

    So if you are a state-sponsored baddie with a huge bag of tricks and lots of time and money, sure this is a useful item. If you're a Russian spam or bank-trojan gangster your time is better spent thinking up clever phishing gimmicks to ensnare the stupidest 1% (or even 10%--is truly amazing what people will click on).

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like