Some of you have undoubtedly heard the big news in the exploit world this week. There is a new Adobe Reader/Acrobat exploit in the wild that bypasses ASLR (Address Space Layout Randomization), DEP (Data Execution Prevention), and, most importantly, the sandbox (“Protected Mode”) that was introduced in Adobe Reader X. Adobe confirmed the critical-rated vulnerabilities as CVE-2013-0640 and CVE-2013-0641 on Wednesday night, February 13, 2013. The vulnerabilities apply to versions 11.0.01 and earlier (XI), 10.1.5 and earlier (X), and 9.5.3 and earlier (9). There is no fix available as of the time of this writing.
The exploit does not defeat the “Protected View” feature that was introduced in Adobe Reader XI. However, it does not need to, because Protected View is disabled by default. All Adobe Reader users are strongly encouraged to enable Protected View as described in the Adobe link below. As one would expect, the exploit uses ROP (Return Oriented Programming) to get around the standard defenses, and it employs several anti-analysis mechanisms such as TLS (Thread Local Storage) callbacks and fake Export Table entries.
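Added example, not part of the original post or of FireEye's write-up: a defender-side check for one of the anti-analysis mechanisms mentioned above. TLS callbacks run before a PE image's entry point, so an analyst who only breaks on the entry point can miss code hidden there; this parser walks a PE32 image's TLS directory and lists the callbacks it registers. The sample image is constructed inline with an assumed minimal layout and is not the real exploit's payload.

```python
import struct

IMAGE_DIRECTORY_ENTRY_TLS = 9  # index of the TLS entry in the optional header's data directories

def _rva_to_offset(sections, rva):
    """Map an RVA to a file offset via the section table (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)."""
    for vsize, va, raw_size, raw_ptr in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is outside every section" % rva)

def tls_callbacks(pe):
    """Return the TLS callback addresses (VAs) a PE32 image registers; [] if it has none."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff, opt = e_lfanew + 4, e_lfanew + 24               # IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER32
    nsect, opt_size = struct.unpack_from("<H", pe, coff + 2)[0], struct.unpack_from("<H", pe, coff + 16)[0]
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 images are handled here")
    image_base, ndirs = struct.unpack_from("<I", pe, opt + 28)[0], struct.unpack_from("<I", pe, opt + 92)[0]
    tls_rva = struct.unpack_from("<I", pe, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_TLS)[0] if ndirs > IMAGE_DIRECTORY_ENTRY_TLS else 0
    if tls_rva == 0:
        return []                                         # no TLS directory at all
    sections = [struct.unpack_from("<IIII", pe, opt + opt_size + 40 * i + 8) for i in range(nsect)]
    callbacks_va = struct.unpack_from("<I", pe, _rva_to_offset(sections, tls_rva) + 12)[0]  # AddressOfCallBacks
    if callbacks_va == 0:
        return []
    off, found = _rva_to_offset(sections, callbacks_va - image_base), []
    while struct.unpack_from("<I", pe, off)[0] != 0:      # the array is null-terminated
        found.append(struct.unpack_from("<I", pe, off)[0])
        off += 4
    return found

def build_sample_pe(callbacks, base=0x400000):
    """Constructed sample: a minimal, non-runnable PE32 image whose TLS directory registers `callbacks`."""
    sect_rva, sect_raw = 0x1000, 0x200
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                          # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)  # i386, one section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                                      # PE32 magic
    struct.pack_into("<I", opt, 28, base)                                      # ImageBase
    struct.pack_into("<I", opt, 92, 16)                                        # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_TLS, sect_rva, 24)  # TLS directory RVA/size
    sect = b".rdata".ljust(8, b"\0") + struct.pack("<IIII", 0x200, sect_rva, 0x200, sect_raw) + b"\0" * 16
    data = bytearray(sect_raw)                                                 # section body
    struct.pack_into("<IIII", data, 0, 0, 0, 0, base + sect_rva + 0x20)        # ... AddressOfCallBacks
    struct.pack_into("<%dI" % (len(callbacks) + 1), data, 0x20, *callbacks, 0)  # null-terminated callback array
    return (dos + coff + bytes(opt) + sect).ljust(sect_raw, b"\0") + bytes(data)
```

Running `tls_callbacks` over a dropped binary that reports callbacks outside the code section, or any callbacks in a file that claims not to use TLS, is a cheap triage signal worth a closer look.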
This news is particularly important because no confirmed Adobe sandbox bypass had ever been published, until now. Some readers may note that “Group IB” (a group based out of Russia) claimed to have a sandbox escape in November 2012, when they posted a tantalizing video of Adobe Reader XI being exploited: http://www.youtube.com/watch?v=uGF8VDBkK0M. However, that particular end-to-end exploit looks more like vaporware with every month that passes without independent confirmation.
Adobe CVE Report:
FireEye has published a partial technical description of some of the shellcode from the in-the-wild exploit. FireEye has withheld full details for now at Adobe’s request.
UPDATE: Adobe has released a patch for CVE-2013-0640 and CVE-2013-0641 as of Wednesday, February 20, 2013. You can find the security bulletin here: http://www.adobe.com/support/security/bulletins/apsb13-07.html.