Adobe Reader Has a Zero Day Security Issue That is Being Sold on the Web!

$50,000.00 for an exploit that allows an open exploit of your PC via Adobe Reader. Ouch. This is one reason I use Sumatra PDF!

Adobe investigating Reader X security hole allegedly selling on the black market for $50,000

Emil Protalinski of The Next Web, reports: “Just one day after Adobe patched flaws in its Flash Player software for Windows, OS X, Linux, and Android, Group IB security researchers claim to have discovered a 0-day security hole in Adobe Reader X which can execute shellcode with the help of malformed PDF-documents using specially crafted forms. Furthermore, the vulnerability code is already on sale on the black market for ‘approximately 30 000 – 50 000 USD’ although it’s apparently only being distributed in ‘small circles of the underground.’ For its part, Adobe says it is investigating.

Here’s the proof of concept (reportedly limited to Windows):

Andrey Komarov, the Head of International Projects Department of Group-IB, explains that the big deal is because the vulnerability allows you to jump out of the sandbox, which was first introduced in Adobe Reader X:

The vulnerability has some limitations, for example it could be successfully exploited only after the user closes the browser and restarts it. Another variant is to organize interaction between the victim and the malformed PDF-document. Either way, the vulnerability has a very significant vector to be spread with bypassing of the internal Adobe X sandbox, which is appealing for cybercrime gangs because in the past there was no documented method of how to bypass it with shellcode execution.

In other words, on its own it doesn’t amount to much. That being said, if this flaw is chained together with another one, and we all know how problematic Adobe’s products have been in recent years when it comes to security, it won’t be pretty.

In fact, Group IB claims the vulnerability is already included in a new custom version of the Blackhole Exploit Kit, the most popular Web threat tool for distributing various other types of malware with the help of many different types of exploits. The official version, however, doesn’t have it, but it will soon, according to Brian Krebs.

Contacted via instant message, the author of the Black Hole exploit kit said today that he also had confirmed the existence of a private Adobe Reader exploit that was being sold in closed circles. He noted that although his kit currently does not include the exploit, he is hoping to acquire it and add it soon.

The thought of this alone makes me want to recommend that you avoid using Adobe Reader unless you absolutely have to (I personally use Foxit). At the very least, use an alternative until Adobe gets to the bottom of this.

Unfortunately, the company says it was not contacted by Group-IB and thus is unable to verify whether this 0-day exists. An Adobe spokesperson told The Next Web:

We saw the announcement from Group IB, but we haven’t seen or received any details. Adobe PSIRT has reached out to Group-IB. Without additional details, there is nothing we can do, unfortunately, beyond continuing to monitor the threat landscape and working with our partners in the security community, as always.

Now we wait.”

DC Comics Makes a Deal for Digital Distribution

Anthony Ha at TechCrunch has a neat article about DC Comics Deal on Digital Comics. This is the future! No more paper. Kinda makes me nostalgic though!

DC Comics Announces Deals To Sell Digital Comics In Big Three E-Bookstores, Says Digital Sales Have Grown 197%

“DC Comics is announcing the next big step in its digital plans today, saying it will sell monthly comics in the Kindle Store, iBookstore, and Nook Book Store.

The company wasn’t exactly missing from those stores before, because it was already selling graphic novels. However, if you wanted the newest content, delivered on a monthly basis, just as you would find in a comic book store, you had to turn to ComiXology — either the ComiXology app or the official DC app, which the Time Warner-owned publisher created in partnership with ComiXology.

Hank Kanalz, DC’s senior vice president of digital, told me that he wants comics to be available on any platform where readers want to find them. He added that by integrating with the big e-bookstores, DC is allowing fans to ‘watch their movies, read their prose and their comics all in one device, in one library.’

The comics publishers have also been pretty cagey about their digital sales numbers, but DC is releasing a few data points today. It says that for the year to date, digital comic sales are up 197 percent year-over-year. The growth on that front isn’t too surprising, since the company only fully embraced the ‘day-and-date’ model (where comics are released on the same date in both physical and digital stores) in September 2011, tying in with its ‘New 52’ initiative, which saw all of its titles reset to No. 1. At the same time, Kanalz said that growth hasn’t come at the cost of print, where sales grew 12 percent over the same period. (The data points from last year include the launch of the New 52, so the company says it’s even doing well compared to the initial boost from its revamped titles.)

The data seems to back up a claim that Kanalz was making a year ago, that digital sales should expand the audience rather than lure readers away from comic book stores. He also said he’s encountered readers who actually buy both forms — for example if they buy the single issues digitally but want to own a physical copy of the collection, or if they treat their physical copies as collector’s items while actually reading the digital issues.

Kanalz added that digital’s percentage of overall sales varies from title to title, though it’s usually somewhere between 10 and 40 percent. In general, digital sales tend to follow the same patterns as physical ones, so that the top sellers are the same on both sides, he said. There’s also a bump in sales a month later, when DC drops the price by a dollar.

Even though digital sales are growing, Kanalz (a former comics writer himself) said DC’s writers and artists are still focused on print: ‘I still think print rules the roost as far as storytelling goes.’ However, he pointed out that DC is also releasing digital-only comics, which allow the company to be a little more experimental and responsive. Current titles include Arrow (which ties in to the new TV show of the same name) and Legends of the Dark Knight (a Batman comic with a landscape layout that seems perfectly designed for the iPad).”