Ars Technica reports that Adobe Reader is hit by a new exploit that manages to pierce the software's security sandbox. The site mentions that the exploit is available in underground forums for as much as $50,000, that it affects both Reader X and Reader XI, and that it is already incorporated into a custom version of the Blackhole Exploit Kit.
Adobe says it's aware of the threat. The company reached out to Moscow-based forensics firm Group-IB to find out more about the exploit because, without additional details, there's nothing Adobe can do beyond continuing to monitor the threat landscape.
The vulnerability affects both Reader X and its recently introduced successor, Reader XI. It's already incorporated into a custom version of the Blackhole Exploit Kit, according to Krebs. The reporter wrote that the developer behind Blackhole said he is hoping to add the exploit to the main version of the kit soon. Criminal hackers fold Blackhole into already hacked websites to give them the ability to exploit a wide variety of vulnerabilities when end users visit the sites.
In an e-mail to Ars, an Adobe spokeswoman wrote: "We saw the announcement from Group IB, but we haven't seen or received any details. Adobe [Product Security Incident Response Team] has reached out to Group-IB, but we have not yet heard back. Without additional details, there is nothing we can do, unfortunately—beyond continuing to monitor the threat landscape and working with our partners in the security community, as always."