A Critical Bug in Acrobat Reader 11 Windows Sandbox Unearthed

Windows users should update to the latest version of Acrobat Reader, or risk falling prey to a security hole in the Acrobat Reader 11 Windows sandbox that could be exploited to gain higher privileges on compromised systems, according to reports from Google’s Project Zero initiative.

A critical security hole in Adobe’s Acrobat 11 Windows sandbox could be exploited by malicious hackers to gain administrative rights on a compromised system, according to the latest reports from Google’s Project Zero researchers. “The Acrobat Reader Windows sandbox is vulnerable to NTFS junction attack to write an arbitrary file to the file system under user permissions. This could be used to break out of the sandbox leading to execution at higher privileges,” read Google’s security advisory.

James Forshaw, the security researcher who discovered the vulnerability, described the flaw as a race condition in the handling of the MoveFileEx call hook in Acrobat 11, allowing a malicious hacker to circumvent the sandbox protection mechanism and write malicious code through an NTFS junction attack.

“While the function resolves the location of the source and destination and ensures they are within the policy, there is a timing race once the function calls into the MoveFileEx function in the broker. This race can be won by the sandboxed process by using an OPLOCK to wait for the point where the MoveFileEx function opens the original file for the move. This allows code in the sandbox to write an arbitrary file to the file system,” wrote Forshaw.

The security flaw in Acrobat 11 is similar to an earlier vulnerability involving NtSetInformationFile, but it differs in that it exploits a Time of Check Time of Use (TOCTOU) race rather than a bug in the processing of the file path. The race is possible because the broker, not the sandboxed process, opens the file.

“While this is similar to the previous reported issue with NtSetInformationFile, it’s different in that it doesn’t rely on the bug in the processing of the file path, instead exploits a TOCTOU race. It’s only possible in this case to race as it’s the broker which opens the file rather than the sandboxed process,” writes Forshaw. “It would probably be recommended to ensure that you cannot create junctions ever, although this isn’t trivial in all cases where you are passing back raw handles to the callee.”
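The check-then-use pattern Forshaw describes, and the handle-based alternative, shown as an added example that is not Adobe's or Project Zero's code. It is a POSIX analogue in Python: a symbolic link stands in for the NTFS junction, all function names are hypothetical, and the `before_use` callback is an assumption that lets the race window be reproduced deterministically in a test.

```python
import os, tempfile

DIR_FLAGS = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW

def move_check_then_use(root, src_rel, dst_rel, before_use=lambda: None):
    """Flawed broker: validates the path strings, then rename() walks them again."""
    base = os.path.realpath(root)
    src, dst = os.path.join(base, src_rel), os.path.join(base, dst_rel)
    if any(os.path.commonpath([base, os.path.realpath(p)]) != base for p in (src, dst)):
        raise PermissionError("outside policy")
    before_use()  # time of check ends here; the tree can change before the use
    os.rename(src, dst)

def _open_beneath(root_fd, rel_dir):
    """Open rel_dir under root_fd one component at a time, refusing links and '..'."""
    fd = os.dup(root_fd)
    for part in filter(None, rel_dir.split("/")):
        try:
            if part in (".", ".."):
                raise PermissionError("outside policy")
            nxt = os.open(part, DIR_FLAGS, dir_fd=fd)  # fails if part is a link
        finally:
            os.close(fd)
        fd = nxt
    return fd

def move_pinned(root, src_rel, dst_rel, before_use=lambda: None):
    """Hardened broker: pin both parent directories as handles, move relative to them."""
    fds = [os.open(root, os.O_RDONLY | os.O_DIRECTORY)]
    try:
        fds.append(_open_beneath(fds[0], os.path.dirname(src_rel)))
        fds.append(_open_beneath(fds[0], os.path.dirname(dst_rel)))
        before_use()  # same window, but a held handle cannot be redirected
        os.rename(os.path.basename(src_rel), os.path.basename(dst_rel),
                  src_dir_fd=fds[1], dst_dir_fd=fds[2])
    finally:
        for fd in fds:
            os.close(fd)

def lands_outside(move):
    """Constructed tree: True if the moved file ends up outside the allowed root."""
    root, outside = tempfile.mkdtemp(), tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "out"))
    open(os.path.join(root, "in.txt"), "w").close()
    def swap():  # models the directory being replaced by a link mid-call
        os.rename(os.path.join(root, "out"), os.path.join(root, "out.old"))
        os.symlink(outside, os.path.join(root, "out"))
    move(root, "in.txt", "out/moved.txt", before_use=swap)
    return os.path.exists(os.path.join(outside, "moved.txt"))
```

With the path-checking broker the file follows the link out of the allowed root; with the pinned handles it stays in the directory that was validated, and a link already in place makes the open fail.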

Project Zero is an initiative by Google aimed at cleaning up zero-day vulnerabilities in third-party software. The project plays a crucial role in reducing zero-day attacks worldwide. Normally, discovered bugs are announced to the public after the expiry of a 90-day disclosure period, to give the manufacturer time to release a patch. In this case, Adobe released the fix before the end of the 90-day disclosure period on Nov 26.


Lawrence Mwangi is a technology and business reporter. He has freelanced for a number of tech sites and magazines. He is a web enthusiast, with a special interest in online security, entrepreneurship and innovation. When not writing about tech he can be found on a tennis court or at a chess board.
