Back in November, security researchers from Russian security firm Group-IB reported that an exploit for Adobe Reader 10 and 11 was being sold on cyber criminal forums for between $30,000 and $50,000. The exploit's existence was not confirmed by Adobe at the time.
"Before the introduction of the sandbox, Adobe Reader was one of the most targeted third-party applications by cyber criminals," Bogdan Botezatu, a senior e-threat analyst at antivirus vendor BitDefender, said Wednesday via email. "If this is confirmed, the discovery of a hole in the sandbox will be of crucial importance and will definitely become massively exploited by cybercriminals."
Botezatu believes that bypassing the Adobe Reader sandbox is a difficult task, but he expected this to happen at some point because the large number of Adobe Reader installations makes the product an attractive target for cyber criminals. "No matter how much companies invest in testing, they still can't ensure that their applications are bug free when deployed on production machines," he said.
Unfortunately Adobe Reader users don't have many options to protect themselves if a sandbox bypassing exploit actually exists, except for being extremely careful of what files and links they open, Botezatu said. Users should update their installations as soon as a patch becomes available, he said.