CIP Cyber

Google releases attack code for serious Adobe Reader bug

Windows users who haven’t updated to the latest version of Acrobat and Adobe Reader probably should do so right now, after a Google security researcher revealed details of a vulnerability affecting the pair, and how to exploit it.


As Adobe noted in its September security update for Acrobat and Reader on Windows, version 11.0.8 of the two programmes was vulnerable to a sandbox bypass that could allow an attacker to run native code with escalated privileges on Windows. US-CERT gave it a severity rating of 10.

The bug was discovered by James Forshaw, a security researcher in Google’s Project Zero initiative. Forshaw has now released further details of the flaw, making it more important for Windows users to update to version 11.0.9 of Acrobat and Reader, since attackers can use the information to devise an attack against the vulnerability. Details released this week include a proof-of-concept exploit, source code, and pre-compiled binaries.

Project Zero is part of Google’s effort to clean up widely used third-party software, with the aim of reducing the number of people potentially harmed by zero-day attacks. The program is separate from Google’s own bug bounty program for researchers who report flaws in Google software.

Flaws discovered by the Project Zero team are housed in an external database and are kept under wraps until the vendor of the affected product issues a patch, or until 90 days after the flaw was reported to the vendor. In this case, Adobe has released a

Read Full Article at ZDNET

CIP Cyber Staff

CIP Cyber Staff comprises CIP cybersecurity experts committed to delivering comprehensive information on critical infrastructure protection. The content covers diverse topics, equipping professionals to defend organizations and communities in an ever-evolving cyber landscape.
