{"id":22285,"date":"2013-02-20T17:37:06","date_gmt":"2013-02-21T01:37:06","guid":{"rendered":"http:\/\/blogs.mcafee.com\/?p=22285"},"modified":"2025-05-29T03:38:38","modified_gmt":"2025-05-29T10:38:38","slug":"digging-into-the-sandbox-escape-technique-of-the-recent-pdf-exploit","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/digging-into-the-sandbox-escape-technique-of-the-recent-pdf-exploit\/","title":{"rendered":"Digging Into the Sandbox-Escape Technique of the Recent PDF Exploit"},"content":{"rendered":"<p>As promised in our previous <a href=\"https:\/\/securingtomorrow.mcafee.com\/mcafee-labs\/analyzing-the-first-rop-only-sandbox-escaping-pdf-exploit\">blog entry<\/a> for the recent Adobe Reader PDF zero-day attack, we now offer more technical details on this Reader &#8220;sandbox-escape&#8221; plan. In order to help readers understand what\u2019s going on there, we first need to provide some background.<\/p>\n<h2><b>Adobe Reader\u2019s Sandbox Architecture<\/b><\/h2>\n<p>The Adobe Reader sandbox consists of two processes: a high-privilege broker process and a sandboxed renderer process; the latter is responsible for rendering the PDF document. Please see <a href=\"http:\/\/blogs.adobe.com\/asset\/2010\/10\/inside-adobe-reader-protected-mode-part-1-design.html\">Adobe\u2019s ASSET blog<\/a>\u00a0for an illustration of the sandbox architecture.<\/p>\n<p>The renderer process has restricted read\/write access to the file system, registry, and named objects. Most of the native OS API calls will go through the interprocess communication (IPC) mechanism to the broker process. For example, a native API call (CreateFile) originates from the sandbox process and the broker process eventually takes over as a proxy.<\/p>\n<p>Actually, the Reader sandbox\u2019s IPC is implemented based on Google Chrome\u2019s IPC shared-memory mechanism.
The broker process creates a 2MB shared-memory region for IPC initialization; the handle of the shared memory is duplicated and transferred to the sandboxed process, and all the communications leverage this shared memory.<\/p>\n<p>The API call request from the sandboxed process is stored in an IPC channel buffer (also called CrossCallParams or ActualCallParams). The structure of the buffer is defined as follows (from crosscall_params.h):<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2013\/02\/pic2.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-22300\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2013\/02\/pic2-300x221.png\" alt=\"pic2\" width=\"300\" height=\"221\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2013\/02\/pic2-300x221.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2013\/02\/pic2.png 460w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>Here are some explanations for the fields:<\/p>\n<ul>\n<li>The first 4 bytes, the \u201ctag,\u201d are the opcode identifying which function is being called<\/li>\n<li>\u201cIsOnOut\u201d describes the data type of the \u201cin\/out\u201d parameter<\/li>\n<li>\u201cCall return\u201d has 52 bytes.
It\u2019s a buffer that holds the data returned by the IPC server.<\/li>\n<li>\u201cParams count\u201d indicates the number of parameters<\/li>\n<li>The parameter type\/offset\/size info describes the actual parameters<\/li>\n<\/ul>\n<p>The parameter type is an enum type, defined as follows:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2013\/02\/pic22.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-22316\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2013\/02\/pic22.png\" alt=\"pic22\" width=\"119\" height=\"203\" \/><\/a><\/p>\n<h2><b>Escaping the Sandbox<\/b><\/h2>\n<p>The sandbox escape in this zero-day exploit is due to a heap-based overflow vulnerability that occurs when the broker process handles the call request of the native API &#8220;GetClipboardFormatNameW.&#8221; The tag id for this API is 0x73. Here is the ActualCallParams (IPC channel buffer) memory structure for the request in the exploit:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2013\/02\/pic3.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2013\/02\/pic3-300x220.png\" alt=\"pic3\" width=\"300\" height=\"220\" \/><\/a><\/p>\n<p>As marked by different colors above, the first DWORD is the tag id (0x73), and there are only two parameters for this API call (as indicated by the blue DWORD). The yellow DWORDs are the parameter types: Type 6 means INOUTPTR_TYPE and type 2 means ULONG_TYPE.
The red DWORDs are the sizes for these parameters, so the first parameter has 0x9c bytes with the \u201cin\/out ptr\u201d type and the second parameter has 4 bytes with the \u201clong\u201d type.<\/p>\n<p>Let&#8217;s take a look at the definition of the parameters for the GetClipboardFormatNameW API.<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2013\/02\/pic31.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-22306\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2013\/02\/pic31-300x139.png\" alt=\"pic31\" width=\"300\" height=\"139\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2013\/02\/pic31-300x139.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2013\/02\/pic31.png 641w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>According to the preceding definition, the GetClipboardFormatNameW call would look like this:<\/p>\n<p><em>GetClipboardFormatNameW(0xc19a, \u201cBBBBBBBBBB\u2026\u2026\u201d, 0x9c);<\/em><\/p>\n<p>At first sight, this function call looks normal, with nothing malicious. Unfortunately, there are two issues that will lead to a heap overflow condition. First, Adobe Reader allocates the heap memory based on \u201ccchMaxCount,\u201d while the correct size should be \u201ccchMaxCount * sizeof(WCHAR)\u201d as this is a Unicode API. In our case, the allocation size is only 0x9c; that is incorrect. Second, the lower-level native API NtUserGetClipboardFormatName() called by GetClipboardFormatNameW() is using cchMaxCount*sizeof(WCHAR) as its \u201clength\u201d parameter when copying a string to the heap buffer. At this point the heap overrun happens!<\/p>\n<p>There is a trick to trigger this heap overflow: Just pay attention to the first parameter. From the MSDN description, the parameter \u201cformat\u201d is used to retrieve the type of the format. 
So if we can pass in advance a format ID that requires a longer buffer space, then later when the broker calls the GetClipboardFormatNameW() to retrieve the format, it will trigger the overflow.<\/p>\n<p>In this sandbox-escaping exploit, the malware calls RegisterClipboardFormatW() to register a different format name, which is much longer than 0x9c bytes. Finally, an object (vtable) on the heap will be overwritten. However, the story is not over yet. In order to achieve reliable exploitation, a heap spray inside the broker process is needed. The attacker did this in a very smart way: he or she leveraged the \u201cHttpSendRequestA\u201d function (tag id 0x5d). See the following dumped memory for this function call request.<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2013\/02\/pic4.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-22304\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2013\/02\/pic4-300x132.png\" alt=\"pic4\" width=\"300\" height=\"132\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2013\/02\/pic4-300x132.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2013\/02\/pic4.png 554w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>Because the fourth parameter (lpOptional) has the type VOIDPTR_TYPE (its address and size are highlighted in red) in the exploit, the attacker passes the buffer size 0x0c800000 (the second red section). Because the size is huge, when the IPC server calls ReadProcessMemory API to read the buffer, the broker process\u2019 heap memory will be sprayed with attacker-controlled data at a predictable memory location.<\/p>\n<p>The ASLR- and DEP-bypassing part is very easy because the module base addresses of the broker process and the sandboxed process are the same.
The attacker can directly use the ROP code chain to defeat both ASLR and DEP.<\/p>\n<p>Adobe has now released the <a href=\"https:\/\/www.adobe.com\/support\/security\/bulletins\/apsb13-07.html\">official patch<\/a> for these critical vulnerabilities. As always, we strongly suggest that users apply the patch as soon as possible. For McAfee customers, you&#8217;ll find our solutions in our <a href=\"https:\/\/securingtomorrow.mcafee.com\/mcafee-labs\/analyzing-the-first-rop-only-sandbox-escaping-pdf-exploit\">previous post<\/a>.<\/p>\n<p>Thanks again to Bing Sun, Chong Xu, and Haifei Li for their help with this analysis.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>As promised in our previous blog entry for the recent Adobe Reader PDF zero-day attack, we now offer more technical&#8230;<\/p>\n","protected":false},"author":695,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[2026,1814,180],"coauthors":[4136],"class_list":["post-22285","post","type-post","status-publish","format-standard","hentry","category-mcafee-labs","tag-big-data","tag-computer-security","tag-malware"],"acf":[],"yoast_head_json":{"title":"Digging Into the Sandbox-Escape Technique of the Recent PDF Exploit | McAfee Blog","description":"As promised in our previous blog entry for the recent Adobe Reader PDF zero-day attack, we now offer more technical details on this Reader","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"en_US","og_type":"article","og_title":"Digging Into the Sandbox-Escape Technique of the Recent PDF Exploit | McAfee Blog","og_description":"As promised in our previous blog entry for the recent Adobe Reader PDF zero-day attack, we now offer more technical details on this Reader","og_url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/digging-into-the-sandbox-escape-technique-of-the-recent-pdf-exploit\/","og_site_name":"McAfee
Blog","article_publisher":"https:\/\/www.facebook.com\/McAfee\/","article_author":"https:\/\/www.facebook.com\/McAfee\/","article_published_time":"2013-02-21T01:37:06+00:00","article_modified_time":"2025-05-29T10:38:38+00:00","og_image":[{"width":460,"height":340,"url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2013\/02\/pic2.png","type":"image\/png"}],"author":"McAfee Labs","twitter_card":"summary_large_image","twitter_creator":"@McAfee_Labs","twitter_site":"@McAfee","twitter_misc":{"Written by":"McAfee Labs","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/digging-into-the-sandbox-escape-technique-of-the-recent-pdf-exploit\/#article","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/digging-into-the-sandbox-escape-technique-of-the-recent-pdf-exploit\/"},"author":{"name":"McAfee Labs","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad"},"headline":"Digging Into the Sandbox-Escape Technique of the Recent PDF Exploit","datePublished":"2013-02-21T01:37:06+00:00","dateModified":"2025-05-29T10:38:38+00:00","mainEntityOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/digging-into-the-sandbox-escape-technique-of-the-recent-pdf-exploit\/"},"wordCount":884,"publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/digging-into-the-sandbox-escape-technique-of-the-recent-pdf-exploit\/#primaryimage"},"thumbnailUrl":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2013\/02\/pic2-300x221.png","keywords":["big data","computer security","malware"],"articleSection":["McAfee 
Labs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/digging-into-the-sandbox-escape-technique-of-the-recent-pdf-exploit\/","url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/digging-into-the-sandbox-escape-technique-of-the-recent-pdf-exploit\/","name":"Digging Into the Sandbox-Escape Technique of the Recent PDF Exploit | McAfee Blog","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/digging-into-the-sandbox-escape-technique-of-the-recent-pdf-exploit\/#primaryimage"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/digging-into-the-sandbox-escape-technique-of-the-recent-pdf-exploit\/#primaryimage"},"thumbnailUrl":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2013\/02\/pic2-300x221.png","datePublished":"2013-02-21T01:37:06+00:00","dateModified":"2025-05-29T10:38:38+00:00","description":"As promised in our previous blog entry for the recent Adobe Reader PDF zero-day attack, we now offer more technical details on this 
Reader","breadcrumb":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/digging-into-the-sandbox-escape-technique-of-the-recent-pdf-exploit\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/digging-into-the-sandbox-escape-technique-of-the-recent-pdf-exploit\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/digging-into-the-sandbox-escape-technique-of-the-recent-pdf-exploit\/#primaryimage","url":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2013\/02\/pic2-300x221.png","contentUrl":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2013\/02\/pic2-300x221.png"},{"@type":"BreadcrumbList","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/digging-into-the-sandbox-escape-technique-of-the-recent-pdf-exploit\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https:\/\/www.mcafee.com\/blogs\/"},{"@type":"ListItem","position":2,"name":"Other Blogs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/"},{"@type":"ListItem","position":3,"name":"McAfee Labs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/"},{"@type":"ListItem","position":4,"name":"Digging Into the Sandbox-Escape Technique of the Recent PDF Exploit"}]},{"@type":"WebSite","@id":"https:\/\/www.mcafee.com\/blogs\/#website","url":"https:\/\/www.mcafee.com\/blogs\/","name":"McAfee Blog","description":"Internet Security 
News","publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.mcafee.com\/blogs\/#organization","name":"McAfee","url":"https:\/\/www.mcafee.com\/blogs\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","width":1286,"height":336,"caption":"McAfee"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.youtube.com\/McAfee"]},{"@type":"Person","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad","name":"McAfee Labs","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/af947d76ffbef8521094b476cf8050c3","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg","caption":"McAfee Labs"},"description":"McAfee Labs is one of the leading sources for threat research, threat intelligence, and cybersecurity thought leadership. 
See our blog posts below for more information.","sameAs":["https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee_Labs"],"url":"https:\/\/www.mcafee.com\/blogs\/author\/mcafee-labs\/"}]}},"_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/22285","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/695"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=22285"}],"version-history":[{"count":2,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/22285\/revisions"}],"predecessor-version":[{"id":214719,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/22285\/revisions\/214719"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=22285"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=22285"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=22285"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=22285"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}