Adobe Cautions Users About Installing Unofficial Reader Patch
Adobe is cautioning its users about installing an unofficial patch for the Reader CoolType.dll bug that was released on Wednesday, saying that although the patch appears to prevent the crash in Reader, installing it could have some unintended consequences.
The Reader bug, which was disclosed earlier this month, is scheduled to be patched by Adobe on Oct. 4. But on Wednesday a security and software firm called RamzAfzar released its own patch for the vulnerability. The fix replaces the vulnerable DLL with a new one that gets around the bug by using a different, more secure call.
"We've decided to modify this strcat call and convert it to strncat. Why? Because strncat at least receives the buffer size and how many bytes you want to copy from src to dest," the company said in its explanation of the patch.
However, in an email response to questions about the unofficial patch, Adobe officials said that while the RamzAfzar fix seems to stop vulnerable versions of Reader from crashing, there are always risks involved with installing software from unknown sources. Adobe's cautions are as follows:
- A DLL is equivalent to an .EXE. Users should never install executables from an untrusted publisher on their machine.
- Users will have no assurances that subsequent Adobe updates will work correctly after performing this type of modification. For example, the DLL might not get updated by the official security update from Adobe.
- The change to the DLL might break functionality in the product that could disrupt critical workflows.
On Thursday, Didier Stevens, a Belgian security researcher who earlier this year discovered a technique for forcing Adobe Reader to execute code without using any vulnerabilities or exploits, said in a message on Twitter that he had analyzed the unofficial patch and found that it did what it was supposed to do: prevent Reader from crashing.
"Took a look at @Ramz_Afzar's patch. Does as advertised, and nothing more. strcat -> strncat with n = 160," Stevens said.
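The strcat-to-strncat swap described in the patch explanation and confirmed above (n = 160) is easy to get subtly wrong, because strncat's third argument caps the bytes read from the source, not the size of the destination. The following added example (not code from the article, Adobe, RamzAfzar or CoolType.dll; the buffer size and inputs are constructed for illustration) shows the bounds check a fixed n relies on, and an append that derives n from the space actually left in the buffer.

```c
#include <stddef.h>
#include <string.h>

/* Constructed destination size for the demo; the real CoolType.dll buffer size is not stated in the article. */
#define DEST_SIZE 64

/* strncat(dest, src, n) appends at most n bytes of src plus a terminating NUL.
 * A fixed n (the article's n = 160) only stays in bounds when
 *   strlen(dest) + min(strlen(src), n) + 1 <= sizeof dest.
 * Returns 1 if that holds, 0 if the append would overrun dest. */
static int fixed_n_in_bounds(size_t dest_used, size_t src_len, size_t n, size_t dest_size) {
    size_t copied = src_len < n ? src_len : n;
    return dest_used + copied + 1 <= dest_size;
}

/* Hardened append: compute n from the room remaining in dest instead of a constant.
 * Returns 1 if src fit completely, 0 if it was truncated or dest had no terminator. */
static int bounded_append(char *dest, size_t dest_size, const char *src) {
    const char *end = memchr(dest, '\0', dest_size);
    if (end == NULL) return 0;                 /* dest is not a terminated string: refuse to write */
    size_t used = (size_t)(end - dest);
    size_t room = dest_size - used - 1;        /* bytes available before the final NUL */
    strncat(dest, src, room);                  /* writes at most room bytes, then the NUL */
    return strlen(src) <= room;
}

/* Feeds a constructed oversized input (200 bytes of 'A') through bounded_append.
 * Returns the resulting length of dest, which must stay below DEST_SIZE. */
static size_t demo_oversized_input(void) {
    char dest[DEST_SIZE] = "prefix:";
    char src[201];
    memset(src, 'A', 200);
    src[200] = '\0';
    bounded_append(dest, sizeof dest, src);
    return strlen(dest);
}

/* Short input that fits: returns 1 when the appended string is exactly "prefix:ok". */
static int demo_short_input(void) {
    char dest[DEST_SIZE] = "prefix:";
    int fit = bounded_append(dest, sizeof dest, "ok");
    return fit && strcmp(dest, "prefix:ok") == 0;
}
```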
Comments
RamzAfzar replied to this post:
http://twitter.com/Ramz_Afzar
Seems they are right
"The change to the DLL might break functionality in the product that could disrupt critical workflows."
That's true, you need to perform extensive testing to be sure.
But one must not forget that the bug in the current, official version of Adobe Reader also "disrupts critical workflows". Open a malformed PDF and Adobe Reader crashes.
When there is no patch and I'm vulnerable and it's possible to get infected while visiting internet web sites, I would install RamzAfzar's patch, as their patch prevents the buffer overflow and the exploit didn't work on my Acrobat, but I was able to read ALL TYPES of PDF files without problem. As RamzAfzar said on their Twitter, Adobe is not so happy about this patch being made in 2 hours when they need 20 days to patch, that's all.