Adobe Cautions Users About Installing Unofficial Reader Patch

Adobe is cautioning its users about installing an unofficial patch for the Reader CoolType.dll bug that was released on Wednesday, saying that although the patch appears to prevent the crash in Reader, installing it could have some unintended consequences.

The Reader bug, which was disclosed earlier this month, is scheduled to be patched by Adobe on Oct. 4. But on Wednesday a security and software firm called RamzAfzar released its own patch for the vulnerability. The fix replaces the vulnerable DLL with a new one that gets around the bug by using a different, more secure call.

“We’ve decided to modify this strcat call and convert it to strncat. Why? Because strncat at least receives the buffer size and how much bytes you want to copy from src to dest,” the company said in its explanation of the patch.

However, in an email response to questions about the unofficial patch, Adobe officials said that while the RamzAfzar fix seems to stop vulnerable versions of Reader from crashing, there are always risks involved with installing software from unknown sources. Adobe’s cautions are as follows:

  • A DLL is equivalent to an .EXE. Users should never install executables from an untrusted publisher on their machine.
  • Users will have no assurances that subsequent Adobe updates will work correctly after performing this type of modification. For example, the DLL might not get updated by the official security update from Adobe.
  • The change to the DLL might break functionality in the product that could disrupt critical workflows.

On Thursday, Didier Stevens, a Belgian security researcher who earlier this year discovered a technique for forcing Adobe Reader to execute code without using any vulnerabilities or exploits, said in a message on Twitter that he had analyzed the unofficial patch and found that it did what it was supposed to do: prevent Reader from crashing.

“Took a look at @Ramz_Afzar’s patch. Does as advertised, and nothing more. strcat -> strncat with n = 160,” Stevens said.
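The strcat-to-strncat change described above, as an added C example that is not code from Adobe, RamzAfzar or Didier Stevens: strncat's third argument caps the bytes taken from src, and a terminating NUL is written after them, so a fixed n such as the reported 160 is safe only when the destination always has more than n bytes free past its current contents. The helper name `bounded_append` and the 16-byte buffer are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, constructed for this example. Appends src to the
 * NUL-terminated string in dest, whose total capacity is dest_size bytes.
 * Returns 0 if all of src fit, 1 if it was truncated, and -1 if dest holds
 * no terminator inside dest_size (nothing is written in that case). */
int bounded_append(char *dest, size_t dest_size, const char *src)
{
    /* Locate the end of the existing string without reading past dest. */
    const char *end = memchr(dest, '\0', dest_size);
    if (end == NULL)
        return -1;

    size_t used = (size_t)(end - dest);
    size_t room = dest_size - used - 1;   /* free bytes, NUL excluded */

    /* n bounds the bytes taken from src; strncat then writes one more
     * byte for the NUL. Passing dest_size instead of room can still
     * overflow when src is long. */
    strncat(dest, src, room);
    return strlen(src) > room ? 1 : 0;
}

int main(void)
{
    char name[16] = "font-";              /* constructed sample buffer */
    int rc = bounded_append(name, sizeof name, "bold");
    printf("%d %s\n", rc, name);
    rc = bounded_append(name, sizeof name, "a-much-longer-constructed-field");
    printf("%d %s\n", rc, name);
    return 0;
}
```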


Discussion

  • Roben Mia on

    RamzAfzar replied to this post:

    http://twitter.com/Ramz_Afzar

    Seems they are right

  • Didier Stevens on

    "The change to the DLL might break functionality in the product that could disrupt critical workflows."

    That's true, you need to perform extensive testing to be sure.

    But one must not forget that the bug in the current, official version of Adobe Reader also "disrupts critical workflows". Open a malformed PDF and Adobe Reader crashes.

  • Maya Heckman on

    When there is no patch and I'm vulnerable and it's possible to get infected while visiting internet web sites, I would install RamzAfzar patch as their patch prevents buffer overflow and exploit didn't work on my acrobat, but I was able to read ALL TYPE of PDF files without problem. As RamzAfzar said in their twitter, Adobe is not so happy about this patch being made in 2 hours and they need 20 days to patch, that's all.
