Adobe is cautioning its users about installing an unofficial patch for the Reader CoolType.dll bug that was released on Wednesday, saying that although the patch appears to prevent the crash in Reader, installing it could have some unintended consequences.
The Reader bug, which was disclosed earlier this month, is scheduled to be patched by Adobe on Oct. 4. But on Wednesday a security and software firm called RamzAfzar released its own patch for the vulnerability. The fix replaces the vulnerable DLL with a new one that gets around the bug by using a different, more secure call.
“We ‘ve decided to modify this strcat call and convert it to strncat. Why?
Because strncat at least receives the buffer size and how much bytes
you want to copy from src to dest,” the company said in its explanation of the patch.
However, in an email response to questions about the unofficial patch, Adobe officials said that while the RamzAfzar fix seems to stop vulnerable versions of Reader from crashing, there are always risks involved with installing software from unknown sources. Adobe’s cautions are as follows:
- A DLL is equivalent to an .EXE.
Users should never install executables from an untrusted publisher on
- Users will have no assurances th at
subsequent Adobe updates will work correctly after performing this type of
modification. For example, the DLL might not get updated by the official
security update from Adobe.
- The change to the DLL might break functionality
in the product that could disrupt critical workflows.
On Thursday, Didier Stevens, a Belgian security researcher who earlier this year discovered a technique for forcing Adobe Reader to execute code without using any vulnerabilities or exploits, said in a message on Twitter that he had analyzed the unofficial patch and found that it did what it was supposed to do: prevent Reader from crashing.
“Took a look at @Ramz_Afzar ‘s patch. Does as advertised, and nothing more. strcat -> strncat with n = 160,” Stevens said.