Researcher posts homemade patch for critical PDF bug

Beats Adobe to the patch punch by more than two weeks

A security researcher has published a home-brewed patch for a critical Adobe Reader vulnerability that hackers are exploiting in the wild using malicious PDF files, beating Adobe Systems Inc. to the punch by more than two weeks.

Lurene Grenier, a vulnerability researcher at intrusion-prevention vendor Sourcefire Inc., posted the patch Sunday with the caveats that it applies only to the Windows version of Adobe Reader 9.0 and comes with no guarantees.

"The patch is just a replacement .dll -- AcroRd32.dll to be precise," said Grenier in a post to the Sourcefire vulnerability research blog. The .dll, which weighs in at 19MB, replaces the existing file in the "C:\Program Files\Adobe\Reader 9.0\Reader\" directory on Windows machines.

"No warranty expressed or implied, etc. etc.," concluded Grenier.

Although hackers have been exploiting the flaw in Adobe Reader since at least Feb. 12 -- the date that Symantec Corp. researchers first found the attack code in the wild -- Adobe said last week that it may not patch the problem until March 11.

In a security advisory the company issued last Thursday, Adobe confirmed that Versions 7, 8 and 9 of both Reader and Adobe Acrobat, an advanced PDF-creation application, contain the flaw. It plans to patch Versions 7 and 8 at an unspecified date after it fixes Version 9 next month.

It's rare that a patch surfaces from a source other than the software's maker, but Grenier's move isn't without precedent. In 2006, and then again the following year, a group of security researchers who called themselves ZERT (Zeroday Emergency Response Team), issued several unauthorized patches for bugs in Microsoft Corp.'s Windows and Internet Explorer.

Another way to protect against the current exploits is to disable JavaScript, numerous experts have recommended. Although the flaw is not in the JavaScript functionality of Reader or Acrobat, since the exploits employ JavaScript, turning it off stymies any current attack.

To disable JavaScript in Adobe Reader, Windows users should select "Preferences" from the Edit menu, then click on "JavaScript" in the ensuing list and uncheck the box marked "Enable Acrobat JavaScript." Mac users will find the preferences under the "Adobe Reader" menu.

PhishLabs, a consulting firm that specializes in fraud attacks, created a batch file that resets a Windows registry key to disable JavaScript in Adobe Reader 9.0, giving enterprise administrators a way to automate the process.

In other news, exploit code for the Adobe bug has gone public, hitting the Milw0rm.com site earlier today. Last week, security experts speculated that attack code would quickly end up in the multiexploit kits that hackers now favor.

Grenier's patch can be downloaded via a link from the Sourcefire site.

From CIO: 8 Free Online Courses to Grow Your Tech Skills
Join the discussion
Be the first to comment on this article. Our Commenting Policies