Researchers issue homemade patch for PDF zero-day bug
Beats Adobe to the punch by three weeks
Computerworld - A little-known security firm on Wednesday released a home-brewed patch for a critical bug in Adobe Reader that hackers are already exploiting.
RamzAfzar, whose Web site bills it as a penetration testing company, reworked a flawed Adobe dynamic link library, or DLL, to replace the vulnerable "strcat" API call with the more secure alternative, "strncat."
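The difference between the two calls, as an added C example that is not RamzAfzar's or Adobe's code; the helper name `bounded_append`, the 16-byte buffer and the sample strings are constructed for illustration. It also shows the detail that makes "strncat" easy to misuse: its length argument is the room left in the buffer, not the buffer's size.

```c
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical helper (not from the page): append src to dst, where dst_size
 * is the TOTAL size of the destination buffer. Returns 0 if all of src fit,
 * -1 if src was truncated or dst held no terminator inside the buffer.
 */
int bounded_append(char *dst, size_t dst_size, const char *src)
{
    const char *end = memchr(dst, '\0', dst_size);
    if (end == NULL)
        return -1;                       /* refuse to scan past the buffer */

    size_t used = (size_t)(end - dst);
    size_t room = dst_size - used - 1;   /* keep one byte for the '\0' */

    /* strncat's third argument is the maximum number of characters to
     * APPEND, not the buffer size; passing dst_size here would still
     * overflow. strncat always writes a terminator after what it copies. */
    strncat(dst, src, room);
    return strlen(src) > room ? -1 : 0;
}

/* Constructed case: 12 characters plus terminator fit in 16 bytes. */
int demo_fits(void)
{
    char name[16] = "Cool";
    return bounded_append(name, sizeof name, "Type.dll");
}

/* Constructed case: 40-byte input into a 16-byte buffer. With
 * strcat(name, input) the copy would run 30 bytes past the end of name. */
size_t demo_oversized(void)
{
    char name[16] = "font:";
    char input[41];
    memset(input, 'A', sizeof input - 1);
    input[sizeof input - 1] = '\0';
    int rc = bounded_append(name, sizeof name, input);
    return rc == -1 ? strlen(name) : 0;  /* length after truncation */
}

int main(void)
{
    printf("fits: %d, oversized length: %zu\n", demo_fits(), demo_oversized());
    return 0;
}
```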
This isn't the first time that someone has beaten Adobe to a patch for Reader.
In February 2009, Lurene Grenier, a vulnerability researcher at intrusion-prevention vendor Sourcefire, posted a homemade fix for a then-unpatched Reader bug. Like RamzAfzar, Grenier built a replacement DLL.
To install the latest patch, users must download the revamped "CoolType.dll" created by RamzAfzar, then copy it to the Windows folder where Adobe's DLL by the same name is located.
The Reader exploit has been called "clever" and "scary" by security researchers who have examined how it bypasses two important defenses that Microsoft erected to protect Windows, ASLR (address space layout randomization) and DEP (data execution prevention).
Initial attacks used rigged PDF documents attached to e-mails touting renowned golf coach and author David Leadbetter. In a move reminiscent of the vaunted Stuxnet worm, the Leadbetter attacks included a malicious file that was digitally signed with a valid signature from Missouri-based Vantage Credit Union.
VeriSign has since revoked Vantage's certificate.
According to Belgian security researcher Didier Stevens, RamzAfzar's patch does what the company claimed. "Does as advertised, and nothing more," said Stevens in a Wednesday message on Twitter.
Stevens, a notable vulnerability researcher, knows his way around Adobe Reader: Last March, he showed how attackers could abuse the PDF specification's "/Launch" feature to attack Reader users.
Adobe initially patched the /Launch function in June, but was forced to re-patch it in August when the first attempt didn't completely close the hole.
Today, Adobe confirmed that RamzAfzar's patched CoolType.dll seemed to do the trick.
"At first glance their DLL appears to prevent the crash [that can lead to remote code execution], but we have not performed a thorough investigation," a company spokeswoman said in an e-mail.
Nonetheless, Adobe warned users to steer clear. "A DLL is equivalent to an .EXE. Users should never install executables from an untrusted publisher on their machine," the spokeswoman added.
Unauthorized patches are unusual, but not unheard of. In 2006 and 2007, a group of security researchers who called themselves ZERT (Zeroday Emergency Response Team) issued several unauthorized patches for bugs in Windows and Internet Explorer.
RamzAfzar criticized Adobe for not fixing the Reader flaw immediately. "We patched it without having source code in two hours and they need 20 days with code," the company said.
Adobe will release its official update for Reader sometime during the week of Oct. 4.
RamzAfzar's revamped CoolType.dll can be downloaded from the company's site.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed. His e-mail address is email@example.com.