Researchers issue homemade patch for PDF zero-day bug

Beats Adobe to the punch by three weeks

A little-known security firm on Wednesday released a home-brewed patch for a critical bug in Adobe Reader that hackers are already exploiting.

RamzAfzar, whose Web site bills it as a penetration testing company, reworked a flawed Adobe dynamic link library, or DLL, to replace the vulnerable "strcat" API call with the more secure alternative, "strncat."

This isn't the first time that someone has beat Adobe to a patch for Reader.

In February 2009, Lurene Grenier, a vulnerability researcher at intrusion-prevention vendor Sourcefire, posted a homemade fix for a then-unpatched Reader bug. Like RamzAfzar, Grenier built a replacement DLL.

To install the latest patch, users must download the revamped "CoolType.dll" created by RamzAfzar, then copy it to the Windows folder where Adobe's DLL by the same name is located.

The Reader exploit has been called "clever" and "scary" by security researchers who have examined how it bypasses two important defenses that Microsoft erected to protect Windows, ASLR (address space layout randomization) and DEP (data execution prevention).

Initial attacks used rigged PDF documents attached to e-mails touting renowned golf coach and author David Leadbetter. In a move reminiscent of the vaunted Stuxnet worm, the Leadbetter attacks included a malicious file that was digitally signed with a valid signature from Missouri-based Vantage Credit Union.

VeriSign has since revoked Vantage's certificate.

According to Belgian security researcher Didier Stevens, RamzAfzar's patch does what the company claimed. "Does as advertised, and nothing more," said Stevens in a Wednesday message on Twitter.

Stevens, a notable vulnerability researchers, knows his way around Adobe Reader: Last March, he showed how attackers could abuse the PDF specification's "/Launch" feature to attack Reader users.

Adobe initially patched the /Launch function in June, but was forced to re-patch it in August when the first attempt didn't completely close the hole.

Today, Adobe confirmed that RamzAfzar's patched CoolType.dll seemed to do the trick.

"At first glance their DLL appears to prevent the crash [that can lead to remote code execution], but we have not performed a thorough investigation," a company spokeswoman said in an e-mail.

Nonetheless, Adobe warned users to steer clear. "A DLL is equivalent to an .EXE. Users should never install executables from an untrusted publisher on their machine," the spokeswoman added.

Unauthorized patches are unusual, but not unheard of. In 2006 and 2007, a group of security researchers who called themselves ZERT (Zeroday Emergency Response Team), issued several unauthorized patches for bugs in Windows and Internet Explorer.

RamzAfar criticized Adobe for not fixing the Reader flaw immediately. "We patched it without having source code in two hours and they need 20 days with code," the company said.

Adobe will release its official update for Reader sometime during the week of Oct. 4.

RamzAfzar's revamped CoolType.dll can be downloaded from the company's site.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed . His e-mail address is

Copyright © 2010 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon