Adobe Systems warned users that unofficial patches can cause unexpected damage after a security firm issued a fix of their own for a vulnerability impacting Adobe Reader and Acrobat.
Adobe Systems is advising users to be cautious before applying an
unofficial patch provided by a security company for an zero-day being
exploited in the wild.
Earlier this week, security firm RamzAfzar released an unofficial
fix for the flaw, which Adobe has said it plans to patch in the coming
weeks. The bug, which affects Adobe Reader and Adobe Acrobat, is
due to a boundary error within CoolType.dll when processing the
"uniqueName" entry of SING tables in fonts.
If exploited, the issue--which affects Reader and Acrobat versions 9.3.4 and earlier on Windows and Macs--could allow attackers
to hijack a vulnerable system. The bug also affects Reader on Unix as well.
Adobe first warned the flaw was under attack Sept. 8. Five days
later, the company said it would patch the issue with an update during
the week of Oct. 4. However, RamzAfzar issued a fix of its own
, contending that users need protection until the patch is ready.
"It's really long time for customers being vulnerable and navigate
Internet with this conditions or opening a single PDF file using Adobe
Acrobat reader," the company said. "So we've decided to go on and patch
this easy vulnerability and protect at least our customers and all
other interested people."
The company's patch alters the insecure strcat call in the CoolType.dll.
"This call doesn't check length of src and dest parameter of strcat,
so if Embedded Gaiji Font in PDF file includes a SING table with large
UniqueName (like 300xA) stack will be destroyed and you'll be able to
execute code with some techniques (like ROP method for bypassing DEP
which is already implemented in the sample of this exploit found in the
wild)," the company said. "We've decided to modify this strcat call and
convert it to strncat. Why? Because strncat at least receives the
buffer size and how much bytes you want to copy from src to dest."
Adobe told eWEEK it has tested the RamzAfzar patch and it appears to
work. However, Adobe also advised users that they should keep several
things in mind before using an unofficial patch. First, a .DLL file is
equivalent to an .EXE, and "users should never install executables from
an untrusted publisher on their machine." Also, users have no
assurances subsequent updates will work correctly if unofficially
patches are applied, and a change to the DLL might break functionality
in the product that could disrupt "critical workflows."
RamzAfzar did not respond to an eWEEK request for comment, but on Twitter the company denied that its patch
causes Adobe users any problems.
For user anxious about attacks, Microsoft's Enhanced Mitigation
Experience Toolkit 2.0 offers some protection against attacks in the
*This story was corrected to change a misspelling in the headline.