Researchers issue homemade patch for PDF zero-day bug

Little-known security firm beats Adobe to the punch by three weeks with fix for critical Reader bug

A little-known security firm on Wednesday released a home-brewed patch for a critical bug in Adobe Reader that hackers are already exploiting.

RamzAfzar, whose website bills it as a penetration testing company, reworked a flawed Adobe dynamic link library, or DLL, to replace the vulnerable "strcat" API call with the more secure alternative, "strncat."

[ The PDF exploit uses a good certificate and fancy programming to thumb its nose at Windows 7's two big new security measures. | Master your security with InfoWorld's interactive Security iGuide. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]

This isn't the first time that someone has beat Adobe to a patch for Reader.

In February 2009, Lurene Grenier, a vulnerability researcher at intrusion-prevention vendor Sourcefire, posted a homemade fix for a then-unpatched Reader bug. Like RamzAfzar, Grenier built a replacement DLL.

To install the latest patch, users must download the revamped "CoolType.dll" created by RamzAfzar, then copy it to the Windows folder where Adobe's DLL by the same name is located.

The Reader exploit has been called "clever" and "scary" by security researchers who have examined how it bypasses two important defenses that Microsoft erected to protect Windows, ASLR (address space layout randomization) and DEP (date execution prevention).

Initial attacks used rigged PDF documents attached to emaills touting renowned golf coach and author David Leadbetter. In a move reminiscent of the vaunted Stuxnet worm, the Leadbetter attacks included a malicious file that was digitally signed with a valid signature from Missouri-based Vantage Credit Union.

VeriSign has since revoked Vantage's certificate.

According to Belgian security researcher Didier Stevens, RamzAfzar's patch does what the company claimed. "Does as advertised, and nothing more," said Stevens in a Wednesday message on Twitter.

Stevens, a notable vulnerability researchers, knows his way around Adobe Reader: Last March, he showed how attackers could abuse the PDF specification's "/Launch" feature to attack Reader users.

Adobe initially patched the /Launch function in June, but was forced to re-patch it in August when the first attempt didn't completely close the hole.

Today, Adobe confirmed that RamzAfzar's patched CoolType.dll seemed to do the trick.

"At first glance their DLL appears to prevent the crash [that can lead to remote code execution], but we have not performed a thorough investigation," a company spokeswoman said in an emaill.

Nonetheless, Adobe warned users to steer clear. "A DLL is equivalent to an .EXE. Users should never install executables from an untrusted publisher on their machine," the spokeswoman added.

Unauthorized patches are unusual, but not unheard of. In 2006 and 2007, a group of security researchers who called themselves ZERT (Zeroday Emergency Response Team), issued several unauthorized patches for bugs in Windows and Internet Explorer.

RamzAfar criticized Adobe for not fixing the Reader flaw immediately. "We patched it without having source code in two hours and they need 20 days with code," the company said.

Adobe will release its official update for Reader sometime during the week of Oct. 4.

RamzAfzar's revamped CoolType.dll can be downloaded from the company's site.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed. His emaill address is gkeizer@ix.netcom.com.

Read more about malware and vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.

This story, "Researchers issue homemade patch for PDF zero-day bug" was originally published by Computerworld.

From CIO: 8 Free Online Courses to Grow Your Tech Skills
Join the discussion
Be the first to comment on this article. Our Commenting Policies