A little-known security firm on Wednesday released a home-brewed patch for a critical bug in Adobe Reader that hackers are already exploiting.
RamzAfzar, whose website bills it as a penetration testing company, reworked a flawed Adobe dynamic link library, or DLL, to replace the vulnerable, unbounded "strcat" API call with the length-limited alternative, "strncat."
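The strcat-to-strncat swap RamzAfzar made in CoolType.dll is a binary patch; as an added illustration (not the patched DLL's code, and not from Adobe or RamzAfzar), the C below shows the same fix at source level on a hypothetical fixed-size buffer, including the detail that strncat's length argument must be the room left in the buffer, not the buffer's size.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define BUF_SIZE 16   /* hypothetical fixed-size destination buffer */

/* Hardened append: bounds the copy by the space actually left in dst.
   strncat's third argument is the maximum number of characters to append,
   NOT the size of dst, and strncat always writes a terminating NUL after
   them, so the bound is cap - strlen(dst) - 1.
   Returns true if all of src fitted, false if it had to be truncated. */
bool safe_append(char *dst, size_t cap, const char *src) {
    size_t used = strlen(dst);
    if (used >= cap) return false;     /* dst is already full or unterminated */
    size_t room = cap - used - 1;      /* bytes left before the NUL */
    strncat(dst, src, room);
    return strlen(src) <= room;
}

/* Models the defect: strcat(dst, src) copies until it finds src's terminator
   and never checks cap. Returns true when that call would write past dst. */
bool strcat_would_overflow(const char *dst, size_t cap, const char *src) {
    return strlen(dst) + strlen(src) + 1 > cap;
}

/* Models the classic misuse strncat(dst, src, cap): the count only limits
   how much of src is read, so anything already in dst still pushes the
   write past the end. Returns how many bytes would land beyond cap. */
size_t misuse_overflow_bytes(const char *dst, size_t cap, const char *src) {
    size_t srclen = strlen(src);
    size_t copied = srclen < cap ? srclen : cap;   /* at most cap characters */
    size_t end = strlen(dst) + copied + 1;         /* plus the NUL */
    return end > cap ? end - cap : 0;
}
```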
This isn't the first time that someone has beaten Adobe to a patch for Reader.
In February 2009, Lurene Grenier, a vulnerability researcher at intrusion-prevention vendor Sourcefire, posted a homemade fix for a then-unpatched Reader bug. Like RamzAfzar, Grenier built a replacement DLL.
To install the latest patch, users must download the revamped "CoolType.dll" created by RamzAfzar, then copy it to the Windows folder where Adobe's DLL by the same name is located.
The Reader exploit has been called "clever" and "scary" by security researchers who have examined how it bypasses two important defenses that Microsoft erected to protect Windows, ASLR (address space layout randomization) and DEP (data execution prevention).
Initial attacks used rigged PDF documents attached to emails touting renowned golf coach and author David Leadbetter. In a move reminiscent of the vaunted Stuxnet worm, the Leadbetter attacks included a malicious file that was digitally signed with a valid signature from Missouri-based Vantage Credit Union.
VeriSign has since revoked Vantage's certificate.
According to Belgian security researcher Didier Stevens, RamzAfzar's patch does what the company claimed. "Does as advertised, and nothing more," said Stevens in a Wednesday message on Twitter.
Stevens, a notable vulnerability researcher, knows his way around Adobe Reader: last March, he showed how attackers could abuse the PDF specification's "/Launch" feature to attack Reader users.
Adobe initially patched the /Launch function in June, but was forced to re-patch it in August when the first attempt didn't completely close the hole.
Today, Adobe confirmed that RamzAfzar's patched CoolType.dll seemed to do the trick.
"At first glance their DLL appears to prevent the crash [that can lead to remote code execution], but we have not performed a thorough investigation," a company spokeswoman said in an email.
Nonetheless, Adobe warned users to steer clear. "A DLL is equivalent to an .EXE. Users should never install executables from an untrusted publisher on their machine," the spokeswoman added.