Adobe Cautions Users Against Installing Unofficial Security Patches

Penetration testing firm RamzAfzar issued a homemade patch for the CoolType.dll zero-day vulnerability in Adobe Acrobat and Adobe Reader earlier this week. Adobe has said it will release an official patch for the vulnerability on October 4, 2010.

The bug first came to light earlier this month after a zero-day exploit targeting the vulnerability appeared. The vulnerability itself stems from "a boundary error within the font parsing in CoolType.dll and can be exploited to cause a stack-based buffer overflow," according to vulnerability research firm Secunia.

RamzAfzar said, "After initial analysis we've discovered that exploit exists in insecure strcat call located in CoolType.dll." Strcat allows memory blocks to be appended to each other in the C programming language. "We've decided to modify this strcat call and convert it to strncat. Why? Because strncat at least receives the buffer size and how much bytes you want to copy from src [source] to dest [destination]."

In other words, the RamzAfzar fix adds a "size operator" which prohibits a buffer overflow through a bit of in-line patching. You can download this CoolType.dll and put it in your Acrobat Reader folder, simply overwrite old CoolType.dll and you'll be secure, provided you're using Acrobat 9.3.4.

"It took … about 2 hours, I want to know why Adobe needs 20 days," according to RanzAfzar.

After the patch emerged, however, Adobe cautioned users against applying it. According to Kaspersky Labs's Threatpost, Adobe said that "there are always risks involved with installing software from unknown sources." In particular, the company warned that a DLL file has the same capabilities as an executable file. In addition, the firm also told Threatpost that "the change to the DLL might break functionality in the product that could disrupt critical workflows."

RamzAfzar posted a response on Twitter: "Adobe said users with our patch will not be able to update, it's simply wrong, it's not first time we're patching Adobe for customers."

Likewise, on Thursday, security researcher Didier Stevens, who has extensive experience with vulnerabilities in Adobe's products, reported on his Twitter feed that he'd assessed the homemade patch: "Took a look at @Ramz_Afzar 's patch. Does as advertised, and nothing more."