Adobe Warns Against Unofficial Security Patches

Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved,

Adobe Systems is warning users against unofficial patches after a security firm issued its own fix for a Reader and Acrobat vulnerability

Users are being advised by Adobe Systems to be cautious before applying an unofficial patch provided by a security company for an zero-day being exploited in the wild.

Earlier this week, security firm RamzAfzar released an unofficial fix for the flaw, which Adobe has said it plans to patch in the coming weeks. The bug, which affects Adobe Reader and Adobe Acrobat, is due to a boundary error within CoolType.dll when processing the “uniqueName” entry of SING tables in fonts.

Zero-day Flaw

If exploited, the issue – which affects Reader and Acrobat versions 9.3.4 and earlier on Windows and Macs – could allow attackers to hijack a vulnerable system. The bug also affects Reader on Unix as well.

Adobe first warned the flaw was under attack 8 September. Five days later, the company said it would patch the issue with an update during the week of 4 October. However, RamzAfzar issued a fix of its own, contending that users need protection until the patch is ready.

“It’s really long time for customers being vulnerable and navigate internet with this conditions or opening a single PDF file using Adobe Acrobat reader,” the company said. “So we’ve decided to go on and patch this easy vulnerability and protect at least our customers and all other interested people.”

The company’s patch alters the insecure strcat call in the CoolType.dll.

“This call doesn’t check length of src and dest parameter of strcat, so if Embedded Gaiji Font in PDF file includes a SING table with large UniqueName (like 300xA) stack will be destroyed and you’ll be able to execute code with some techniques (like ROP method for bypassing DEP which is already implemented in the sample of this exploit found in the wild),” the company said. “We’ve decided to modify this strcat call and convert it to strncat. Why? Because strncat at least receives the buffer size and how much bytes you want to copy from src to dest.”

Adobe Response

Adobe told eWEEK it has tested the RamzAfzar patch and it appears to work.

However, Adobe also advised users that they should keep several things in mind before using an unofficial patch. First, a .DLL file is equivalent to an .EXE, and “users should never install executables from an untrusted publisher on their machine.” Also, users have no assurances subsequent updates will work correctly if unofficially patches are applied, and a change to the DLL might break functionality in the product that could disrupt “critical workflows.”

RamzAfzar did not respond to an eWEEK request for comment, but on Twitter the company denied that its patch causes Adobe users any problems.

For user anxious about attacks, Microsoft’s Enhanced Mitigation Experience Toolkit 2.0 offers some protection against attacks in the wild.