David Baxter PhD

Late Founder
Unofficial Patch Released for Adobe Reader Bug
by Dennis Fisher, Threatpost
September 15, 2010

As users await the Oct. 4 release of a patch for the CoolType.dll vulnerability in Adobe Reader, a software and security company has published an unofficial patch for the bug that essentially replaces the vulnerable DLL with a patched one.

The patch was published Wednesday by RamzAfzar, a software development and pen-testing firm, which said in its description of the patch that it took approximately two hours to develop the fix. The method that the company used to fix the bug involves bypassing the insecure call in the DLL and using a more secure one in its place. The company says the patch works on Reader version 9.3.4.

"This call doesn't check the length of the src and dest parameters of strcat, so if an embedded Gaiji font in a PDF file includes a SING table with a large UniqueName (like 300xA), the stack will be destroyed and you'll be able to execute code with some techniques (like the ROP method for bypassing DEP, which is already implemented in the sample of this exploit found in the wild)," the company's explanation says.

"We've decided to modify this strcat call and convert it to strncat. Why? Because strncat at least receives the buffer size and how many bytes you want to copy from src to dest."

This kind of patch that's not supplied by the vendor was all the rage about four years ago, when independent researchers began publishing their own hotfixes for bugs that were awaiting vendor patches. The most notorious example is the Windows WMF vulnerability from late 2005. After the bug was disclosed, there were waves of attacks against the flaw, with a number of sites distributing the exploit. The flaw was considered to be quite serious, and with attacks ongoing, researcher Ilfak Guilfanov released his own patch for the flaw and anti-malware vendor ESET published its own fix soon after.

Microsoft took a dim view of this development, and urged customers to wait for the company's official patch, which came out about a week later. The trend continued with other high-profile bugs, as security vendor eEye Digital Security occasionally published unofficial patches for Windows flaws, including the .ANI bug from 2007.

It's been some time since the release of an unofficial patch has become a public issue, perhaps mainly because most of the major software vendors, including Microsoft and Adobe, have established regular patch cycles, making the time until a patch is available predictable, if not always ideal. And Adobe and Microsoft both have shown that they will go outside those patch cycles and issue emergency fixes when they deem it necessary, typically when a widespread bug is under active attack.

Although there are active attacks against the Reader bug right now, Adobe has given no indication that it plans to issue an emergency patch for the flaw before the next scheduled patch release on Oct. 4.
 

David Baxter PhD

Late Founder
[Unofficial] 0-Day Acrobat SING Table Vulnerability Patch
RamzAfzar
September 15, 2010

Greetings...

As you all may know, there is a new 0-day vulnerability which exploits an insecure strcat call in CoolType.dll. This is very dangerous, as you can find sample files and an exploit generator on a lot of security websites. Bad guys may use this exploit for their own purposes.

As you see, it's really dangerous. We decided to check with Adobe about the patch release date. Suddenly we discovered it will be patched 20 days later, on 4 October 2010. Wow! That's a really long time for customers to remain vulnerable while navigating the internet under these conditions or opening a single PDF file using Adobe Acrobat Reader.

So we decided to go ahead and patch this easy vulnerability and protect at least our customers and all other interested people.

After initial analysis we discovered that the vulnerability exists in an insecure strcat call located in CoolType.dll (all addresses and names are from the latest Acrobat 9.3.4's CoolType.dll):

0803DDAB E8 483D1300 CALL JMP.&MSVCR80.strcat

This call doesn't check the length of the src and dest parameters of strcat, so if an embedded Gaiji font in a PDF file includes a SING table with a large UniqueName (like 300xA), the stack will be destroyed and you'll be able to execute code with some techniques (like the ROP method for bypassing DEP, which is already implemented in the sample of this exploit found in the wild).

We decided to modify this strcat call and convert it to strncat. Why? Because strncat at least receives the buffer size and how many bytes you want to copy from src to dest.

So we moved on. As we don't have the source code, we had to do binary patching. At first we decided to patch it by adding a new section and writing our secure code there, but we decided to do it with inline patching instead.

We found an available address in the text section at address 0818EF15.

We moved all the stack push operations for the strcat call to that address and inserted a jmp instruction to our 0818EF15 address in their place.

At 0818EF15, we first inserted a PUSH 0A0 parameter (which is the last parameter for strncat).
Then we inserted the original src and dest parameters of the strcat call, and finally we inserted a call to strncat instead of strcat.

Then we jump back to the next instruction after the strcat call. Using this method we bypassed strcat and redirected the call to strncat with an added size operand.

And that's all! It took us about 2 hours. I want to know why Adobe needs 20 days!! to patch such an easy vulnerability WITH SOURCE CODE! We patched it without having the source code in 2 hours and they need 20 days with the code; looks odd to me!

Anyway, you can download this CoolType.dll and put it in your Acrobat Reader folder; simply overwrite the old CoolType.dll and you'll be secure.

I should mention that we've patched the Acrobat 9 variant's CoolType.dll, so if you are using an older version of Acrobat, we suggest you upgrade to Acrobat 9.3.4 and then apply this patch; you'll be safe!

We've been notified about another vulnerability in Acrobat. It seems the vulnerability exists in an embedded Flash or 3D object. We don't have its sample; if we receive its sample, we'll be able to patch that vulnerability too, as that vulnerability will also be patched on 4 October. But we've not detected many exploitation attempts using that vulnerability, and it seems it's not publicly available.

https://www.rafzar.com/customers/patches/CoolType.dll (2.32 MB)

or compressed version (think about our bandwidth ;) )
https://www.rafzar.com/customers/patches/CoolType.tgz (1.1 MB)
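The strcat-to-strncat change above hinges on one detail the post glosses over: strncat's third argument limits the characters appended, not the size of the destination, so a fixed PUSH 0A0 is only safe when the target buffer has room for its existing contents plus 0xA0 bytes and a NUL. The following C is an added example (not RamzAfzar's patch or Adobe's code); the "Font:" prefix, the 0xA0 buffer and the 300-byte "A" name are constructed stand-ins, since the real CoolType.dll buffer layout is not on the page.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Constructed stand-in for the buffer that receives the SING UniqueName; 0xA0
   mirrors the PUSH 0A0 in the patch. The real CoolType.dll layout is not on the page. */
#define DEST_CAP 0xA0

/* The defect the post describes: strcat never sees dest's size, so bytes that do not
   fit land past the buffer. Only the spill is computed; strcat is never called here. */
size_t strcat_spill_bytes(size_t dest_cap, const char *dest, const char *name) {
    size_t need = strlen(dest) + strlen(name) + 1;   /* +1 for the NUL */
    return need > dest_cap ? need - dest_cap : 0;
}

/* Hardened append. strncat's third argument is the maximum number of characters
   appended, not the buffer size, so the limit must be the room left after what
   dest already holds, minus one for the NUL strncat adds. Returns true on truncation. */
bool append_unique_name(char *dest, size_t dest_cap, const char *name) {
    size_t used = strlen(dest);
    if (used + 1 >= dest_cap) return true;           /* no room at all */
    size_t room = dest_cap - used - 1;
    strncat(dest, name, room);
    return strlen(name) > room;
}

/* A fixed limit such as the patch's 0xA0 is only safe when dest can hold
   strlen(dest) + n + 1 bytes; check this for every call site such a patch touches. */
bool fixed_limit_fits(size_t dest_cap, const char *dest, size_t n) {
    return strlen(dest) + n + 1 <= dest_cap;
}

/* Both variants on a constructed 300-byte "AAAA..." UniqueName (the post's "300xA"
   case) against a buffer already holding "Font:". */
size_t demo_spill(void) {
    char name[301]; memset(name, 'A', 300); name[300] = '\0';
    return strcat_spill_bytes(DEST_CAP, "Font:", name);
}
size_t demo_truncated_len(void) {
    char name[301]; memset(name, 'A', 300); name[300] = '\0';
    char dest[DEST_CAP] = "Font:";
    append_unique_name(dest, DEST_CAP, name);
    return strlen(dest);                             /* DEST_CAP - 1 once truncated */
}

int main(void) {
    printf("strcat would spill %zu bytes; strncat keeps %zu chars\n", demo_spill(), demo_truncated_len());
    printf("fixed 0xA0 limit fits a 0xA0 buffer holding \"Font:\": %d\n", fixed_limit_fits(DEST_CAP, "Font:", 0xA0));
    return 0;
}
```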