Acrobat Users: Don't Install Third-Party Security Patch

By Chris Head, PC World |  Security, adobe acrobat, PDF

After warning users earlier this week of a potential security risk in its popular Acrobat PDF software, Adobe is now cautioning users against installing a third-party patch that claims to address the issue. The vulnerability, detailed on Adobe's site, affects all versions of Adobe Acrobat and Reader for various OSes, including Mac OS X, Windows, Linux, and Android.

The third-party patch released yesterday by security firm RamzAfzar was purportedly developed in two hours, and has been released well ahead of the projected October 4th release date for the official Adobe patch.

The Nerdy Details

If you aren't a security nerd, feel free to skip to the next section. Otherwise, read on!

The vulnerability itself is rooted in the use of an unsafe method for memory manipulation, which RamzAfzar claims to have fixed by replacing the insecure calls with code that prevents an attacker from gaining control of a target computer with the exploit.

While Adobe is correct to warn users that installing an unofficially patched DLL containing program code is a risk in itself, the fact remains that the original bug is both embarrassing and costly, considering it is a well-known attack vector in most software and could have easily been prevented.

The function call at the core of the issue is "strcat", which appends one string to the end of another in memory but doesn't check whether the destination has room for the data being transferred, whereas "strncat", which takes a limit on how many characters to append, was developed specifically to prevent this sort of vulnerability.
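For the curious, here is the difference between the two calls in C. This is an added illustration, not code from Adobe or from the RamzAfzar patch; the function names, buffer size and sample input are made up for the example. Note that strncat's limit is the free space left in the destination minus one, not the size of the buffer.

```c
#include <stdio.h>
#include <string.h>

/* Unsafe pattern: strcat() has no idea how big dst is. If strlen(dst) +
 * strlen(src) + 1 exceeds the buffer, it writes past the end. */
void append_unchecked(char *dst, const char *src)
{
    strcat(dst, src);
}

/* Bounded pattern (hypothetical helper). strncat()'s third argument is the
 * maximum number of characters to append, NOT the size of dst, and it always
 * writes a terminating NUL after them. So the limit is free space minus one.
 * Returns 0 if all of src fit, -1 if src was truncated or dst was not a
 * NUL-terminated string within dst_size bytes. */
int append_bounded(char *dst, size_t dst_size, const char *src)
{
    const char *end = memchr(dst, '\0', dst_size);
    if (end == NULL)
        return -1;                       /* no terminator inside the buffer */

    size_t used = (size_t)(end - dst);
    size_t room = dst_size - used - 1;   /* keep one byte for the NUL */

    strncat(dst, src, room);
    return strlen(src) > room ? -1 : 0;  /* report truncation to the caller */
}

int main(void)
{
    char buf[16] = "name=";                         /* constructed buffer */
    const char *field = "AAAAAAAAAAAAAAAAAAAAAAAA"; /* constructed 24-byte input */

    /* append_unchecked(buf, field) would write 30 bytes into 16. */
    int rc = append_bounded(buf, sizeof buf, field);
    printf("rc=%d result=\"%s\" len=%zu\n", rc, buf, strlen(buf));
    return 0;
}
```

A caller that ignores the -1 return still ends up with a silently shortened string, so the truncation case needs its own handling.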

Avoiding the Bug

If you're using Adobe Reader, there's not much you can do to avoid the bug until Adobe releases its update. You can, however, install an alternate PDF reader, such as Foxit Reader for Windows, which will help you avoid attacks on Adobe Reader. Mac users can use Preview, the image viewer bundled with Mac OS X. And we'll let you know about the official Adobe update as soon as it's released.

[via Threatpost]

Originally published on PC World.