September 17, 2010, 12:25 PM — After warning users earlier this week of a potential security risk in their popular Acrobat PDF software, Adobe is now cautioning users against installing a third-party patch that claims to address the issue. The vulnerability, detailed on Adobe's site, affects all versions of Adobe Acrobat and Reader for various OSes, including Mac OS X, Windows, Linux, and Android.
The third-party patch released yesterday by security firm RamzAfzar was purportedly developed in two hours, and has been released well ahead of the projected October 4th release date for the official Adobe patch.
The Nerdy Details
If you aren't a security nerd, feel free to skip to the next section. Otherwise, read on!
The vulnerability itself is rooted in the use of an unsafe method for memory manipulation, which RamzAfzar claims to have fixed by replacing the insecure calls with code that prevents an attacker from gaining control of a target computer with the exploit.
While Adobe is correct to warn users that installing an unofficially patched DLL containing program code is a risk in itself, the fact remains that the original bug is both embarrassing and costly, considering it is a well-known attack vector in most software and could have easily been prevented.
The function call at the core of the issue is "strcat", which copies data from one memory location to another, but doesn't validate the amount of information to transfer, whereas the revised "strncat" was developed specifically to prevent this sort of vulnerability.
Avoiding the Bug
If you're using Adobe Reader, there's not much you can do to avoid the bug until Adobe releases its update. You can, however, install an alternate PDF reader, such as Foxit Reader for Windows, which will help you avoid attacks on Adobe Reader. Mac users can use Preview, the image viewer bundled with Mac OS X. And we'll let you know about the official Adobe update as soon as it's released.
More for PCWorld's GeekTech blog...