Unauthorized patch for Adobe Reader flaw brings temporary relief
By Gina on September 16, 2010 | Vulnerabilities, Adobe Reader, vulnerability, flaw, RamzAfzar, update, how to fix
Recently, a huge Adobe Reader vulnerability was fixed by an unexpected, unofficial patch released by security researchers. The flaw was being exploited by malware authors for their malicious purposes, and a considerable amount of malware was delivered to systems running Microsoft Windows.
The download replaces a buggy strcat call in a font-rendering DLL module with safer behavior.
The researchers at penetration-testing firm RamzAfzar stated: "We've decided to modify this strcat call and convert it to strncat. Why? Because strncat at least receives the buffer size and how much bytes you want to copy from src to dest."
It is not certain that the released update truly patches the flaw; however, the chief architect of the Metasploit project commented that the approach seems to make sense.
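The strcat-to-strncat change described above, as an added C example; it is not RamzAfzar's patch or Adobe's code, and the buffer size, input string and the `bounded_append` helper are hypothetical. It shows the detail that decides whether such a fix holds: strncat's third argument is the number of bytes to append, not the size of the destination.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16 /* hypothetical; the real buffer size is not given on the page */

/* Append src to dst (total capacity dst_size) without writing past the end.
 * Returns 0 if src fit, 1 if it was truncated, -1 on unusable input. */
int bounded_append(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;

    /* Find the current end of dst, looking no further than its capacity. */
    const char *end = memchr(dst, '\0', dst_size);
    if (end == NULL) /* dst is not NUL-terminated inside its own buffer */
        return -1;
    size_t used = (size_t)(end - dst);

    /* strncat appends at most `room` bytes and then always writes a NUL,
     * so one byte of the remaining space is reserved for the terminator.
     * Passing dst_size here instead would still overflow the buffer. */
    size_t room = dst_size - used - 1;
    strncat(dst, src, room);

    /* Report truncation so the caller can reject the malformed input. */
    return strlen(src) > room ? 1 : 0;
}

int main(void)
{
    char buf[BUF_SIZE] = "Font:";
    /* Constructed oversized input, standing in for attacker-controlled data. */
    const char *long_name = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

    /* Unbounded form (not executed): strcat(buf, long_name);
     * it would copy 32 bytes plus a NUL into 10 free bytes. */
    int rc = bounded_append(buf, sizeof buf, long_name);
    printf("rc=%d len=%zu buf=\"%s\"\n", rc, strlen(buf), buf);
    return 0;
}
```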
Adobe has said that it will not release its new security bulletin until October 4. That does not make sense to the RamzAfzar researchers who patched the vulnerability: fixing the flaw took them 2 hours, and they did not need any source code to do it. Adobe, however, needs 3 weeks for the same job, which the people at RamzAfzar find odd.
It should be said that Adobe has to run a lot of tests to make sure its update really does patch the hole on all machines. What is more, Adobe Reader users can protect themselves by using an alternative PDF viewer that isn't as widely targeted.