Unofficial patch plugs 0-day Adobe security vuln.
Mind the gap
Updated Security researchers have developed an unofficial patch for a zero-day Adobe Acrobat and Reader vulnerability that's become the subject of hacker attacks.
Adobe acknowledged the vulnerability last week but said an official patch wouldn't be available until 11 March.
In response to the threat, Sourcefire has released a "homebrew" patch against the vulnerability. The fix replaces a vulnerable DLL library file and weighs in at 10MB, even with compression. In addition it only works for Adobe Reader version 9. Version 8 is also vulnerable so surfers still using that version of the software will need to upgrade before even thinking about applying the unofficial patch.
Prospective users are urged to test this unofficial patch before applying the update. Deploying third party modified software into an environment carries greater risk than applying official patches, which are themselves capable of causing problems from time to time.
Unofficial patches have previously been released in the case of Microsoft vulnerabilities, most notably by the Zeroday Emergency Response Team. Unsanctioned security updates for application by other vendors is something of an innovation, however. ®