September 13, 2010, 12:02PM
Microsoft Anti-Exploit Tool Protects Against Adobe Zero Day
Comment 
Although Adobe doesn't have a patch ready yet for the newly disclosed vulnerability in the company's Reader application, Adobe and Microsoft security officials said that Microsoft's recently released Enhanced Mitigation Environment Toolkit 2.0 can protect users against the exploit that is currently circulating.
The EMET toolkit is designed to enable users to add exploit mitigations such as ASLR (Address Space Layout Randomization) and DEP (Data Execution Protection) to applications that previously didn't include them. Microsoft and Adobe said on Friday that EMET can protect users against attacks against the current zero day flaw in Reader by forcing a specific DLL into using ASLR. That moves the address where the DLL is located from a previously predictable location to a random address, preventing the current exploit from working.
From Microsoft's blog post on using EMET to defeat the Reader exploit:
Editor's Pick
The good news is that if you have the Enhanced Mitigation Experience Toolkit 2.0 (EMET) enabled for AcroRd32.exe, it blocks this exploit. This is happens thanks to two different mitigations:
Mandatory ASLR: On Windows 7, Windows Vista, Windows Server 2008 R2, and Windows Server 2008 this mitigation will force the relocation of non ASLR-aware DLLs. The exploit will then fail to use ROP successfully since it is expecting the DLL to be at a predictable location. Take a look at the below screenshot from Process Explorer to see what this looks like.
Export Address Table Access Filtering (EAF): The exploit is also blocked by the EAF mitigation. This is important for Windows XP and Windows Server 2003 because they do not support mandatory ASLR. With this mitigation in place EMET will detect the shellcode accessing the EAT of Kernel32.dll trying to resolve some APIs (e.g. LoadLibraryA). EMET will then raise a STATUS_STACK_BUFFER_OVERRUN unhandled exception and the program will be terminated before the shellcode does anything bad.
Adobe has not specified when it will release a patch for this flaw, which is a stack buffer overflow in Reader. IN the meantime, the deployment of EMET is a good option on systems that need to have Reader installed.
Commenting on this Article is closed.
Today's Most Popular
- Defense Contractor Northrop Grumman Hiring For Offensive Cyber Ops
- Iranian Students Claim to have Stolen Thousands of Researcher's Records
- Report: Diablo III Users Find Accounts Hacked, Gold Stolen And New 'Mystery' Friends
- Why Google Won't Protect You From Big Brother
- Forget 'Brogrammers,' Women Have The Edge In DEFCON Social Engineering Contest
Most Commented Stories
-
Forget 'Brogrammers,' Women Have The Edge In DEFCON Social Engineering Contest (9)
-
Defense Contractor Northrop Grumman Hiring For Offensive Cyber Ops (9)
-
HULK DDoS Tool Smash Web Server, Server Fall Down (3)
-
Author of LilyJade Facebook Plugin Ignores Facebook Cease-and-Desist (3)
-
Report: Diablo III Users Find Accounts Hacked, Gold Stolen And New 'Mystery' Friends (2)
Newsletter Sign-up
Take Our Poll
The Internet Crime Complaint Center recently warned of malware targeting travelers connecting to Wi-Fi. When traveling, do you
Connect to anything
20%
Only connect to password-protected, secure connections
38%
Only use websites with HTTPS
28%
I don’t pay attention to how I access the internet while traveling
14%
Total votes: 65
Follow Threatpost
 |  |  |  |
| Tumblr |
