|12 Sep 2010||#1|
Use EMET 2.0 to block Adobe Reader and Acrobat 0-day exploit.
Background on the exploit
As you probably know there is a new exploit in the wild for Adobe Reader and Acrobat. This particular exploit is using the Return Oriented Programming (ROP) exploit technique in order to bypass Data Execution Prevention (DEP).
Normally Address Space Layout Randomization (ASLR) would help prevent successful exploitation. However, this product ships with a DLL (icucnv36.dll) that doesn’t have ASLR turned on. Without ASLR, this DLL is always going to be loaded at a predictable address and can be leveraged by an exploit. In the below screenshot we use Process Explorer to show what this looks like.
Find more information on the importance of enabling ASLR in your products at http://msdn.microsoft.com/en-us/library/bb430720.aspx.
How EMET 2.0 blocks the exploit
The good news is that if you have the Enhanced Mitigation Experience Toolkit 2.0 (EMET) enabled for AcroRd32.exe, it blocks this exploit. This happens thanks to two different mitigations:
Source: Use EMET 2.0 to block Adobe Reader and Acrobat 0-day exploit - Security Research & Defense - TechNet Blogs
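As an added example (not from the SRD post or this thread), here is a Python script that does programmatically what the Process Explorer screenshot shows: it parses a module's PE optional header and reports whether the image opted into ASLR (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) and DEP (IMAGE_DLLCHARACTERISTICS_NX_COMPAT), so an administrator can audit a process for modules that will always load at a predictable address. The module headers below are constructed for the demo; only the fact that icucnv36.dll lacks ASLR comes from the post.

```python
import struct

# Flag values from the PE/COFF specification (winnt.h names).
IMAGE_FILE_DLL = 0x2000
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # module opted into ASLR
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # module opted into DEP

def pe_mitigation_flags(data: bytes) -> dict:
    """Read a PE image's DllCharacteristics and report its ASLR/DEP opt-in."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (we need the last two).
    *_, opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B) or opt_size < 72:
        raise ValueError("unsupported optional header")
    # DllCharacteristics is at offset 70 in both PE32 (0x10B) and PE32+ (0x20B).
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return {
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }

def modules_without_aslr(modules: dict) -> list:
    """Names of loaded modules that did not opt into ASLR (predictable load address)."""
    return sorted(n for n, d in modules.items() if not pe_mitigation_flags(d)["aslr"])

def build_minimal_pe(dll_chars: int, is_dll: bool = True) -> bytes:
    """Construct a minimal, non-loadable PE32 header carrying only the fields read above."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    characteristics = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, characteristics)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)

# Constructed sample process image; only icucnv36.dll lacking ASLR is taken from the post.
SAMPLE_MODULES = {
    "AcroRd32.exe": build_minimal_pe(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT, is_dll=False),
    "icucnv36.dll": build_minimal_pe(IMAGE_DLLCHARACTERISTICS_NX_COMPAT),  # DEP on, ASLR off
}
```

To audit a real process, read the bytes of each loaded module's file into the dict in place of the constructed headers; the builder exists only so the script runs offline.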