Windows 7: Microsoft, Adobe: PDF security flaw treatable

Microsoft and Adobe Systems have announced that a recently released Microsoft toolkit can be used to block zero-day attacks targeting a security flaw in Adobe's Acrobat and Reader programs.



In its advisory, Microsoft says the following:

"In order to enable EMET for Adobe Reader and Acrobat you have to install EMET and run the following simple command line as an Administrator. Please note the path to the Adobe Reader and Acrobat could be different in your system (especially if you are not using a 64 bit system).

C:\Program Files (x86)\EMET>emet_conf.exe --add "c:\program files (x86)\Adobe\Reader 9.0\Reader\acrord32.exe"

The changes you have made may require restarting one or more applications

EMET supports both 32- and 64-bit applications and activates specific protection mechanisms in compiled binaries. It adds the following mitigations to applications that do not support them natively:

• Structured Error Handling Overwrite Protection (SEHOP) prevents Structured Exception Handling (SEH) overwrite exploitation by performing SEH chain validation.
• Dynamic Data Execution Prevention marks portions of a process’s memory non-executable, making it difficult to exploit memory corruption vulnerabilities.
• NULL page allocation allocates the first page of memory before program initialization and blocks attackers from taking advantage of NULL references in user mode.
• Heap Spray Allocation pre-allocates memory addresses to block common attacks that fill a process’s heap with specially crafted content.
• Mandatory address space layout randomization (ASLR), as well as non-ASLR-aware modules on Windows Vista, Windows Server 2008 and Windows 7.
• Export address table (EAT) uses hardware breakpoints to filter access to the EAT of kernel32.dll and ntdll.dll, blocks access if the instruction pointer is not inside a module, and breaks current common metasploit shellcodes.