Friday, September 10, 2010

Use EMET 2.0 to Block Adobe Reader and Acrobat 0-Day Exploit

http://www.adobe.com/support/security/advisories/apsa10-02.html

Mitigations

Current exploits in the wild target the Windows platform. Customers using Adobe Reader or Acrobat 9.3.4 or earlier on Windows can utilize Microsoft's Enhanced Mitigation Evaluation Toolkit (EMET) to help prevent this vulnerability from being exploited. For more information on EMET and implementing this mitigation, please refer to the Microsoft Security Research and Defense blog. Note that due to the time-sensitive nature of this issue, testing of the functional compatibility of this mitigation has been limited. Therefore, we recommend that you also test the mitigation in your environment to minimize any impact on your workflows.

---------------------------------------------------------------------------

http://blogs.technet.com/b/srd/archive/2010/09/10/use-emet-2-0-to-block-the-adobe-0-day-exploit.aspx

As you probably know there is a new exploit in the wild for Adobe Reader and Acrobat. This particular exploit is using the Return Oriented Programming (ROP) exploit technique in order to bypass Data Execution Prevention (DEP).

[...]

The good news is that if you have the Enhanced Mitigation Experience Toolkit 2.0 (EMET) enabled for AcroRd32.exe, it blocks this exploit. This happens thanks to two different mitigations:

Mandatory ASLR: On Windows 7, Windows Vista, Windows Server 2008 R2, and Windows Server 2008 this mitigation will force the relocation of non ASLR-aware DLLs. The exploit will then fail to use ROP successfully since it is expecting the DLL to be at a predictable location. Take a look at the below screenshot from Process Explorer to see what this looks like.

Export Address Table Access Filtering (EAF): The exploit is also blocked by the EAF mitigation. This is important for Windows XP and Windows Server 2003 because they do not support mandatory ASLR. With this mitigation in place EMET will detect the shellcode accessing the EAT of Kernel32.dll trying to resolve some APIs (e.g. LoadLibraryA). EMET will then raise a STATUS_STACK_BUFFER_OVERRUN unhandled exception and the program will be terminated before the shellcode does anything bad.
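The two mitigations above hinge on two fields of a module's PE image: the DllCharacteristics flag that says whether a DLL opted in to ASLR (the ones that did not are what mandatory ASLR forcibly relocates), and the Export Address Table that position-independent shellcode walks to find LoadLibraryA and friends in kernel32.dll (the access EAF intercepts). The following is an added example, not code from the SRD blog or from Adobe: a small, portable PE parser that reads both, run against a constructed in-memory PE32+ image (RVA equals buffer offset, export names and RVAs are made up, the "kernel32.dll" name is only a label). Real shellcode first locates kernel32 through the PEB loader list, which is Windows-specific and is left out here; the walk from the export directory onward is the same.

```c
/* Added example (not from the SRD blog or Adobe). A minimal PE reader that
 * (1) checks DllCharacteristics for IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE,
 *     i.e. whether a module is "ASLR-aware" or would need forced relocation, and
 * (2) resolves an export by name by walking the Export Address Table, the
 *     exact read EAF guards when shellcode does it against kernel32.dll.
 * All offsets are the documented PE header offsets; no Windows headers needed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DOS_MAGIC            0x5A4D       /* "MZ" */
#define PE_SIGNATURE         0x00004550   /* "PE\0\0" */
#define PE32_MAGIC           0x10B
#define PE32PLUS_MAGIC       0x20B
#define OPT_DLLCHAR_OFF      70           /* DllCharacteristics, same in PE32 and PE32+ */
#define DLLCHAR_DYNAMIC_BASE 0x0040       /* module supports ASLR */
#define DLLCHAR_NX_COMPAT    0x0100       /* module supports DEP */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xFF; p[1] = v >> 8; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (v >> (8 * i)) & 0xFF; }

/* Offset of the optional header, or 0 if the DOS/NT headers are not sane. */
static uint32_t opt_header_off(const uint8_t *img) {
    if (rd16(img) != DOS_MAGIC) return 0;
    uint32_t nt = rd32(img + 0x3C);                  /* e_lfanew */
    if (rd32(img + nt) != PE_SIGNATURE) return 0;
    return nt + 24;                                  /* signature (4) + file header (20) */
}

/* 1 if DYNAMIC_BASE is set (ASLR-aware), 0 if not, -1 on a bad image. */
int pe_is_aslr_aware(const uint8_t *img) {
    uint32_t opt = opt_header_off(img);
    if (!opt) return -1;
    return (rd16(img + opt + OPT_DLLCHAR_OFF) & DLLCHAR_DYNAMIC_BASE) ? 1 : 0;
}

/* EAT walk: RVA of the export called `name`, or 0 if it is not exported. */
uint32_t pe_resolve_export(const uint8_t *img, const char *name) {
    uint32_t opt = opt_header_off(img);
    if (!opt) return 0;
    uint16_t magic = rd16(img + opt);
    if (magic != PE32_MAGIC && magic != PE32PLUS_MAGIC) return 0;
    uint32_t exp = rd32(img + opt + (magic == PE32PLUS_MAGIC ? 112 : 96)); /* DataDirectory[0] */
    if (!exp) return 0;
    uint32_t nnames = rd32(img + exp + 24);          /* NumberOfNames */
    uint32_t funcs  = rd32(img + exp + 28);          /* AddressOfFunctions */
    uint32_t names  = rd32(img + exp + 32);          /* AddressOfNames */
    uint32_t ords   = rd32(img + exp + 36);          /* AddressOfNameOrdinals */
    for (uint32_t i = 0; i < nnames; i++) {
        if (strcmp((const char *)img + rd32(img + names + 4 * i), name) == 0)
            return rd32(img + funcs + 4 * rd16(img + ords + 2 * i));
    }
    return 0;
}

/* Constructed sample image (assumption: flat buffer, RVA == offset). The
 * export RVAs are invented. `dynamic_base` selects the ASLR opt-in flag. */
#define IMG_SIZE 0x400
static uint8_t g_image[IMG_SIZE];
const uint8_t *build_sample_image(int dynamic_base) {
    static const char *exports[] = { "GetProcAddress", "LoadLibraryA", "VirtualProtect" }; /* name table is sorted, as in real EATs */
    static const uint32_t rvas[] = { 0x1100, 0x1000, 0x1200 };
    uint8_t *img = g_image;
    memset(img, 0, IMG_SIZE);
    wr16(img, DOS_MAGIC);
    wr32(img + 0x3C, 0x40);                          /* e_lfanew */
    wr32(img + 0x40, PE_SIGNATURE);
    wr16(img + 0x44, 0x8664);                        /* Machine: AMD64 */
    wr16(img + 0x54, 240);                           /* SizeOfOptionalHeader for PE32+ */
    uint32_t opt = 0x58;
    wr16(img + opt, PE32PLUS_MAGIC);
    wr16(img + opt + OPT_DLLCHAR_OFF, DLLCHAR_NX_COMPAT | (dynamic_base ? DLLCHAR_DYNAMIC_BASE : 0));
    wr32(img + opt + 108, 16);                       /* NumberOfRvaAndSizes */
    uint32_t exp = 0x200;
    wr32(img + opt + 112, exp);                      /* export directory RVA */
    wr32(img + opt + 116, 0x100);                    /* export directory size */
    uint32_t funcs = exp + 40, names = funcs + 16, ords = names + 16, strs = ords + 8;
    wr32(img + exp + 12, strs);                      /* Name -> "kernel32.dll" (label only) */
    wr32(img + exp + 16, 1);                         /* Base ordinal */
    wr32(img + exp + 20, 3); wr32(img + exp + 24, 3);
    wr32(img + exp + 28, funcs); wr32(img + exp + 32, names); wr32(img + exp + 36, ords);
    strcpy((char *)img + strs, "kernel32.dll"); strs += 13;
    for (uint32_t i = 0; i < 3; i++) {
        wr32(img + funcs + 4 * i, rvas[i]);
        wr32(img + names + 4 * i, strs);
        wr16(img + ords + 2 * i, (uint16_t)i);       /* unbiased ordinal = index into functions */
        strcpy((char *)img + strs, exports[i]); strs += (uint32_t)strlen(exports[i]) + 1;
    }
    return img;
}

int main(void) {
    const uint8_t *img = build_sample_image(0);
    printf("DYNAMIC_BASE set: %d (0 = mandatory ASLR would force a relocation)\n", pe_is_aslr_aware(img));
    printf("LoadLibraryA RVA: 0x%x (this EAT read is what EAF traps on kernel32)\n", pe_resolve_export(img, "LoadLibraryA"));
    printf("Unknown export:   0x%x\n", pe_resolve_export(img, "NotAnExport"));
    return 0;
}
```

Two things worth noting: pe_is_aslr_aware() is the check behind the "non ASLR-aware DLLs" wording above (a DLL without DYNAMIC_BASE loads at its preferred base unless something like EMET forces otherwise), and pe_resolve_export() reads the names, ordinals and functions tables in the same order shellcode does, so placing a guard on those tables is enough to catch it regardless of which API it is looking for.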

[...]

We have been working closely with the Adobe Secure Software Engineering Team (ASSET) on recommending EMET as a mitigation option. Due to the time-sensitive nature of this issue, we have only been able to perform a cursory look at the functional compatibility of this mitigation. Keep in mind, Adobe Reader and Acrobat support broad feature sets, which require extensive testing to fully cover all functionality. Therefore, we recommend that you also test the mitigation in your environment to minimize any impact on your workflows.
