Adobe Reader flaw: Microsoft blocks the attack
To protect Windows users from an attack exploiting a vulnerability in Adobe Reader, Microsoft recommends its free EMET security tool.
Adobe recently published a security advisory about a zero-day flaw in Adobe Reader (and Acrobat). The flaw is already being exploited in an attack that Secunia rates as "extremely critical". While a patch to correct the issue is still pending, Adobe has not provided a workaround; its recommendation is to update the Adobe software as soon as a fix is available and, in the meantime, to apply the mitigation provided by Microsoft.
To prevent the vulnerability from being exploited, Microsoft recommends using the Enhanced Mitigation Evaluation Toolkit (EMET), a free security tool whose version 2.0 was released at the beginning of the month.
According to Microsoft, EMET blocks the exploit currently in circulation. That exploit defeats Windows Data Execution Prevention (DEP), the protection that stops an application or service from executing code located in a non-executable memory region. To get around DEP, the exploit uses the Return Oriented Programming (ROP) technique.
The ROP technique uses the call stack to redirect execution to a function in a software library whose address is known, and thereby gains indirect access to an executable memory region. This PDF exploit relies on the icucnv36.dll library used by Adobe Reader, for which ASLR (Address Space Layout Randomization) is not enabled. Without ASLR, the DLL is loaded at a predictable address, which is what makes the exploit work.
With EMET, Mandatory ASLR can be enabled to force the DLL to load at a different address (unknown to the exploit), which blocks the exploit under Windows Vista and 7 (and Server 2008 and 2008 R2). Windows XP (and Server 2003) has no ASLR support, so Mandatory ASLR does not apply there; the EMET upgrade also includes another technique that blocks this exploit.
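Whether a DLL such as icucnv36.dll opts into ASLR (and DEP) can be read directly from the DllCharacteristics field of its PE optional header. The following Python script is an added example and not part of the original article or of EMET; it checks a file given on the command line and, because the real DLL cannot be embedded here, also builds a constructed minimal PE32 image for a self-test.

```python
import struct
import sys

# Flag bits of the PE optional header's DllCharacteristics field
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image may be relocated: ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image is DEP-compatible

def dll_characteristics(data: bytes) -> int:
    """Return the DllCharacteristics flags of a PE image given as raw bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)       # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt = e_lfanew + 4 + 20          # skip PE signature and 20-byte COFF file header
    magic, = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both the PE32 and PE32+ layouts
    flags, = struct.unpack_from("<H", data, opt + 70)
    return flags

def aslr_enabled(data: bytes) -> bool:
    return bool(dll_characteristics(data) & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)

def dep_enabled(data: bytes) -> bool:
    return bool(dll_characteristics(data) & IMAGE_DLLCHARACTERISTICS_NX_COMPAT)

def build_fake_pe(flags: int) -> bytes:
    """Constructed sample: a minimal PE32 header carrying only the fields read above."""
    image = bytearray(0x40 + 4 + 20 + 96)            # DOS stub, signature, COFF, optional header
    image[:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, 0x40)         # e_lfanew -> PE signature at 0x40
    image[0x40:0x44] = b"PE\0\0"
    opt = 0x40 + 4 + 20
    struct.pack_into("<H", image, opt, 0x10B)         # PE32 magic
    struct.pack_into("<H", image, opt + 70, flags)
    return bytes(image)

if __name__ == "__main__":
    # Usage: python check_aslr.py icucnv36.dll  (file path is the user's choice)
    with open(sys.argv[1], "rb") as f:
        blob = f.read()
    print("ASLR (DYNAMIC_BASE):", aslr_enabled(blob))
    print("DEP  (NX_COMPAT):   ", dep_enabled(blob))
```

A set DYNAMIC_BASE flag only means the image opts in; whether it is actually randomized still depends on the OS (Windows XP has no ASLR), which is the gap EMET's Mandatory ASLR closes on Vista and 7 for images that do not opt in.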
To enable EMET for Adobe Reader (see Microsoft’s explanations), the user has to install the free tool and then run the following command line: C:\Program Files (x86)\EMET>emet_conf.exe --add "c:\program files (x86)\Adobe\Reader 9.0\Reader\acrord32.exe"
Not widely known, EMET proves its usefulness in this case. As for Adobe, some security researchers find it regrettable that ASLR is not enabled for icucnv36.dll, since the vendor could easily have prevented the attacks by doing so. More than ever, users are awaiting the new version of Adobe Reader with its sandbox technology.