Microsoft's anti-exploit toolkit can help mitigate PDF zero-day attacks

Summary:Microsoft is pushing its new Enhanced Mitigation Experience Toolkit (EMET) as a temporary mitigation for the ongoing attacks against a zero-day vulnerability in Adobe's PDF Reader/Acrobat products.

Microsoft is pushing its new Enhanced Mitigation Experience Toolkit (EMET) as a temporary mitigation for the ongoing attacks against a zero-day vulnerability in Adobe's PDF Reader/Acrobat products.

The EMET utility, which effectively backports anti-exploit mitigations like ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention) to older versions of Windows, would force the relocation of non ASLR-aware DLLs in Adobe's products.

Microsoft ships anti-exploit tool for IT admins ]

follow Ryan Naraine on twitter

Adobe Reader and Acrobat products ship with a DLL (icucnv36.dll) that doesn't have ASLR turned on. Without ASLR, this DLL is always going to be loaded at a predictable address and can be leverage by an exploit.

However, on Windows 7, Windows Vista, Windows Server 2008 R2, and Windows Server 2008, the DLL would be forced into a new address.

The exploit will then fail to use ROP successfully since it is expecting the DLL to be at a predictable location.

New Adobe PDF zero-day under attack ]

As previously reported, the zero-day attacks against Adobe PDF Reader/Acrobat includes the use of clever techniques to bypass anti-exploit roadblocks in Windows and a signed digital certificate belonging to a U.S. credit union.

Adobe has released an alert to confirm the vulnerability and active attacks and now confirms that Microsoft's EMET can be used as a temporary mitigation.

EMET supports both 32- and 64-bit applications and activates specific protection mechanisms in compiled binaries. It adds the following mitigations to applications that do not support them natively:

  • Structured Error Handling Overwrite Protection (SEHOP) prevents Structured Exception Handling (SEH) overwrite exploitation by performing SEH chain validation.
  • Dynamic Data Execution Prevention marks portions of a process’s memory non-executable, making it difficult to exploit memory corruption vulnerabilities.
  • NULL page allocation allocates the first page of memory before program initialization and blocks attackers from taking advantage of NULL references in user mode.
  • Heap Spray Allocation pre-allocates memory addresses to block common attacks that fill a process’s heap with specially crafted content.
  • Mandatory address space layout randomization (ASLR), as well as non-ASLR-aware modules on Windows Vista, Windows Server 2008 and Windows 7.
  • Export address table (EAT) uses hardware breakpoints to filter access to the EAT of kernel32.dll and ntdll.dll, blocks access if the instruction pointer is not inside a module, and breaks current common metasploit shellcodes.

Topics: Microsoft

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.