Microsoft's anti-exploit toolkit can help mitigate PDF zero-day attacks


Summary: Microsoft is pushing its new Enhanced Mitigation Experience Toolkit (EMET) as a temporary mitigation for the ongoing attacks against a zero-day vulnerability in Adobe's PDF Reader/Acrobat products.

The EMET utility, which applies anti-exploit mitigations such as ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention) to applications that were not built to use them, can force the relocation of the non-ASLR-aware DLL that Adobe's products load.

By Ryan Naraine

Adobe Reader and Acrobat ship with a DLL (icucnv36.dll) that was not linked with ASLR support. Because the module does not opt into ASLR, Windows maps it at its preferred base address every time, so an attacker knows in advance where its code lives and can build a return-oriented programming (ROP) chain out of instruction sequences inside it, which is how the exploit gets past DEP.

With EMET's mandatory ASLR enabled for the Reader process on Windows 7, Windows Vista, Windows Server 2008 R2 and Windows Server 2008, the DLL is instead loaded at a randomized base address. Windows XP has no ASLR, so EMET cannot randomize the DLL there; the forced relocation applies only to the systems listed.

The exploit's ROP chain, which hardcodes gadget addresses computed from the DLL's predictable location, then points at the wrong bytes, and the attack fails before any payload runs. Forced ASLR is a mitigation, not a fix: it raises the cost of exploitation until Adobe patches the underlying vulnerability.


As previously reported, the zero-day attacks against Adobe Reader and Acrobat use clever techniques (the ROP chain described above) to bypass the anti-exploit roadblocks in Windows, and the malware they drop is signed with a digital certificate belonging to a U.S. credit union.

Adobe has released an advisory confirming the vulnerability and the active attacks, and now confirms that Microsoft's EMET can be used as a temporary mitigation until a patch ships.

EMET supports both 32- and 64-bit applications and switches on specific protection mechanisms for already-compiled binaries, with no recompilation required. It adds the following mitigations to applications that do not support them natively:

  • Structured Exception Handler Overwrite Protection (SEHOP) blocks SEH overwrite exploitation by validating the exception handler chain before a handler is dispatched.
  • Dynamic Data Execution Prevention (DEP) marks the process's data memory non-executable, so a memory corruption bug cannot simply jump to attacker-supplied bytes on the stack or heap; this is what forces the exploit to resort to ROP in the first place.
  • NULL page allocation reserves the first page of memory before the program initializes, blocking user-mode exploitation of NULL pointer dereferences.
  • Heap spray allocation pre-allocates the addresses that heap sprays commonly aim for, so a process's heap cannot be filled with attacker-crafted content at those locations.
  • Mandatory address space layout randomization (ASLR) randomizes the load address of every module in the process, including non-ASLR-aware modules such as Adobe's icucnv36.dll, on Windows Vista, Windows Server 2008 and Windows 7.
  • Export address table access filtering (EAF) uses hardware breakpoints to filter reads of the export address tables of kernel32.dll and ntdll.dll, blocking the access if the instruction pointer is not inside a loaded module; this breaks the API-resolution stubs in most common Metasploit shellcodes. It is a heuristic rather than a guarantee: shellcode that locates APIs some other way is not caught.
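As an added example (not code from Microsoft, Adobe or this article), here is the check a practitioner would run on a module before deciding it needs EMET, covering both the icucnv36.dll discussion above and the ASLR/DEP entries in the mitigation list: parse the PE optional header's DllCharacteristics to see whether the module opted into ASLR (/DYNAMICBASE) and DEP (/NXCOMPAT), map what is missing to the EMET mitigations named above, and model why a ROP chain built against the preferred base stops resolving once the module is relocated. The PE images, the 0x10000000 image base and the gadget RVAs are constructed fixtures, not icucnv36.dll's real values.

```python
"""Check whether a PE module opts into ASLR/DEP and map the gaps to EMET
mitigations. Added example with constructed PE fixtures, not Adobe's DLL."""
import struct

# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (PE/COFF specification)
DYNAMIC_BASE = 0x0040   # /DYNAMICBASE: image may be relocated by ASLR
NX_COMPAT = 0x0100      # /NXCOMPAT: image is DEP-compatible


def build_pe32(image_base, dll_characteristics):
    """Build the headers of a minimal PE32 image (constructed fixture:
    enough for a header parser, not a loadable module)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: Machine=i386, 0 sections, SizeOfOptionalHeader=224,
    # Characteristics = EXECUTABLE_IMAGE | 32BIT_MACHINE | DLL
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)           # ImageBase
    struct.pack_into("<H", opt, 70, dll_characteristics)  # DllCharacteristics
    return dos + b"PE\x00\x00" + coff + bytes(opt)


def pe_mitigation_flags(data):
    """Parse ImageBase and DllCharacteristics from a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20                      # skip signature + COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                           # PE32: 4-byte ImageBase at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                         # PE32+: 8-byte ImageBase at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    return {
        "image_base": image_base,
        "aslr": bool(dll_chars & DYNAMIC_BASE),
        "dep": bool(dll_chars & NX_COMPAT),
    }


def emet_gaps(flags):
    """EMET mitigations (from the article's list) that cover what the
    module did not opt into at link time."""
    gaps = []
    if not flags["aslr"]:
        gaps.append("Mandatory ASLR")
    if not flags["dep"]:
        gaps.append("DEP")
    return gaps


def rop_chain_resolves(gadget_rvas, preferred_base, actual_base):
    """Model the exploit's assumption: the chain hardcodes
    preferred_base + RVA for each gadget. Every entry must land on the
    gadget it was meant for in the module as actually mapped."""
    live = {actual_base + rva: rva for rva in gadget_rvas}
    return all(live.get(preferred_base + rva) == rva for rva in gadget_rvas)


# Constructed stand-ins: a DLL linked without /DYNAMICBASE or /NXCOMPAT
# (the situation the article describes) and one linked with both.
LEGACY_DLL = build_pe32(0x10000000, 0x0000)
HARDENED_DLL = build_pe32(0x10000000, DYNAMIC_BASE | NX_COMPAT)

if __name__ == "__main__":
    for name, image in (("legacy", LEGACY_DLL), ("hardened", HARDENED_DLL)):
        flags = pe_mitigation_flags(image)
        print(name, flags, "EMET needed for:", emet_gaps(flags) or "nothing")
    # Gadget RVAs are made up; the chain works only at the preferred base.
    rvas = [0x00011F2A, 0x0002A3C0, 0x000401D7]
    print("ROP at preferred base:", rop_chain_resolves(rvas, 0x10000000, 0x10000000))
    print("ROP after forced relocation:", rop_chain_resolves(rvas, 0x10000000, 0x6B2D0000))
```

To audit a real module, pass `open(path, "rb").read()` to `pe_mitigation_flags`; any DLL in a process's address space that reports `aslr: False` is a ready-made gadget source unless mandatory ASLR is applied to that process.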

Talkback

17 comments
  • RE: Microsoft's anti-exploit toolkit can help mitigate PDF zero-day attacks

    I started using EMET 2.0 when it was released in the past week since I understand arbitrary code execution attacks (You mean I got p0wned from watching a video on the web? -Joe Average. Yes.). Therefore what EMET brought to the table was not lost on me. In fact, I had been waiting for its release for several weeks after seeing the video Microsoft released some weeks ago.

    What surprises me however is why, despite exploits for Adobe's products continually surfacing, they have not made a concerted effort to recompile their product with various mitigating technologies such as ASLR.

    As someone who used to write software I'm fully aware of all the regression testing, QA and the potential cost of such an endeavor, e.g., putting the development team(s) to work on re-architecting vs. adding great new features. I'm sure the new Microsoft compiler will toss errors whereas the old one didn't and/or the app (PDF, Flash) will break in various ways (that's why you use a bug tracking tool).

    Yes, all this would be time consuming but guess what? Adobe should make it their top priority so as to protect their brand.

    -M
    betelgeuse68
  • Available for Win XP?

    Is this EMET available for Win XP? (I have WinXPPro SP3.) If yes, just normal Windows Update?
    glnz
    • RE: Microsoft's anti-exploit toolkit can help mitigate PDF zero-day attacks

      @glnz

      Link to the download.
      http://www.microsoft.com/downloads/en/details.aspx?FamilyID=c6f0a6ee-05ac-4eb6-acd0-362559fd2f04&displayLang=en

      They have a good 20 minute video that explains how it works as well.
      http://technet.microsoft.com/en-us/security/ff859539.aspx
      Admin71
      • RE: Microsoft's anti-exploit toolkit can help mitigate PDF zero-day attacks

        @Bookmark71 Thanks for the links. I was about to ask, so thank you again.
        Par-Pro
    • RE: Microsoft's anti-exploit toolkit can help mitigate PDF zero-day attacks

      @glnz

      Apparently doesn't work on Windows XP SP3. I've installed it and it shows that DEP is opt-in. I added Acrobat Reader to the protection list, started it and get no indicator in the "running with EMET" column. Tried the same with notepad with equal results. Rebooted the computer, same results. Installed on another Windows XP SP3 system, same results.

      Has worked fine on all the Windows 7 systems I've used EMET for protecting Acrobat Reader.
      Boomslang
      • RE: Microsoft's anti-exploit toolkit can help mitigate PDF zero-day attacks

        @Boomslang

        I'm not sure why it doesn't appear however from a command prompt you can type emet_conf --list and a list of programs it's controlling will display. You will have to change to the c:\program files\emet directory before running the command unless you add the path to the command.
        Admin71
  • Too late

    Some of us are fiddlin' with Ubuntu parachutes. :p
    klumper
    • RE: Microsoft's anti-exploit toolkit can help mitigate PDF zero-day attacks

      @klumper
      Windows Virtual PC -> Ubuntu 8.04LTS
      though
      Firefox -> gPDF is a lot quicker...
      Boomslang
  • RE: Microsoft's anti-exploit toolkit can help mitigate PDF zero-day attacks

    What a hilarious long name. The user's guide is even more jargonian! The geekologists have run amok on this one. Truly, this toolkit is cutting edge: loss of PII is something on the mind of every computer user, they just don't know it yet!
    neivomonid
    • RE: Microsoft's anti-exploit toolkit can help mitigate PDF zero-day attacks

      @neivomonid
      And is clear as day in comparison to the piece on Technet that explains "reparse points".
      Boomslang
  • RE: Microsoft's anti-exploit toolkit can help mitigate PDF zero-day attacks

    Mitigate?? What does that mean. Should we all install the download on Win7 machines? 32-bit AND 64-bit? What about Vista? Should we use something from Open Office instead of Adobe PDF viewer?? GET CLEAR !!!
    pessimist
    • RE: Microsoft's anti-exploit toolkit can help mitigate PDF zero-day attacks

      @pessimist
      Yes
      Boomslang
  • RE: Microsoft's anti-exploit toolkit can help mitigate PDF zero-day attacks

    Or just use Foxit Free Reader?
    bill@...
  • Better solution ....

    Don't use Adobe Reader. There are plenty of good free PDF readers, no need to be stuck with the bloated piece of cr@p.

    Foxit reader is one example of many.
    wackoae
  • EMET unavailable for download

    All download links to EMET v2.0 that I could find return HTTP 404. C'mon Microsoft, get it together.

    Does anyone have a working link?
    kumitato
    • RE: Microsoft's anti-exploit toolkit can help mitigate PDF zero-day attacks

      @kumitato The link provided by Bookmark71 worked for me.
      Downloaded and installed, took about 5 minutes to figure out how to add adobe reader and check that it was added.

      I'm running XP SP3. No issues with the install.
      Alzie
  • Works now

    Indeed, the link works now. It was broken for a while.
    kumitato