Stephen Withers
Monday, 13 September 2010 10:32
Business IT - Security
The 0day exploit for Adobe Acrobat and Reader can be mitigated by a free tool from Microsoft, according to officials at the two companies.
Last week, Adobe warned of a critical vulnerability in Acrobat and Reader that is being actively exploited. More information has now come to light about the issue.
According to Websense, the vulnerability is in a CoolType routine that fails to check that a supposedly null-terminated string really is terminated. A malicious PDF document can use this to trigger a stack-based buffer overflow, which can crash the application or execute arbitrary code.
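The defect Websense describes is a parsing pattern rather than anything specific to PDF, so the following added example (written for this page, not CoolType's or Adobe's code) shows it in miniature: a fixed-width name field read from an untrusted file, copied into a stack buffer by a routine that trusts the terminator, next to a version that bounds both the search for the NUL and the copy. The field layout, buffer size and sample bytes are all constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF 32   /* stack buffer the parser copies the name into (constructed size) */

/* Unsafe pattern: trusts that the on-disk field is NUL-terminated and copies
 * until it finds the terminator. A document that omits the NUL makes the loop
 * read past the field and write past dst. It is only ever called on well-formed
 * input below; it is here to show the shape of the defect, not to be run on bad data. */
void copy_name_unsafe(char *dst, const uint8_t *field) {
    size_t i = 0;
    while (field[i] != 0) { dst[i] = (char)field[i]; i++; }
    dst[i] = 0;
}

/* Hardened version: the search for the terminator is bounded by the field
 * length, and the copy is bounded by the destination size.
 * Returns the name length on success, -1 if the field is unterminated,
 * -2 if the name would not fit in dst. */
int copy_name_safe(char *dst, size_t dst_len, const uint8_t *field, size_t field_len) {
    const uint8_t *nul = memchr(field, 0, field_len);
    if (nul == NULL) return -1;                  /* treat as a malformed document */
    size_t n = (size_t)(nul - field);
    if (dst_len == 0 || n >= dst_len) return -2; /* no room for name + terminator */
    memcpy(dst, field, n);
    dst[n] = 0;
    return (int)n;
}

/* Convenience wrapper with a NAME_BUF-sized stack buffer, mirroring what a
 * font parser would do; returns copy_name_safe's status code. */
int name_field_status(const uint8_t *field, size_t field_len) {
    char name[NAME_BUF];
    return copy_name_safe(name, sizeof name, field, field_len);
}

/* Builds a field of n_chars 'B' bytes followed by a NUL and checks it, so the
 * "too long for the buffer" path can be exercised without a hand-typed array. */
int long_name_status(size_t n_chars) {
    uint8_t field[64];
    if (n_chars >= sizeof field) return -3;
    memset(field, 'B', n_chars);
    field[n_chars] = 0;
    return name_field_status(field, n_chars + 1);
}

/* Constructed sample fields (8-byte fixed-width name slots). */
const uint8_t SAMPLE_OK[8]  = {'A','r','i','a','l',0,0,0};       /* terminated */
const uint8_t SAMPLE_BAD[8] = {'A','A','A','A','A','A','A','A'}; /* no NUL anywhere */

int main(void) {
    char name[NAME_BUF];
    copy_name_unsafe(name, SAMPLE_OK);          /* fine only because SAMPLE_OK is terminated */
    printf("unsafe copy of well-formed field: %s\n", name);
    printf("safe, terminated:   %d\n", name_field_status(SAMPLE_OK, sizeof SAMPLE_OK));   /* 5 */
    printf("safe, unterminated: %d\n", name_field_status(SAMPLE_BAD, sizeof SAMPLE_BAD)); /* -1 */
    printf("safe, too long:     %d\n", long_name_status(40));                             /* -2 */
    return 0;
}
```

The point of the hardened form is that a missing terminator becomes a rejected document rather than an out-of-bounds read followed by an out-of-bounds write; `memchr` with the field length is the check the text says the CoolType routine lacks.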
While CoolType has been compiled with the /GS and /SAFESEH options to block straightforward manipulation of the return address to reach the payload, the icucnv.dll library also used by Acrobat and Reader does not take advantage of address space layout randomisation (ASLR). Because that library loads at a predictable address, an attacker can chain fragments of its existing code using a technique called return-oriented programming (ROP) to get around those defences.
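Whether a Windows module opts in to ASLR is recorded in its PE optional header: the `DllCharacteristics` field carries the `IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` bit (0x0040) when the module was linked with `/DYNAMICBASE`. The following added example (not code from the page, Adobe or Microsoft) parses that field so a defender can audit the DLLs an application loads for modules that, like icucnv.dll as described above, would load at a fixed address. The constants are from the PE/COFF specification; the `build_min_pe` helper fabricates a headers-only PE32 image purely so the checker can be exercised offline, and the 4 KiB read in `pe_file_has_aslr` is an assumption that real modules keep their headers in the first page.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constants from the PE/COFF specification. */
#define IMAGE_DOS_SIGNATURE   0x5A4D      /* "MZ" */
#define IMAGE_NT_SIGNATURE    0x00004550  /* "PE\0\0" */
#define OPT_HDR32_MAGIC       0x010B      /* PE32 */
#define OPT_HDR64_MAGIC       0x020B      /* PE32+ */
#define DLLCHAR_DYNAMIC_BASE  0x0040      /* linked with /DYNAMICBASE: ASLR opt-in */
#define DLLCHAR_NX_COMPAT     0x0100      /* linked with /NXCOMPAT: DEP opt-in */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Reads the optional header's DllCharacteristics into *out.
 * Returns 0 on success, -1 if the buffer is not a well-formed PE image. */
int pe_dll_characteristics(const uint8_t *img, size_t len, uint16_t *out) {
    if (len < 0x40 || rd16(img) != IMAGE_DOS_SIGNATURE) return -1;
    uint32_t pe_off = rd32(img + 0x3C);                 /* e_lfanew */
    /* need signature(4) + COFF header(20) + optional header through DllCharacteristics(72) */
    if (pe_off > len || len - pe_off < 4 + 20 + 72) return -1;
    if (rd32(img + pe_off) != IMAGE_NT_SIGNATURE) return -1;
    const uint8_t *coff = img + pe_off + 4;
    uint16_t opt_size = rd16(coff + 16);                /* SizeOfOptionalHeader */
    const uint8_t *opt = coff + 20;
    uint16_t magic = rd16(opt);
    if ((magic != OPT_HDR32_MAGIC && magic != OPT_HDR64_MAGIC) || opt_size < 72) return -1;
    *out = rd16(opt + 70);                              /* same offset in PE32 and PE32+ */
    return 0;
}

/* 1 if the image opts in to ASLR, 0 if it does not, -1 if malformed. */
int pe_has_aslr(const uint8_t *img, size_t len) {
    uint16_t dc;
    if (pe_dll_characteristics(img, len, &dc) != 0) return -1;
    return (dc & DLLCHAR_DYNAMIC_BASE) ? 1 : 0;
}

/* Builds a constructed, headers-only PE32 image in buf with the given
 * DllCharacteristics. Returns the image length (312 bytes) or 0 if buf is too small. */
size_t build_min_pe(uint8_t *buf, size_t cap, uint16_t dllchars) {
    const size_t total = 0x40 + 4 + 20 + 0xE0;
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3C] = 0x40;                  /* e_lfanew = 0x40 */
    buf[0x40] = 'P'; buf[0x41] = 'E';  /* "PE\0\0" */
    uint8_t *coff = buf + 0x44;
    coff[0] = 0x4C; coff[1] = 0x01;    /* Machine = IMAGE_FILE_MACHINE_I386 */
    coff[16] = 0xE0; coff[17] = 0x00;  /* SizeOfOptionalHeader = 224 (PE32) */
    uint8_t *opt = coff + 20;
    opt[0] = 0x0B; opt[1] = 0x01;      /* Magic = PE32 */
    opt[70] = (uint8_t)(dllchars & 0xFF);
    opt[71] = (uint8_t)(dllchars >> 8);
    return total;
}

/* Builds a constructed image with the given flags and reports its ASLR status. */
int aslr_status_of_constructed(uint16_t dllchars) {
    uint8_t buf[512];
    size_t n = build_min_pe(buf, sizeof buf, dllchars);
    return pe_has_aslr(buf, n);
}

/* Reads a module from disk and reports its ASLR status (same codes as pe_has_aslr).
 * Assumption: the PE headers fit in the first 4 KiB, which holds for typical modules. */
int pe_file_has_aslr(const char *path) {
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    uint8_t hdr[4096];
    size_t n = fread(hdr, 1, sizeof hdr, f);
    fclose(f);
    return pe_has_aslr(hdr, n);
}

int main(int argc, char **argv) {
    for (int i = 1; i < argc; i++) {
        int r = pe_file_has_aslr(argv[i]);
        printf("%s: %s\n", argv[i],
               r == 1 ? "ASLR (DYNAMICBASE)" : r == 0 ? "NO ASLR" : "unreadable or not a PE image");
    }
    return 0;
}
```

Run it over the DLLs in an application's install directory to list modules that would load at a fixed address; those are the ones a mitigation such as EMET's forced ASLR is meant to cover. Checking the `DLLCHAR_NX_COMPAT` bit the same way gives the equivalent answer for DEP.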
Microsoft has pointed out that EMET 2.0 (the latest version of Microsoft's Enhanced Mitigation Experience Toolkit) can be used to force ASLR for software that isn't inherently ASLR-aware.
However, forcing ASLR this way only works on Windows 7, Vista and Server 2008. EMET's export address table access filtering mitigation also protects against the Acrobat/Reader exploit on XP and Server 2003, by detecting attempts to access Kernel32.dll's export address table, which is how the exploit's payload locates the system functions it needs.