Background on the exploit

As you probably know there is a new exploit in the wild for Adobe Reader and Acrobat. This particular exploit uses the Return Oriented Programming (ROP) technique in order to bypass Data Execution Prevention (DEP).

Normally Address Space Layout Randomization (ASLR) would help prevent successful exploitation.  However, this product ships with a DLL (icucnv36.dll) that doesn't have ASLR turned on.  Without ASLR, this DLL is always going to be loaded at a predictable address and can be leveraged by an exploit.  In the below screenshot we use Process Explorer to show what this looks like.

[Screenshot: Process Explorer view of icucnv36.dll loaded without ASLR]

Find more information on the importance of enabling ASLR in your products at http://msdn.microsoft.com/en-us/library/bb430720.aspx.
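As an added example that is not part of the original post, here is a small Python script that reads a module's PE optional header and reports whether the DYNAMIC_BASE (ASLR) and NX_COMPAT (DEP) opt-in bits are set, which is the same property the Process Explorer screenshot shows for icucnv36.dll. The function and helper names are my own, and build_sample_image produces a constructed header-only image for offline testing, not the real Adobe DLL.

```python
import struct
import sys

# DllCharacteristics bits from the PE/COFF specification.
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image may be relocated (ASLR opt-in)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image is DEP-compatible

def pe_mitigation_flags(data: bytes) -> dict:
    """Read DllCharacteristics from a PE image and report its ASLR/DEP opt-ins."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20            # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):    # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%X" % magic)
    # DllCharacteristics sits at offset 0x46 of the optional header in both formats.
    dllchar = struct.unpack_from("<H", data, opt + 0x46)[0]
    return {
        "aslr": bool(dllchar & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dllchar & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "dll_characteristics": dllchar,
    }

def build_sample_image(dll_characteristics: int, magic: int = 0x10B) -> bytes:
    """Constructed header-only PE image for offline testing (not a real DLL)."""
    hdr = bytearray(0x40 + 4 + 20 + 0xF0)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)          # e_lfanew -> PE signature at 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    opt = 0x40 + 4 + 20
    struct.pack_into("<H", hdr, opt, magic)
    struct.pack_into("<H", hdr, opt + 0x46, dll_characteristics)
    return bytes(hdr)

if __name__ == "__main__":
    # Usage: python pe_aslr_check.py <module.dll> [...]; with no arguments, inspect the sample.
    paths = sys.argv[1:]
    for path in paths:
        with open(path, "rb") as fh:
            flags = pe_mitigation_flags(fh.read())
        verdict = "ASLR" if flags["aslr"] else "NO ASLR (predictable load address)"
        print("%s: %s, DEP=%s" % (path, verdict, flags["dep"]))
    if not paths:
        print("constructed sample:", pe_mitigation_flags(build_sample_image(0x0000)))
```

A module reporting "NO ASLR" is exactly what EMET's Mandatory ASLR mitigation has to force-relocate, since the loader would otherwise honour its preferred base.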

How EMET 2.0 blocks the exploit

The good news is that if you have the Enhanced Mitigation Experience Toolkit 2.0 (EMET) enabled for AcroRd32.exe, it blocks this exploit.  This happens thanks to two different mitigations:

Mandatory ASLR: On Windows 7, Windows Vista, Windows Server 2008 R2, and Windows Server 2008 this mitigation will force the relocation of non-ASLR-aware DLLs. The exploit will then fail to use ROP successfully since it is expecting the DLL to be at a predictable location.  Take a look at the below screenshot from Process Explorer to see what this looks like.

[Screenshot: Process Explorer view of icucnv36.dll relocated by EMET's Mandatory ASLR]

Export Address Table Access Filtering (EAF): The exploit is also blocked by the EAF mitigation.  This is important for Windows XP and Windows Server 2003 because they do not support mandatory ASLR. With this mitigation in place EMET will detect the shellcode accessing the EAT of Kernel32.dll trying to resolve some APIs (e.g. LoadLibraryA). EMET will then raise a STATUS_STACK_BUFFER_OVERRUN unhandled exception and the program will be terminated before the shellcode does anything bad.

How to enable EMET for Adobe Reader

In order to enable EMET for Adobe Reader and Acrobat you have to install EMET and run the following simple command line as an Administrator. Please note the path to Adobe Reader and Acrobat could be different on your system (especially if you are not using a 64-bit system).

C:\Program Files (x86)\EMET>emet_conf.exe --add "c:\program files (x86)\Adobe\Reader 9.0\Reader\acrord32.exe"

The changes you have made may require restarting one or more applications

We have been working closely with the Adobe Secure Software Engineering Team (ASSET) on recommending EMET as a mitigation option. Due to the time-sensitive nature of this issue, we have only been able to perform a cursory look at the functional compatibility of this mitigation. Keep in mind, Adobe Reader and Acrobat support broad feature sets, which require extensive testing to fully cover all functionality. Therefore, we recommend that you also test the mitigation in your environment to minimize any impact on your workflows.  Please refer to Adobe's guidance regarding EMET under the Mitigations section of their Security Advisory.

New updates to EMET 2.0

Also, last week we made available version 2.0 of EMET on this blog post. We would like to thank all the people that gave it a try and sent us feedback. Today we are releasing an updated version of EMET (2.0.0.1) with some bug fixes.  The download for the old version has been replaced with the new version and can be obtained here.

The following are the changes you can find in the new version:

  • The DEP mitigation is now enabled with the ATL thunk emulation for better compatibility.
  • The GUI does a better job of handling situations where a process tries to block it from determining if DEP is enabled or disabled for that process. Previously, the GUI crashed in certain scenarios with programs such as Antivirus and Intrusion Prevention Systems.
  • EMET now correctly protects applications launched with 8.3 filenames.
  • Enhancements have been made to EMET running on Windows XP to support more 3rd party applications. Previously, there were situations where the protections could fail to protect certain applications.

As always, we welcome your feedback and would like to hear more about your experiences with EMET.  Please feel free to e-mail us at switech@microsoft.com.

- Fermin J. Serna and Andrew Roths

Updated September 14, 2010 - In certain Windows XP configurations, users have encountered problems where several applications configured for use with EMET do not get protected by EMET.  When this happens you will see that the process does not have a check mark under the "Running EMET" column of the main application.  If you have encountered this issue, please download the latest version of the tool which addresses this problem.