
SANS ISC: Enhanced Mitigation Experience Toolkit can block Adobe 0-day exploit - Internet Security | DShield SANS ISC InfoSec Forums


Enhanced Mitigation Experience Toolkit can block Adobe 0-day exploit

Handler Daniel wrote a story about the Enhanced Mitigation Experience Toolkit (EMET) on September 2. Microsoft has written a very interesting paper explaining how EMET can successfully block the Adobe Reader and Acrobat 0-day exploit.

More information at http://blogs.technet.com/b/srd/archive/2010/09/10/use-emet-2-0-to-block-the-adobe-0-day-exploit.aspx

More details about EMET at http://technet.microsoft.com/en-us/security/ff859539.aspx 

-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org

Manuel Humberto Santander Peláez

ISC Handler
So, I decided to get a jump on the week and try out EMET to protect against Acrobat exploits.

On Windows 7 EMET applies all the protections to Acrobat Reader.

On Windows Server 2003 Terminal Server it shows the green ball that Acrobat Reader is being run with EMET and tells you that DEP is system opt-in, ASLR and SEHOP are not available (expected)

On Windows XP SP3 it's a total strikeout. Tells you that DEP is system opt-in, ASLR and SEHOP are not available (expected), but no program gets shown running with EMET. (Huh?)

Well, it's cross your fingers and hope time...
Anonymous
... and you need to have .NET 2.0 just to install EMET.
Good luck with that.
Jack

Actually, I found a way to totally block this 0 day by using WMI! It'll even block the other 200 Flash and Reader exploits that MOAUB has yet to announce!

c:> WMIC
wmic:root\cli> product where "name like 'Adobe%'" call uninstall

Problem fixed.
Steven

@Steven
While that thought has crossed my mind...
I'd rather not get lynched by the accounting department when their flow of invoices becomes unreadable...
And Macs don't crash... unless you're trying to get work done with Adobe products. ;^0
Steven
The link in the article above points to http://blogs.technet.com/b/srd/archive/2010/09/02/enhanced-mitigation-experience-toolkit-emet-v2-0-0.aspx

The download link on that page:
http://go.microsoft.com/fwlink/?LinkID=200220&clcid=0x409
takes you to a page that says:
Sorry, no results found for: downloads en details aspx FamilyID c6f0a6ee 05ac 4eb6 acd0 362559fd2f04 displayLang en

so it seems to be unavailable at present
Dave

At 3pm UK time, the link seems to be working again.
Dave

Update on the non-working Windows XP SP3 installs: apparently the 2.0.0.1 release was announced before the Microsoft download site started serving it out. I downloaded during that time period and got 2.0.0.0 instead.

You can tell if you have the new version by looking at the shim DLLs which should have the newer version number. And by the fact that your protected stuff now shows a check mark.
Dave
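Two of the comments above amount to a manual checklist: whether DEP, ASLR and SEHOP are actually available on the host (the Windows 7 / Server 2003 / XP SP3 results), and whether the shim DLL carries the 2.0.0.1 version number and is really injected into Reader. The PowerShell script below, added here as an example and not code from the ISC post or from Microsoft's EMET, automates that checklist. It assumes EMET 2.0 is installed under C:\Program Files\EMET and that its shim is the file EMET.dll in that directory (both the path and the DLL name are assumptions, adjust them to what your installer laid down), and that Adobe Reader runs as AcroRd32.exe. Run it from an elevated prompt whose bitness matches the Reader process, since module enumeration across 32/64-bit boundaries fails.

```powershell
# Added example: verify the EMET 2.0 protections discussed in the thread.
# Assumptions (not from the page): EMET install dir and shim DLL name below,
# and that Adobe Reader's process is AcroRd32.
$emetDir = 'C:\Program Files\EMET'        # assumed EMET 2.0 install directory
$shimDll = Join-Path $emetDir 'EMET.dll'  # assumed shim DLL name
$process = 'AcroRd32'                     # Adobe Reader process name

# 1. System-wide DEP policy from WMI.
#    DataExecutionPrevention_SupportPolicy: 0=AlwaysOff 1=AlwaysOn 2=OptIn 3=OptOut
$depNames  = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
$os        = Get-WmiObject Win32_OperatingSystem
$depPolicy = [int]$os.DataExecutionPrevention_SupportPolicy
"OS                : $($os.Caption) (version $($os.Version))"
"DEP policy        : $($depNames[$depPolicy]) (WMI value $depPolicy)"
"DEP available     : $($os.DataExecutionPrevention_Available)"

# 2. SEHOP and ASLR exist only on Vista/Server 2008 (NT 6.0) and later, which is
#    why EMET reports them as unavailable on XP and Server 2003.
#    SEHOP is governed by DisableExceptionChainValidation: 0 = on, 1 = off,
#    missing = the OS default (on for server SKUs, off for client SKUs).
$osVersion = [Version]$os.Version
$kernelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'
$sehop     = (Get-ItemProperty -Path $kernelKey -ErrorAction SilentlyContinue).DisableExceptionChainValidation
if ($osVersion -lt [Version]'6.0') {
    "SEHOP             : not available on this OS"
    "ASLR              : not available on this OS"
} else {
    if ($sehop -eq 0)         { "SEHOP             : enabled (registry value 0)" }
    elseif ($sehop -eq $null) { "SEHOP             : OS default (value not set)" }
    else                      { "SEHOP             : disabled (registry value $sehop)" }
    "ASLR              : supported by this OS (per-image opt-in unless EMET forces it)"
}

# 3. Shim DLL version: this is how the last comment distinguishes the 2.0.0.0
#    build served early from the announced 2.0.0.1 release.
if (Test-Path $shimDll) {
    "EMET shim version : $((Get-Item $shimDll).VersionInfo.FileVersion) ($shimDll)"
} else {
    "EMET shim version : $shimDll not found; check the install directory"
}

# 4. Is the shim actually loaded into a running Reader? A green ball or check
#    mark in the GUI means little if the DLL never lands in the process.
$shimName = Split-Path $shimDll -Leaf
$readers  = Get-Process -Name $process -ErrorAction SilentlyContinue
if (-not $readers) {
    "Reader            : $process.exe is not running; open a PDF and re-run"
} else {
    foreach ($p in $readers) {
        $loaded = $p.Modules | Where-Object { $_.ModuleName -ieq $shimName }
        if ($loaded) {
            "Reader PID $($p.Id) : EMET shim loaded (file version $($loaded.FileVersionInfo.FileVersion))"
        } else {
            "Reader PID $($p.Id) : EMET shim NOT loaded"
        }
    }
}
```

The WMI DEP query works on XP SP3 as well, so it gives a consistent answer on every OS in the comments above, while the SEHOP and ASLR lines simply report "not available" below NT 6.0 rather than pretending a registry value means something there. The module check in step 4 is the part worth keeping: it is the direct evidence that the shim was injected, which is what the thread's "no program gets shown running with EMET" symptom was missing.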
