Microsoft and Adobe Systems say Microsoft's Enhanced Mitigation Experience Toolkit 2.0 can help protect users against attackers targeting a bug in Adobe Reader and Acrobat.
Adobe Reader and Acrobat users on Windows machines now have a potential
shield available to protect them from attackers targeting a zero-day
vulnerability.
Microsoft and Adobe Systems announced Sept. 10 that the latest edition of
Microsoft's Enhanced Mitigation Experience Toolkit (EMET) can be used to
block attacks. The announcement followed reports that an exploit currently
in the wild can bypass Microsoft's data execution prevention feature using
a technique known as ROP (return-oriented programming).
"Normally Address Space Layout Randomization (ASLR) would help prevent
successful exploitation," said a post on Microsoft's Security Research &
Defense blog. "However, this product ships with a DLL (icucnv36.dll) that
doesn't have ASLR turned on. Without ASLR, this DLL is always going to be
loaded at a predictable address and can be leveraged by an exploit."
EMET 2.0 blocks the exploit by deploying mandatory ASLR as well as export
address table access filtering, Microsoft said.
Adobe has said little about the technical details of the vulnerability.
However, in an advisory, Secunia identified the Reader and Acrobat
vulnerability as arising from "a boundary error within CoolType.dll when
processing the 'uniqueName' entry of SING tables in fonts ... [The bug] can
be exploited to cause a stack-based buffer overflow by e.g. tricking a user
into opening a malicious PDF file containing a specially crafted embedded
font."
The vulnerability affects Adobe Reader 9.3.4 and earlier versions for
Windows, Macintosh and Unix, and Adobe Acrobat 9.3.4 and earlier versions for
Windows and Macintosh.
Though both Microsoft and Adobe suggested users try EMET, the companies
added that only limited testing of "the functional compatibility of this
mitigation" has been done, and recommended users test the mitigation in
their own environments.
Adobe has said it plans to patch the vulnerability, but has not given a firm
date for when that will happen.