Enhanced Mitigation Experience Toolkit can block CVE-2010-2883 exploit

Published: 2010-09-13
Last Updated: 2010-09-13 14:11:27 UTC
by Manuel Humberto Santander Pelaez (Version: 2)
7 comment(s)

Handler Daniel wrote a story abot Enhanced Mitigation Experience Toolkit (EMET) in september 2. This tool can be used now to successfuly block Adobe Reader and Acrobat CVE-2010-2883 exploit. More information at http://blogs.technet.com/b/srd/archive/2010/09/10/use-emet-2-0-to-block-the-adobe-0-day-exploit.aspx

More details about EMET at http://technet.microsoft.com/en-us/security/ff859539.aspx 

-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org

7 comment(s)


So, decided to get a jump on the week and try out EMET to protect against Acrobat exploits.

On Windows 7 EMET applies all the protections to Acrobat Reader.

On Windows Server 2003 Terminal Server it shows the green ball that Acrobat Reader is being run with EMET and tells you that DEP is system opt-in, ASLR and SEHOP are not available (expected)

On Windows XP SP3 it's a total strikeout. Tells you that DEP is system opt-in, ASLR and SEHOP are not available (expected), but no program gets shown running with EMET. (Huh?)

Well, its cross your fingers and hope time...
... and you need to have .NET 2.0 just to install EMET.
Good luck with that.
Actually, I found a way to totally block this 0 day by using WMI! It'll even block the other 200 Flash and Reader exploits that MOAUB has yet to announce!

c:> WMIC
wmic:root\cli> product where "name like 'Adobe%'" call uninstall

Problem fixed.
While that thought has crossed my mind...
I'd rather not get lynched by the accounting department when their flow of invoices becomes unreadable...
And Macs don't crash... unless you're trying to get work done with Adobe products. ;^0
the link in the article above points to http://blogs.technet.com/b/srd/archive/2010/09/02/enhanced-mitigation-experience-toolkit-emet-v2-0-0.aspx

the download link on that page:
takes you to a page that says:
Sorry, no results found for: downloads en details aspx FamilyID c6f0a6ee 05ac 4eb6 acd0 362559fd2f04 displayLang en

so it seems to be unavailable at present
3pm UK time, the link seems to be working again
Update on the non-working Windows XP SP3 installs, apparently the release was announced before Microsoft download started serving it out. I downloaded during that time period and got instead.

You can tell if you have the new version by looking at the shim DLLs which should have the newer version number. And by the fact that your protected stuff now shows a check mark.

Diary Archives