
SANS ISC: Enhanced Mitigation Experience Toolkit can block Adobe 0-day exploit - SANS Internet Storm Center SANS ISC InfoSec Forums

Enhanced Mitigation Experience Toolkit can block Adobe 0-day exploit

Handler Daniel wrote a story about the Enhanced Mitigation Experience Toolkit (EMET) on September 2. Microsoft has written a very interesting paper explaining how EMET can successfully block the Adobe Reader and Acrobat 0-day exploit.

More information at

More details about EMET at 

-- Manuel Humberto Santander Peláez | msantand at isc dot sans dot org

Manuel Humberto Santander Peláez

195 Posts
ISC Handler
Sep 13th 2010
So, decided to get a jump on the week and try out EMET to protect against Acrobat exploits.

On Windows 7 EMET applies all the protections to Acrobat Reader.

On Windows Server 2003 Terminal Server it shows the green ball that Acrobat Reader is being run with EMET and tells you that DEP is system opt-in, ASLR and SEHOP are not available (expected)

On Windows XP SP3 it's a total strikeout. Tells you that DEP is system opt-in, ASLR and SEHOP are not available (expected), but no program gets shown running with EMET. (Huh?)

Well, it's cross-your-fingers-and-hope time...
... and you need to have .NET 2.0 just to install EMET.
Good luck with that.

160 Posts
Actually, I found a way to totally block this 0-day by using WMI! It'll even block the other 200 Flash and Reader exploits that MOAUB has yet to announce!

c:> WMIC
wmic:root\cli> product where "name like 'Adobe%'" call uninstall

Problem fixed.

42 Posts
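The thread above checks two things by hand: whether the system DEP policy is "opt-in" (so only processes EMET opts in actually get DEP) and which Adobe products are installed. The following PowerShell is an added example, not from the diary or any commenter, that reports both read-only; it queries Win32_OperatingSystem for the DEP policy and reads the registry Uninstall keys rather than calling Win32_Product, and it uninstalls nothing.

```powershell
# Added example (not part of the original diary or comments).
# Reports the system DEP policy that EMET shows as "system opt-in" and
# lists installed Adobe products, without changing anything.

# DataExecutionPrevention_SupportPolicy values documented for Win32_OperatingSystem.
$depPolicy = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn (system default)'; 3 = 'OptOut' }

$os = Get-WmiObject -Class Win32_OperatingSystem
$policyCode = [int]$os.DataExecutionPrevention_SupportPolicy

"OS:            {0} {1}" -f $os.Caption, $os.CSDVersion
"DEP available: {0}"     -f $os.DataExecutionPrevention_Available
"DEP policy:    {0}"     -f $depPolicy[$policyCode]
if ($policyCode -eq 2) {
    "DEP is OptIn: only processes that opt in (e.g. through EMET) are covered."
}

# Installed products whose display name starts with 'Adobe', taken from the
# per-machine Uninstall keys (32-bit and 64-bit views). This avoids
# Win32_Product, which is slow and triggers MSI consistency checks.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$adobe = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Adobe*' } |
    Select-Object DisplayName, DisplayVersion, InstallDate |
    Sort-Object DisplayName -Unique

"Adobe products found: {0}" -f @($adobe).Count
$adobe | Format-Table -AutoSize
```

Run it in an elevated PowerShell on each host you are comparing (the XP SP3, 2003 and Windows 7 cases in the thread) to see why EMET reports DEP as opt-in there.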
While that thought has crossed my mind...
I'd rather not get lynched by the accounting department when their flow of invoices becomes unreadable...
And Macs don't crash... unless you're trying to get work done with Adobe products. ;^0
57 Posts
the link in the article above points to

the download link on that page:
takes you to a page that says:
Sorry, no results found for: downloads en details aspx FamilyID c6f0a6ee 05ac 4eb6 acd0 362559fd2f04 displayLang en

so it seems to be unavailable at present

3 Posts
3pm UK time, the link seems to be working again

3 Posts
Update on the non-working Windows XP SP3 installs, apparently the release was announced before Microsoft download started serving it out. I downloaded during that time period and got instead.

You can tell if you have the new version by looking at the shim DLLs which should have the newer version number. And by the fact that your protected stuff now shows a check mark.
57 Posts
