Enhanced Mitigation Experience Toolkit can block Adobe 0-day exploit

Enhanced Mitigation Experience Toolkit can block Adobe 0-day exploit
Handler Daniel wrote a story abot Enhanced Mitigation Experience Toolkit (EMET) in september 2. Microsoft wrote a very interesting paper explaining how EMET can successfuly block Adobe Reader and Acrobat 0-day exploit. More information at http://blogs.technet.com/b/srd/archive/2010/09/10/use-emet-2-0-to-block-the-adobe-0-day-exploit.aspx More details about EMET at http://technet.microsoft.com/en-us/security/ff859539.aspx -- Manuel Humberto Santander Peláez \| http://twitter.com/manuelsantander \| http://manuel.santander.name \| msantand at isc dot sans dot org	Manuel Humberto Santander Pelaacuteez 195 Posts ISC Handler Sep 13th 2010
Thread locked Subscribe	Sep 13th 2010 1 decade ago
So, decided to get a jump on the week and try out EMET to protect against Acrobat exploits. On Windows 7 EMET applies all the protections to Acrobat Reader. On Windows Server 2003 Terminal Server it shows the green ball that Acrobat Reader is being run with EMET and tells you that DEP is system opt-in, ASLR and SEHOP are not available (expected) On Windows XP SP3 it's a total strikeout. Tells you that DEP is system opt-in, ASLR and SEHOP are not available (expected), but no program gets shown running with EMET. (Huh?) Well, its cross your fingers and hope time...	Anonymous
Quote	Sep 13th 2010 1 decade ago
... and you need to have .NET 2.0 just to install EMET. Good luck with that. .	Jack 160 Posts
Quote	Sep 13th 2010 1 decade ago
Actually, I found a way to totally block this 0 day by using WMI! It'll even block the other 200 Flash and Reader exploits that MOAUB has yet to announce! c:> WMIC wmic:root\cli> product where "name like 'Adobe%'" call uninstall Problem fixed.	Steven 42 Posts
Quote	Sep 13th 2010 1 decade ago
@Steven While that thought has crossed my mind... I'd rather not get lynched by the accounting department when their flow of invoices becomes unreadable... And Macs don't crash... unless you're trying to get work done with Adobe products. ;^0	Steven 57 Posts
Quote	Sep 13th 2010 1 decade ago
the link in the article above points to http://blogs.technet.com/b/srd/archive/2010/09/02/enhanced-mitigation-experience-toolkit-emet-v2-0-0.aspx the download link on that page: http://go.microsoft.com/fwlink/?LinkID=200220&clcid=0x409 takes you to a page that says: Sorry, no results found for: downloads en details aspx FamilyID c6f0a6ee 05ac 4eb6 acd0 362559fd2f04 displayLang en so it seems to be unavailable at present	Dave 3 Posts
Quote	Sep 14th 2010 1 decade ago
3pm UK time, the link seems to be working again	Dave 3 Posts
Quote	Sep 14th 2010 1 decade ago
Update on the non-working Windows XP SP3 installs, apparently the 2.0.0.1 release was announced before Microsoft download started serving it out. I downloaded during that time period and got 2.0.0.0 instead. You can tell if you have the new version by looking at the shim DLLs which should have the newer version number. And by the fact that your protected stuff now shows a check mark.	Dave 57 Posts
Quote	Sep 16th 2010 1 decade ago