|
Handler Daniel wrote a story abot Enhanced Mitigation Experience Toolkit (EMET) in september 2. Microsoft wrote a very interesting paper explaining how EMET can successfuly block Adobe Reader and Acrobat 0-day exploit. More information at http://blogs.technet.com/b/srd/archive/2010/09/10/use-emet-2-0-to-block-the-adobe-0-day-exploit.aspx More details about EMET at http://technet.microsoft.com/en-us/security/ff859539.aspx -- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org |
Manuel Humberto Santander Pelaacuteez 193 Posts ISC Handler Sep 13th 2010 |
| Subscribe |
Sep 13th 2010 9 years ago |
|
So, decided to get a jump on the week and try out EMET to protect against Acrobat exploits.
On Windows 7 EMET applies all the protections to Acrobat Reader. On Windows Server 2003 Terminal Server it shows the green ball that Acrobat Reader is being run with EMET and tells you that DEP is system opt-in, ASLR and SEHOP are not available (expected) On Windows XP SP3 it's a total strikeout. Tells you that DEP is system opt-in, ASLR and SEHOP are not available (expected), but no program gets shown running with EMET. (Huh?) Well, its cross your fingers and hope time... |
Anonymous |
| Quote |
Sep 13th 2010 9 years ago |
|
... and you need to have .NET 2.0 just to install EMET.
Good luck with that. . |
Jack 160 Posts |
| Quote |
Sep 13th 2010 9 years ago |
|
Actually, I found a way to totally block this 0 day by using WMI! It'll even block the other 200 Flash and Reader exploits that MOAUB has yet to announce!
c:> WMIC wmic:root\cli> product where "name like 'Adobe%'" call uninstall Problem fixed. |
Steven 42 Posts |
| Quote |
Sep 13th 2010 9 years ago |
|
@Steven
While that thought has crossed my mind... I'd rather not get lynched by the accounting department when their flow of invoices becomes unreadable... And Macs don't crash... unless you're trying to get work done with Adobe products. ;^0 |
Steven 57 Posts |
| Quote |
Sep 13th 2010 9 years ago |
|
the link in the article above points to http://blogs.technet.com/b/srd/archive/2010/09/02/enhanced-mitigation-experience-toolkit-emet-v2-0-0.aspx
the download link on that page: http://go.microsoft.com/fwlink/?LinkID=200220&clcid=0x409 takes you to a page that says: Sorry, no results found for: downloads en details aspx FamilyID c6f0a6ee 05ac 4eb6 acd0 362559fd2f04 displayLang en so it seems to be unavailable at present |
Dave 3 Posts |
| Quote |
Sep 14th 2010 9 years ago |
|
3pm UK time, the link seems to be working again
|
Dave 3 Posts |
| Quote |
Sep 14th 2010 9 years ago |
|
Update on the non-working Windows XP SP3 installs, apparently the 2.0.0.1 release was announced before Microsoft download started serving it out. I downloaded during that time period and got 2.0.0.0 instead.
You can tell if you have the new version by looking at the shim DLLs which should have the newer version number. And by the fact that your protected stuff now shows a check mark. |
Dave 57 Posts |
| Quote |
Sep 16th 2010 9 years ago |
Sign Up for Free or Log In to start participating in the conversation!
