Adobe 0 Day mitigation (September 2010)
I’m sure by now, if you’ve got any type of connection to anything computer related (using, working with or on, etc), you will probably have heard of the Adobe 0 Day vulnerability.
A critical vulnerability exists in Adobe Flash Player 10.1.82.76 and earlier versions for Windows, Macintosh, Linux, Solaris, and Adobe Flash Player 10.1.92.10 for Android. This vulnerability also affects Adobe Reader 9.3.4 for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh. This vulnerability (CVE-2010-2884) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against Adobe Flash Player on Windows.
For those of you that don’t know what a 0 day vulnerability is, it is a vulnerability that becomes publicly known, or is exploited, before the software vendor has had any time to fix it. Some vulnerabilities are reported to the software creators, or found by the software creators themselves; others are found by ‘black hats’ looking to make a buck or two, or just to cause mischief or serious problems. (A more detailed description is over at SearchSecurity.com.)
Don’t know who let this cat out of the bag (have to research that saying some time), but it’s out there and Adobe doesn’t have a fix yet. Yet. They plan on having fixes released for Adobe Flash by the last week of September and for Reader and Acrobat by the first week of October.
Well, Microsoft seems to have a mitigation for it already. Now, for those of you that know me (and maybe those of you that don’t), you may know that I’m NOT a fan of Micro$haft. But I’ll give them this much, at least they’re trying. Anyhow, they have something called the Enhanced Mitigation Experience Toolkit (EMET for short).
After EMET is installed on the systems in your home/organization, the only thing necessary to implement the mitigation is a simple command line (adjust the paths to match your computer’s x86/x64 OS):
C:\Program Files (x86)\EMET>emet_conf.exe --add "c:\program files (x86)\Adobe\Reader 9.0\Reader\acrord32.exe"
If you have Acrobat on the system, it can also be done like so:
C:\Program Files (x86)\EMET>emet_conf.exe --add "c:\program files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat.exe"
Other than doing the obligatory restart, nothing else is really needed.
There’s almost no configuration required when installing EMET itself: it’s an MSI package that installs once you start it. To open it, just go to the Program menu and click on it. Once it’s open, configure the apps you want EMET to protect and away you go.
Before implementing this however, I suggest some serious testing. I’ve tested it so far on Vista SP1 and Vista SP2, Server 2003 and Server 2008 and have no issues with either Acrobat or Reader.
With my home setup, I’m not really running a lot of intense Adobe reliant stuff, so, don’t take my word for it, do the testing yourself.
A little bit of background on what the 0 Day is doing exactly (from Microsoft.com):
This particular exploit is using the Return Oriented Programming (ROP) exploit technique in order to bypass Data Execution Prevention (DEP). Normally Address Space Layout Randomization (ASLR) would help prevent successful exploitation. However, this product ships with a DLL (icucnv36.dll) that doesn’t have ASLR turned on. Without ASLR, this DLL is always going to be loaded at a predictable address and can be leveraged by an exploit.
EMET provides users with the ability to deploy security mitigation technologies to arbitrary applications. This helps prevent vulnerabilities in those applications (especially line of business and 3rd party apps) from successfully being exploited. By deploying these mitigation technologies on legacy products, the tool can also help customers manage risk while they are in the process of transitioning over to modern, more secure products. In addition, it makes it easy for customers to test mitigations against any software and provide feedback on their experience to the vendor.
The installation package for EMET v2.0 includes a detailed user guide. It gives an overview of the tool, instructions on how to use it, answers to frequently asked questions, and caveats about the mitigations that users should be aware of. Please be sure to read the guide before using the tool.
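The Microsoft note above hinges on one detail you can check for yourself: a module that does not opt into ASLR (the DYNAMIC_BASE bit in its PE header) loads at a fixed address. The following Python script is an added example, not code from this post, from Adobe or from Microsoft; it reads the DllCharacteristics field of a PE optional header and reports whether an EXE or DLL opts into ASLR and DEP, and can walk an install directory (such as the Adobe Reader folder named in the EMET commands above) to list modules that lack either flag. The build_minimal_pe helper constructs a header-only image so the check runs offline without an Adobe install.

```python
"""Check whether a PE image (EXE/DLL) opts into ASLR and DEP (added example)."""
import struct
from pathlib import Path

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image is ASLR-compatible
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image is DEP-compatible

def pe_mitigation_flags(data: bytes) -> dict:
    """Return ASLR/DEP opt-in bits from the optional header's DllCharacteristics."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32 or PE32+
        raise ValueError("unexpected optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both the PE32 and PE32+ layouts
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    return {
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "pe32plus": magic == 0x20B,
    }

def find_unprotected_modules(directory: str):
    """Yield (path, flags) for each EXE/DLL under directory lacking ASLR or DEP."""
    for path in Path(directory).rglob("*"):
        if path.suffix.lower() not in (".dll", ".exe"):
            continue
        try:
            with path.open("rb") as fh:
                flags = pe_mitigation_flags(fh.read(4096))  # headers only
        except (OSError, ValueError, struct.error):
            continue  # unreadable or not a valid PE image; skip it
        if not (flags["aslr"] and flags["dep"]):
            yield str(path), flags

def build_minimal_pe(dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Construct a header-only PE image (constructed test data, not a real module)."""
    dos_stub = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return dos_stub + b"PE\0\0" + coff + bytes(opt)
```

To audit a real install, call find_unprotected_modules(r"C:\Program Files (x86)\Adobe\Reader 9.0") from a Python shell on the machine; any module it lists is one EMET's mandatory ASLR/DEP settings are there to cover.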
- A Second Adobe 0-day Vulnerability In Just One Week (CVE-2010-2884) (community.websense.com)
- Yet Another Adobe Flash Unpatched Vulnerability Actively Exploited in the Wild (hackademix.net)
- Adobe Blocks PDF Exploit with Microsoft’s Help (pcworld.com)
- Adobe Hit By Yet Another Flash 0-day Exploit (ghacks.net)
- Microsoft’s anti-exploit toolkit can help mitigate PDF zero-day attacks (zdnet.com)