Microsoft Tool Protects Against Adobe Zero-Day Exploit

Adobe Reader and Acrobat users on Windows machines now have a potential shield available to protect them from attackers targeting a zero-day vulnerability.

Microsoft and Adobe Systems announced on 10 September that the latest edition of Microsoft’s Enhanced Mitigation Experience Toolkit can be used to block attacks. The announcement followed reports that an exploit currently in the wild can bypass Microsoft’s data execution prevention feature using a technique known as ROP (return-oriented programming).

“Normally Address Space Layout Randomisation (ASLR) would help prevent successful exploitation,” said a post on Microsoft’s Security Research & Defence blog. “However, this product ships with a DLL (icucnv36.dll) that doesn’t have ASLR turned on. Without ASLR, this DLL is always going to be loaded at a predictable address and can be leverage by an exploit.”

Reader, Acrobat flaws

EMET 2.0 blocks the exploit by deploying mandatory ASLR as well as export address table access filtering, Microsoft said.

Adobe has said little about the technical details of the vulnerability. However, in an advisory, Secunia identified the Reader and Acrobat vulnerability as arising from “a boundary error within CoolType.dll when processing the ‘uniqueName’ entry of SING tables in fonts … [The bug] can be exploited to cause a stack-based buffer overflow by e.g. tricking a user into opening a malicious PDF file containing a specially crafted embedded font”.

The vulnerability affects Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and Unix, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh.

Though both Microsoft and Adobe suggested users try EMET, the companies added that only limited testing of “the functional compatibility of this mitigation” has been done, and recommended users test the mitigation in their own environments.

Adobe has said it plans to patch the vulnerability, but has not given a firm date for when that will happen.