Enhanced Mitigation Experience (EMET) 2.0 Toolkit Blocks Adobe Reader and Acrobat 'Zero-day' Exploit

As you probably know, a new "0-day" exploit for Adobe Reader and Acrobat is in the wild. It uses the Return Oriented Programming (ROP) technique to bypass Data Execution Prevention (DEP). Normally Address Space Layout Randomization (ASLR) would help prevent successful exploitation. However, this product ships with a DLL (icucnv36.dll) that doesn't have ASLR turned on. Without ASLR, this DLL is always going to be loaded at a predictable address and can be leveraged by an exploit (see pic).
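To check whether a given DLL has opted in to ASLR, read the DllCharacteristics field of its PE optional header. The following is an added example, not part of the original post: the function names are hypothetical, and the sample header bytes and the base address 0x10000000 are constructed for the demonstration, not taken from icucnv36.dll.

```python
import struct
import sys

DYNAMIC_BASE = 0x0040  # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE: ASLR opt-in
NX_COMPAT = 0x0100     # IMAGE_DLLCHARACTERISTICS_NX_COMPAT: DEP opt-in

def pe_mitigations(data: bytes) -> dict:
    """Return ASLR/DEP opt-in flags and the preferred load address of a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    opt = pe_off + 24  # skip PE signature (4) and COFF header (20)
    if len(data) < opt + 72 or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file: bad or truncated PE header")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:    # PE32: 4-byte ImageBase at offset 28
        (base,) = struct.unpack_from("<I", data, opt + 28)
    elif magic == 0x20B:  # PE32+: 8-byte ImageBase at offset 24
        (base,) = struct.unpack_from("<Q", data, opt + 24)
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+
    (flags,) = struct.unpack_from("<H", data, opt + 70)
    return {"aslr": bool(flags & DYNAMIC_BASE),
            "dep": bool(flags & NX_COMPAT),
            "preferred_base": base}

def sample_pe32(flags: int, base: int = 0x10000000) -> bytes:
    """Constructed minimal PE32 header (not a real DLL) for demonstration."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 96, 0x2102)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)   # PE32 magic
    struct.pack_into("<I", opt, 28, base)   # ImageBase
    struct.pack_into("<H", opt, 70, flags)  # DllCharacteristics
    return dos + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    # Usage: python check_aslr.py path\to\some.dll [more files...]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, pe_mitigations(fh.read()))
```

A module reporting "aslr": False is mapped at its preferred_base whenever that address is free, unless a mitigation such as EMET's mandatory ASLR forces relocation.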

Now, with Microsoft's Enhanced Mitigation Experience Toolkit 2.0 (EMET) enabled for AcroRd32.exe, this exploit is blocked.

To enable EMET for Reader and Acrobat, install EMET and run the following command as an admin. Note: the path to Reader and Acrobat could be different on your system (especially on a 32-bit system):

    C:\Program Files (x86)\EMET>emet_conf.exe --add "c:\program files (x86)\Adobe\Reader 9.0\Reader\acrord32.exe"

The changes you've made may require restarting one or more applications.

[Source]