
[EMET] Adobe Reader 11



Adobe Reader 11 protected mode and MBAE do not seem to be happy bed-fellows.  I have in mind Windows XP with EMET 2.1 where my priority is to protect Opera 12 and Adobe Reader 11.0.5.  We have two old Dell laptops which hold no secrets and are not used for sensitive stuff and  we intend to continue using them after April 2014.  They are paid for.  MBAE (even in Beta) is seen as a way of hardening them up a bit.

 

As an aside, I have found that Office 97, that's 1897 I think  :-) , is not recognised by MBAE.


I should add that protected mode is OK with MBAE on some XP machines but it is on others.  The problem manifests itself by Adobe Reader not starting properly.  It seems to hang before the GUI appears.  Killing the process in task manager seems to help the next attempt to start Reader in protected mode but subsequent attempts to run Reader result in the problem resuming.

 

It seems not to matter if EMET is installed.  I have one system where EMET 4.1 is in all its glory with deep hooks and Reader works in protected mode without trouble.  On another I have EMET 2.1 and again Reader works with protected mode enabled.  Reader always works with protected mode disabled.


As an aside, I have found that Office 97, that's 1897 I think  :-) , is not recognised by MBAE.

 

Just between you and me I think Windows98/ME barely recognized M$OFFICE 97.. ;)

 

Sorry; couldn't resist as I still have my M$OFFICE 97 software in my collection right next to ENCARTA 98 . :P:D

 

Steve


I think I wrote my contributions while drunk.  No, that can't be right.  I'm a total abstainer.   :wacko:

 

My corrected observations about Adobe Reader 11 and EMET:  Reader protected mode and an entry in EMET (any version) are incompatible.  If you want protected mode (who doesn't?), remove AcroRd32.exe from EMET.

 

In addition to Office (18)97, I use Acrobat 6 Pro.  MBAE recognises this but I need to uncheck SimEx and stack pivot options for Acrobat to work.  Furthermore, I need to remove acrobat.exe from EMET, install MBAE then add acrobat.exe back into EMET with the last 2 check boxes unticked in the cases of EMET4 or later.

 

I have quite a few legacy apps in my XP system.  They are there because they are very useful.  Rather Office (18)97 than Office 2007 or later.  I only wish that there were an Office (17)97.   :D


Tested under W8 x64 and Acrobat Reader with max protected mode works perfectly with MBAE 0.09.4.2000.

 

As for the Acrobat 6 Pro (acrobat.exe) with EMET+MBAE issue, do you have DeepHooks enabled by any chance?

I have quite a few legacy apps in my XP system.  They are there because they are very useful.  Rather Office (18)97 than Office 2007 or later.  I only wish that there were an Office (17)97.   :D

 

They do; it's called Microsoft Works. :D:lol::D

 

*sigh* Remember when OEM installed OSes actually came with included, ACTIVATED, versions of Office and such??  I use LibreOffice now..

 

Cheers,

Steve

 

EDIT: Hmmm.. I found my WordPerfect 3.5 diskettes and my DOS 6.0 3.5 diskettes.. It's like a trip through time altho' the wife made me dump all my Apple/IBM 1980s software (and hardware) when I retired.. *sigh* I had THREE Apples; a ][, a ][+ and a //e and associated peripherals including a ZipChip 8.. Have you seen auction prices lately??  :(  :(  :( 

Edited by ShyWriter

Acrobat Pro 6 stalls when it gets to loading Escript.api.  This is when it is enabled in EMET 4.1.  Deep Hooks seems irrelevant.  Simply having entries in EMET for either Reader 11 or Acrobat 6 prevents them from running.  When the respective entries in EMET are removed, Reader 11 and Acrobat 6 work as they should.  This seems to apply to all versions of EMET (I can only speak for EMET version 2.1 and later).


Further to that, Acrobat Pro 6 runs fine when all mitigations for that application except EAF are enabled in EMET 4.1 with Deep Hooks enabled.  There might be different behaviour on other systems than Windows XP SP3.


Just to say I am finding a lot of useful information in this thread, thnx hake.

imho, I think emet is an extremely useful and I've found 'effective' protection agent.

I would definitely like to see mbae and emet side by side with no conflict.

:)


In Windows 7 (SP1 64bit), Adobe Reader 11 works fine in protected mode when it is also protected by EMET.

 

I have found that some EMET, notably EAF, mitigations often need to be turned off in 32bit Windows XP but may be used with Windows 7.  An example is Google Chrome where the EAF EMET mitigation must be unchecked in Windows XP, otherwise Google Chrome refuses to work, whereas in Windows 7 EAF mitigation may be enabled for Chrome.

 

I am very pleased with Anti-Exploit and use it on all my systems where the web browser is recognised by Anti-Exploit (this excludes my online banking machine where I use Comodo Dragon).  It's nice to use security which does not impair performance or cause problems.  I installed Anti-Exploit on two Windows 7 64bit systems.  One was successful but the other was not, a difficulty with getting the system tray icon to display (mbae.exe was running) persuaded me to uninstall Anti-Exploit.  I have noticed that a little gentle persuasion is needed to make the Anti-Exploit UI run from startup after installation.  Once it's starting routinely, it is no further trouble.

 

I have noticed that this beta release does not recognise Office 2007 on Windows 7.  Web browsers, Java (Internet facing) and Adobe Acrobat/Reader are definitely recognised by Anti-Exploit.  I like the possibility of protection for the scripting host but have not been able to verify if this is operational.


 

I have noticed that this beta release does not recognise Office 2007 on Windows 7. 

 

The issue with Office not showing up in the logs is known, but it is still protected by MBAE, even if they don't show up in the LOGS tab.

 

Cheers!


As far as my XP SP3 system is concerned, I still need to remove Adobe Reader 11 from EMET 4.1 for it to run in protected mode.  I have tried disabling 'deep hooks' but to no avail.

 

However, Acrobat 6 Pro no longer requires the EMET EAF mitigation to be disabled.

 

Does Anti-Exploit protect Office 97 apps?


The executables in question are in C:\Program Files\Microsoft Office\Office\

The filenames are winword.exe and EXCEL.EXE (as displayed by Explorer).


Thanks

  • 3 weeks later...

I have at last dipped my toe into Windows 7 (32bit) and find that on this very fresh installation of Win 7 that Adobe Reader 11 is able to run in protected mode and be mitigated by EMET 4.1 with Deep Hooks activated.  This is in contrast to Win XP SP3 (32bit) where this has not been found possible in my (limited) experience.
