Adobe Acrobat 9 – Creamy Security Goodness (on Vista / WS2008)


So I noticed yesterday that Adobe had quietly released Acrobat 9 to the web.  I decided to download it and check it out to see if they had finally gotten a copy of the memo (it’s just that we’re putting cover sheets on all of our TPS reports now) and decided to start opting in to some of the exploit prevention technologies we provide on Vista / WS2008 (like Apple has with QuickTime). 


Well folks – I am super pleased to report – Adobe has finally gotten serious and released a version of Acrobat that supports not only DEP in permanent mode – but also ASLR!  (Now if we could just convince people that Vista isn’t all the suck that the media hypes it up to be so that they would install it and get the benefit of ASLR).


So a huge round of applause for Adobe please – even though opting in to these features involves just a couple of additional linker switches – it’s certainly not that easy in reality and could have involved switching compilers, performing lots of additional testing, working with 3rd parties to make sure their additions / plug-ins still work or will work, etc. etc.


Anyhoo – here’s the gory details from the linker:
C:\Program Files (x86)\Adobe\Reader 9.0\Reader>dumpbin /headers AcroRd32.exe
Microsoft (R) COFF/PE Dumper Version 9.00.21022.08
Copyright (C) Microsoft Corporation.  All rights reserved.

Dump of file AcroRd32.exe

PE signature found

File Type: EXECUTABLE IMAGE

FILE HEADER VALUES
             14C machine (x86)
               5 number of sections
        4850F0A3 time date stamp Thu Jun 12 05:47:15 2008
               0 file pointer to symbol table
               0 number of symbols
              E0 size of optional header
             102 characteristics
                   Executable
                   32 bit word machine

OPTIONAL HEADER VALUES
             10B magic # (PE32)
            8.00 linker version
            4000 size of code
           4F000 size of initialized data
               0 size of uninitialized data
            4054 entry point (00404054)
            1000 base of code
            5000 base of data
          400000 image base (00400000 to 00453FFF)
            1000 section alignment
            1000 file alignment
            4.00 operating system version
            0.00 image version
            4.00 subsystem version
               0 Win32 version
           54000 size of image
            1000 size of headers
           56920 checksum
               2 subsystem (Windows GUI)
             140 DLL characteristics
                   Dynamic base // ASLR! W00T!!!
                   NX compatible // DEP (Permanent) W00T!!!
          100000 size of stack reserve
            1000 size of stack commit
          100000 size of heap reserve
            1000 size of heap commit
               0 loader flags
              10 number of directories
               0 [       0] RVA [size] of Export Directory
            795C [      8C] RVA [size] of Import Directory
            A000 [   48F54] RVA [size] of Resource Directory
               0 [       0] RVA [size] of Exception Directory
           54000 [    1568] RVA [size] of Certificates Directory
           53000 [     69C] RVA [size] of Base Relocation Directory
            5270 [      1C] RVA [size] of Debug Directory
               0 [       0] RVA [size] of Architecture Directory
               0 [       0] RVA [size] of Global Pointer Directory
               0 [       0] RVA [size] of Thread Storage Directory
            71E0 [      40] RVA [size] of Load Configuration Directory
               0 [       0] RVA [size] of Bound Import Directory
            5000 [     234] RVA [size] of Import Address Table Directory
               0 [       0] RVA [size] of Delay Import Directory
               0 [       0] RVA [size] of COM Descriptor Directory
               0 [       0] RVA [size] of Reserved Directory


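The "140 DLL characteristics" line in that dump is just two bits of the optional header's DllCharacteristics field: 0x40 is "Dynamic base" (ASLR opt-in) and 0x100 is "NX compatible" (DEP opt-in). As an added example, not code from the original post or from Adobe, the Python below reads that field straight out of a PE file so the same check can be run across a fleet without dumpbin; the stub header it builds for offline use is constructed from the values in the dump above and is not a loadable image.

```python
import struct
import sys

# IMAGE_DLLCHARACTERISTICS_* bits, named the way dumpbin prints them
DYNAMIC_BASE = 0x0040   # "Dynamic base": image may be rebased -> ASLR opt-in
NX_COMPAT = 0x0100      # "NX compatible": DEP opt-in (permanent on Vista/WS2008)

def dll_characteristics(data: bytes) -> int:
    """Return the DllCharacteristics field from a raw PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20                     # skip signature + 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):             # PE32 / PE32+
        raise ValueError("unexpected optional header magic 0x%X" % magic)
    # Subsystem sits at offset 68 and DllCharacteristics at 70 in both PE32 and PE32+
    return struct.unpack_from("<H", data, opt + 70)[0]

def mitigations(data: bytes) -> dict:
    """Report ASLR/DEP opt-in the way dumpbin's 'DLL characteristics' block does."""
    dc = dll_characteristics(data)
    return {"dll_characteristics": dc,
            "aslr": bool(dc & DYNAMIC_BASE),
            "dep": bool(dc & NX_COMPAT)}

def build_stub_pe(dll_chars: int) -> bytes:
    """Constructed minimal PE32 header (not a loadable image) for offline testing.
    The COFF header values are copied from the AcroRd32.exe dump above."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 5, 0x4850F0A3, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    # Usage: python pe_mitigations.py AcroRd32.exe  (defaults to the constructed stub)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_stub_pe(0x140)
    print(mitigations(data))   # stub -> {'dll_characteristics': 320, 'aslr': True, 'dep': True}
```

Run it against every executable and DLL in a product's install directory to see which modules opted in; a single non-ASLR DLL loaded into the process gives an attacker a fixed address to work from, so the check is only meaningful across the whole module set.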
Comments (4)

  1. Anonymous says:

    On a good note, Adobe Acrobat 9 seems to run faster and has a few compiler/at-link-time security features enabled (ASLR and DEP). On a bad note, they have opened up new vectors that can be exploited due to the new playback of Flash content. You ca

  2. Anonymous says:

    … I leave it to you to give an answer, after reading the two posts I propose below. The first is

  3. Anonymous says:

    Yes, you read the title correctly. Why Adobe Reader 9.0? Take a look at Robert's article

  4. Anonymous says:

    Despite Adobe opening up a hole in the product by supporting playback of FLV and SWF files, Robert does