Forum Thread: EMET - which process/thread is it killing?

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
Open Discussions

This thread has been marked as locked.
libove EMET - which process/thread is it killing?
Member 28th Oct, 2010 10:15
Ranking: 31
Posts: 71
User Since: 12th Feb, 2008
System Score: N/A
Location: N/A
I use the obsolete ACDSee Photo Editor v3.1. Unfortunately, EMET doesn't like it. Even more unfortunately, it's not as simple as just adding the ACDSeePhotoEditor3.exe to EMET's list of configured applications and opting that .exe out of all EMET protections.

Environment: Windows 7 Pro & Ultimate, 64-bit.
I first noticed the problem on my Ultimate 64-bit desktop system, then reproduced it in a clean Pro 64-bit VMware guest.

The specific symptom with ACDSee Photo Editor 3.1 when DEP is enabled is that, though ACDSee Photo Editor 3.1 will open (with a blank image), any attempt at all to open any .JPG image causes ACDSee Photo Editor 3.1 to incorrectly report "The file filename.jpg is corrupt and causing plug-in errors."

The only way I got ACDSee Photo Editor v3.1 to run at all on a system with EMET enabled was to *globally* set DEP in EMET to either disabled or application opt-in.

A blank image can be created in ACDSee Photo Editor 3.1 (blank images have no file type by default in this program).
An image which started out as a .JPG in another program can be pasted into ACDSee Photo Editor 3.1.

Any attempt to save any image (no matter its origin) as a .JPG triggers "An error occurred while saving the image. The Image was not saved."

The same image can be saved as .GIF and .BMP.

Trying to save as .JP2 causes:
"Unrecoverable Plug-in Error" "C:\Program Files (x86)\Common Files\ACD Systems\PlugIns2\IDE_JP2.apl" "ACD Photo Editor has detected that this plug-in has committed an unrecoverable error. Execution of the plug-in code has been terminated." (followed by the same "An error occurred while saving the image. The Image was not saved." from above)

n.b. that these failures only result in the report of the plugin or save error, but do not crash ACDSee Photo Editor 3.1 itself.


All of this suggests to me that it is not specifically the ACDSeePhotoEditor3.exe itself which is tripping on DEP, but rather something else that it is calling - the various image type plugins.
And on that point, I am lost as to how to find the specific piece of code that I can identify to EMET for which to disable DEP.

Could someone here give me a hint please on how to figure out what, associated with ACDSeePhotoEditor3.exe, is tripping over DEP, so that I can selectively opt-out just that component from DEP, instead of having to leave most applications un-protected by DEP just in order to get this one app to work?

Thanks!
Jay

M.Hansen RE: EMET - which process/thread is it killing?
Secunia Official 28th Oct, 2010 10:47
Score: 188
Posts: 410
User Since: 26th Jan 2009
System Score: N/A
Location: Copenhagen, DK
Hi

I'm not familiar with the use of the ACDSEE programs, so I won't be able to help you technically.

However, in case you haven't, you could try to seek help at the ACDSEE community forum:
http://community.acdsee.com/

Good Luck!

/M.Hansen
ddmarshall RE: EMET - which process/thread is it killing?
Dedicated Contributor 28th Oct, 2010 12:46
Score: 1212
Posts: 965
User Since: 8th Nov 2008
System Score: 98%
Location: UK
Last edited on 28th Oct, 2010 12:56
You can make a system trace using Sysinternals Process Monitor
http://technet.microsoft.com/en-us/sysinternals/bb...

There is a video tutorial on using this available from
http://www.msteched.com/2010/NorthAmerica/WCL314

I'm not sure that opting out at the application level will work if you have system wide DEP set. You can email the authors at switech@microsoft.com for advice.

Some more information which might help you understand what's happening (pre-Windows 7, but the Vista part should be relevant):
http://blogs.technet.com/b/srd/archive/2009/06/12/...

--
This answer is provided “as-is.” You bear the risk of using it.
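
One way to act on the Process Monitor suggestion above, as an added example that is not part of the original thread: export the trace to CSV and list the images the process mapped after it first touched the file being opened or saved, which gives the candidate plug-ins for the failing action. It assumes Process Monitor's default CSV columns; the function names and every sample row except the IDE_JP2.apl path are constructed.

```python
import csv
import io

# Constructed sample of a Process Monitor CSV export (default columns).
# Only the IDE_JP2.apl path appears in the thread; every other row,
# path and timestamp is made up for illustration.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:15:01.0000001","ACDSeePhotoEditor3.exe","4120","Load Image","C:\Example\ACDSeePhotoEditor3.exe","SUCCESS","Image Base: 0x400000"
"10:15:01.0000002","ACDSeePhotoEditor3.exe","4120","Load Image","C:\Windows\SysWOW64\kernel32.dll","SUCCESS","Image Base: 0x76000000"
"10:15:09.0000001","explorer.exe","1888","Load Image","C:\Example\unrelated.dll","SUCCESS","Image Base: 0x10000000"
"10:15:20.0000001","ACDSeePhotoEditor3.exe","4120","CreateFile","C:\Example\Pictures\test.jp2","SUCCESS","Desired Access: Generic Write"
"10:15:20.0000002","ACDSeePhotoEditor3.exe","4120","Load Image","C:\Program Files (x86)\Common Files\ACD Systems\PlugIns2\IDE_JP2.apl","SUCCESS","Image Base: 0x10000000"
"10:15:20.0000003","ACDSeePhotoEditor3.exe","4120","Load Image","C:\Example\helper.dll","SUCCESS","Image Base: 0x20000000"
'''


def _rows(csv_text, process_name):
    """Yield the trace rows that belong to one process (case-insensitive)."""
    # Strip a leading byte-order mark so the first header name parses cleanly.
    reader = csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff")))
    for row in reader:
        if row["Process Name"].lower() == process_name.lower():
            yield row


def images_loaded_after(csv_text, process_name, trigger_suffix, under=""):
    """Images the process mapped after it first opened a file whose name
    ends in trigger_suffix, in load order; `under` narrows by path substring."""
    triggered, images = False, []
    for row in _rows(csv_text, process_name):
        path = row["Path"]
        if not triggered:
            # Wait for the first CreateFile on the document being opened/saved.
            triggered = (row["Operation"] == "CreateFile"
                         and path.lower().endswith(trigger_suffix.lower()))
            continue
        if (row["Operation"] == "Load Image" and row["Result"] == "SUCCESS"
                and under.lower() in path.lower() and path not in images):
            images.append(path)
    return images


if __name__ == "__main__":
    for image in images_loaded_after(SAMPLE_CSV, "ACDSeePhotoEditor3.exe", ".jp2"):
        print(image)
```

Passing `under="PlugIns2"` restricts the result to modules loaded from the plug-in directory named in the error dialog.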