Widespread exploits evade protections enforced by Microsoft EMET

06.06.2016
It's bad news for businesses. Hackers have launched large-scale attacks that are capable of bypassing the security protections added by Microsoft's Enhanced Mitigation Experience Toolkit (EMET), a tool whose goal is to stop software exploits.

Security researchers from FireEye have observed Silverlight and Flash Player exploits designed to evade EMET mitigations such as Data Execution Prevention (DEP), Export Address Table Access Filtering (EAF) and Export Address Table Access Filtering Plus (EAF+). The exploits have been recently added to the Angler exploit kit.

Angler is one of the most widely used attack tools used by cybercriminals to launch Web-based, "drive-by" download attacks. It is capable of installing malware by exploiting vulnerabilities in users' browsers or browser plug-ins when they visit compromised websites or view maliciously crafted ads.

"The ability of Angler EK to evade EMET mitigations and successfully exploit Flash and Silverlight is fairly sophisticated in our opinion," the FireEye researchers said Monday in a blog post.

First released in 2009, EMET can enforce modern exploit mitigation mechanisms for third-party applications -- especially legacy ones -- that were built without them. This makes it much harder for attackers to exploit vulnerabilities in those programs in order to compromise computers.

While EMET is often recommended as a defense layer for zero-day exploits -- exploits for previously unknown vulnerabilities -- it also gives companies some leeway when it comes to how fast they patch known flaws.

In corporate environments, the deployment of patching does not happen automatically. Patches for the OS or stand-alone programs need to be prioritized, tested and only then pushed to computers, a process that can substantially delay their installation.

With widespread exploits now able to evade EMET mitigations, the tool should no longer be relied on to protect old versions of applications like Flash Player, Adobe Reader, Silverlight or Java until a company can update them.

Unfortunately, organizations are sometimes forced to keep old versions of browser plug-ins and other applications installed on endpoint computers in order to maintain compatibility with custom-made internal Web applications that haven't been rewritten in years.

"Applications such as Adobe Flash, web browsers, and Oracle Java should be patched routinely, prioritizing critical patches, or removed if possible," the FireEye researchers said. "Because the Web browser plays an important role in the infection process, disabling browser plugins for Flash or Silverlight may also reduce the browser attack surface."

Lucian Constantin

Zur Startseite