Flash and Silverlight exploits bypass EMET on Windows 7

EMET – Enhanced Mitigation Experience Toolkit – is a security tool offered free of charge by Microsoft. Mainly intended for businesses (individuals can also use it), it helps reduce the risk of exploitation of 0-day vulnerabilities in Windows, or of known vulnerabilities for which the available fixes have not yet been applied.

To this end, several mitigation technologies can be enabled and managed from a single interface; they make exploitation harder. This protective shield has just taken a blow: the security company FireEye details new exploits that circumvent the additional protections EMET brings to Windows 7, an operating system still widely used.

The big downside is that, even though these exploits are quite sophisticated, they are already in the arsenal of the Angler exploit kit, one of cybercriminals' favorite tools for drive-by attacks (web attacks that lead to downloading malware). In this case, they rely on Flash Player and Silverlight to deliver the TeslaCrypt ransomware.

Admittedly, for this particular ransomware, the threat is no longer as high, since its authors released the master key to decrypt the files taken hostage. However, it is still used in attacks, and TeslaCrypt may be only the first example of a payload.

The FireEye researchers explain that the Flash and Silverlight exploits use routines from Flash.ocx and Coreclr.dll respectively to call functions and defeat a protection such as DEP (Data Execution Prevention) before executing the shellcode. The exploits can also bypass the protections called EAF (Export Address Table Access Filtering) and EAF+ (Export Address Table Access Filtering Plus).

FireEye's advice is hardly revolutionary, however: "Applications like Adobe Flash, web browsers and Oracle Java should be updated regularly, critical patches prioritized, or removed if possible. (…) Disabling plugins for Flash or Silverlight for browsers can also decrease the attack surface."

The fact remains that companies can no longer rely on EMET alone while waiting to deploy the available updates.