Hackers develop drive-by exploit kit to bypass Microsoft’s EMET protection and infect Silverlight and Flash Apps
Hackers have finally managed to break through the defences of Microsoft EMET protection tools. They have bypassed Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) exploit blocker to infect Silverlight and Flash apps, according to a new report out by ComputerWorld.
FireEye security researchers observed Silverlight and Flash Player exploits designed to evade EMET mitigations such as Data Execution Prevention (DEP), Export Address Table Access Filtering (EAF) and Export Address Table Access Filtering Plus (EAF+). The exploits have recently been added to the Angler exploit kit, which is considered the most sophisticated and most successful exploit kit used by cybercriminals to launch Web-based “drive-by” download attacks.
The Flash Player and Microsoft Silverlight exploits currently leveraged by Angler to deliver malware do not depend on typical return-oriented programming (ROP) exploit techniques to avoid the DEP mitigation.
In a blog post about the issue, the security firm FireEye also notes that this is the first time that this Angler EK exploit has appeared in the wild, and that the issue only affected systems running Windows 7. FireEye also notes that the kit uses heavy multi-layered code obfuscation and leverages multiple exploits, making it “one of the more sophisticated exploit kits in use at this time.”
Released in 2009, EMET was designed to apply modern exploit mitigation mechanisms to third-party applications that were built without them. This makes it much more difficult for attackers to exploit vulnerabilities in those programs in order to compromise computers.
“Although there are no quick solutions for the DEP, EAF, and EAF+ evasion techniques, organizations can mitigate this threat through a robust vulnerability management program for end user systems, which includes the installation of security updates for third party software,” researchers said. FireEye also suggests disabling browser plugins for Flash or Silverlight to lessen the risk of attack.
Ironically, in order to maintain compatibility with custom-made internal Web applications that have not been rewritten in years, organizations are sometimes compelled to keep old versions of browser plug-ins and other applications installed on endpoint computers.
“Applications such as Adobe Flash, web browsers, and Oracle Java should be patched routinely, prioritizing critical patches, or removed if possible,” the FireEye researchers said. “Because the Web browser plays an important role in the infection process, disabling browser plugins for Flash or Silverlight may also reduce the browser attack surface.”