Drive-By Exploits Pushing Ransomware Now Able To Bypass Microsoft EMET

An anonymous reader writes from a report via Ars Technica: Ars Technica reports that drive-by attacks that install the TeslaCrypt crypto ransomware are now able to bypass Microsoft's Enhanced Mitigation Experience Toolkit (EMET), which is designed to block entire classes of Windows-based exploits. The EMET-evading attacks are included in Angler, a toolkit for sale online that provides ready-to-use exploits that can be stitched into compromised websites. Researchers from FireEye published a blog post Monday that says the new Angler attacks are significant because they're the first exploits found in the wild that effectively pierce the mitigations. The exploits' code is based on the Adobe Flash and Microsoft Silverlight browser plugins that bypass data execution prevention, a protection that prevents computers from running data loaded into memory. The new Angler exploits rely on techniques other than Data Execution Prevention (DEP) that are harder to detect and contain fewer limitations. FireEye researchers have observed the exploits working only on Windows 7 and not on Windows 10, which is more resistant to exploits. They also only work when targeted computers have either Flash or Silverlight installed. Microsoft created EMET to largely block entire classes of memory-based software exploits that had existed for decades. Now, Angler developers have struck back with techniques that can undo some of those protections. Recently, the TeslaCrypt ransomware makers closed down shop and released a master key and an apology.

My question

[TheDarkener]

Why does Adobe Flash and Microsoft Silverlight browser plugins bypass data execution prevention?

Re:

[Anonymous Coward]

Get back to TempleOS,Terry.

Re:My question

[Dog-Cow]

Anything with a JIT needs to bypass DEP.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[Anonymous Coward]

Good job. You have now described the problem. And just like many others, you have done only that. As your next step, please devise and describe a feasible solution. That would actually be helpful.

I do not know what a feasible solution looks like. Then again, I do not run around pointing out a well known problem to everyone all the time, either.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Anonymous Coward]

You can do it at link time with this: https://msdn.microsoft.com/en-... [microsoft.com] Or by setting the proper AppCompatFlags. Or by calling SetProcessDEPPolicy. Or half a dozen other ways documented on MSDN and technet.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[account_deleted]

Comment removed based on user account deletion

Well cancelled the netflix awhile back

[Crashmarik]

That was my one reason for Silverlight.
Flash disabled for awhile now just too damn dangerous.

Re:

[Opportunist]

Hey, don't worry, Windows is as secure as ever!

Re:

[Opportunist]

At this point I'm honestly waiting for MS to push the Win10 update by means of a drive-by infecting trojan.

Re:

[Anonymous Coward]

These exploits work on some unpatched Windows 7 which was released in 2009. Windows 10 is not vulnerable to them at all. At least RTFM and get a clue before making blanket statements that make you sound like you don't know what you're talking about.

MS can fix this easily

[lord merlin]

Microsoft has lots of money. Why don't they just actively buy these exploits as they hit the market (through an 'agent' if they must), reverse engineer them, update EMET & issue a patch that closes the flaw, and move on, long before anyone is hacked ???

Re:

[Opportunist]

False analogy. You cannot simply up the production of 0day exploits when you see an increase in demand, unlike drugs.

Re:

[swb]

On a par with a drugs policy that says "the goverment should just buy all the drugs at street prices" Pathetic.

I've read more than once that in the mid 1970s several warlords in the Golden Triangle offered to sell the US government their entire opium production.

And I think it's been suggested as a counter-insurgency tactic in Afghanistan. Rather than spending even more to convince local farmers to grow lower-value cash crops and an eradication by force campaign, simply corner the market and buy up the supply.

I'm sure there are problems, both in terms of academic economics and unintended consequences, but it's an in

Re:

[gtall]

And create a growth market for the supply of opium. If you are guaranteed a price which makes it worth your while to grow opium, then you have every incentive to maximize your acreage. And there's nothing stopping you from siphoning some off for the local warlords you need to keep happy for the privilege of growing opium. To stop the siphoning means ramping up enforcement. If you, as an opium grower, is faced with enforcement from the U.S. or local governments, that still will fail to compete against death

Re:

[Opportunist]

Hey, WE have been telling people for at least 10 years now that DEP is a problem. It just takes the idiots in management roughly a decade to get their head out of their ass (or off the coke table) and realize there is a problem. Currently we're waiting for them to notice that social engineering could be a problem and that we should implement steps to ensure that mails that allegedly come from management really do, but I don't hold my breath for this to arrive with them.

Like every other problem on this plane