The hand-wringing over enterprises no longer being able to rely on Microsoft's Enhanced Mitigation Experience Toolkit (EMET) to block software exploits appears to have been premature: A new cyberespionage outfit is targeting a critical vulnerability in Adobe's Flash Player, and EMET is effectively mitigating the attacks.
Adobe has warned that a critical vulnerability in Flash Player (CVE-2016-4171) is currently being exploited in limited targeted attacks. The flaw exists in the latest Flash version 184.108.40.206 and earlier for Windows, MacOS, Linux, and Chrome OS. A patch is expected later this week as part of the monthly security bulletin.
"Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system," Adobe said in its brief security advisory.
New advanced persistent threat (APT) group ScarCruft has been using the Flash zero-day against high-profile victims in Russia, Nepal, South Korea, China, India, Kuwait, and Romania since March, said Kaspersky Lab, who discovered the exploit and reported the vulnerability to Adobe. The APT group has been targeting companies and organizations for high-value information and data as part of Operation Daybreak. Kaspersky Lab held back details of ScarCruft's ongoing campaign targeting the vulnerability, but recommended enterprises use EMET.
"We confirm that Microsoft EMET is effective at mitigating the attacks," said Costin Raiu, director of global research and analysis team at Kaspersky Lab.
Microsoft released EMET in 2009 to enforce modern exploit mitigation mechanisms such as Data Execution Prevention (DEP), Export Address Table Access Filtering (EAF), and Export Address Table Access Filtering Plus (EAF+) in legacy applications that don't have them. By deploying EMET on the endpoint, enterprises make it harder for attackers to exploit flaws in certain programs on those systems. Enterprises have benefited from deploying EMET as a line-of-defense for attacks targeting zero-day vulnerabilities in Flash, Silverlight, and a handful of other technologies. With EMET, enterprises were able to protect the endpoints while waiting for the vendor-supplied patch.
Earlier this week, FireEye researchers observed that Silverlight and Flash Player exploits capable of evading EMET have been added to the Angler exploit kit. This isn't the first time exploit kits and malware have successfully bypassed EMET, but the alarm was related to the fact that Angler is widely popular in the criminal underground. Angler has been seen in various web-based attacks such as malvertising, ransomware, and other drive-by downloads.
However, simply because Angler and other exploits are adding EMET bypasses doesn't mean enterprises should abandon EMET. Exploit kits are increasingly becoming more sophisticated, but EMET is still effective against zero-day vulnerabilities. Enterprises should not rely on EMET exclusively to protect applications, but should continue to use EMET as part of a robust vulnerability management program.
As always, if the system doesn't need Flash, remove it. Many browsers are set up to disable Flash Player or make it click-to-play. There's no need to have a potentially vulnerable application on a system that doesn't use it, so close off that avenue of attack, if possible.