
If I did not update Adobe Flash and instead used the old version (from before the Hacking Team 0-day exploit was published on the internet), would Microsoft EMET protect me from the latest Hacking Team Adobe Flash 0-day exploit?

  • I mean, was Microsoft EMET effective in protecting users from the Hacking Team Adobe Flash 0-day exploit before Adobe patched that vulnerability?
  • How effective was Microsoft EMET in preventing an attack with the Hacking Team Adobe Flash 0-day exploit before Adobe patched that vulnerability?

Malwarebytes Anti-Exploit was able to prevent that kind of attack, and a big part of Malwarebytes Anti-Exploit is based on Microsoft EMET technology. So it is interesting whether Microsoft EMET is also able to prevent that kind of attack, as Malwarebytes Anti-Exploit can.

I am NOT asking this question because of some interest in using an old version of Adobe Flash. Instead, I am asking this question to get an idea of the effectiveness of Microsoft EMET against 0-day exploits, using this particular example of the Hacking Team Adobe Flash 0-day exploit.

StackzOfZtuff
vasili111

2 Answers


EMET participates in a defence-in-depth approach to security. It adds an effective supplementary security layer when an attacker manages to successfully exploit vulnerable software without being blocked by the anti-virus.

However, such a domain is an endless race: as EMET becomes more popular, attackers will try to craft their exploits to bypass it.

As for Hacking Team, they seemed to run very regular tests against anti-virus detection, but EMET was apparently not part of them. The only Microsoft security products targeted in these tests were Microsoft Security Essentials and Microsoft Defender.

Their exploit acquisition form, however, does contain a question regarding the EMET-avoidance capabilities of submitted exploits.

Hacking Team remains, after all, just a commercial software development company, so their new feature development (EMET avoidance being just one feature among others) is mostly driven by customer requests. It is sufficient for a customer to request it (and of course pay for it) for EMET avoidance to become part of the Hacking Team portfolio.

I think it is in anticipation of such a move that HT was already recording in their database the EMET-avoidance capabilities of their exploits. However, with EMET not being installed by default in Windows and no red flags prompting the end user to install it (as opposed to firewall and anti-virus software, whose side effects are better handled), it remains for now too much of a niche domain to invest a significant amount of money into the development and maintenance of such functionality.

With such an analysis, as far as we are talking about plain, unmodified Hacking Team exploits, EMET should bring an effective security layer (I firmly highlight the should, since only thorough tests against each and every exploit as presented in the first link would prove anything in that regard). However, since these exploits are now published, nothing prevents other hacker teams from modifying them to include anti-EMET features. In such a case you will be screwed...

WhiteWinterWolf

EDIT:

The OP has TOTALLY modified his question by re-editing it AFTER I answered him, so my actual answer seems to be an answer to another question. So please stop being chatty and take the time to read the comments above before you add yours and restart the same conversation with me.

Was Microsoft EMET effective in protecting users from the Hacking Team Adobe Flash 0-day exploit before Adobe patched that vulnerability?

Before saying yes or no, you have to know that using an old version of Adobe Flash is really, really a bad idea.

  1. First of all, you are trying to avoid the July 2015 vulnerability (published as CVE-2015-5119), whereas all previous Adobe Flash versions suffer from it, as you can see here:

[image]

  2. The second reason I say it is a bad option to use an earlier version is that it exposes you to all former severe vulnerabilities and risks, from which Microsoft EMET cannot necessarily protect you.

  3. The third reason this is a bad option is that the CVE-2015-5119 vulnerability appeared in July 2015, whereas the latest version of Microsoft EMET was released on July 31, 2014 and, worse, its support is supposed to end 12 months later, so a month before this vulnerability was published:

[image]

  4. The fourth reason I say this is a bad idea is that you cannot rely that much on Microsoft EMET, as Microsoft itself confesses:

The security mitigation technologies that EMET uses have an application-compatibility risk. Some applications rely on exactly the behavior that the mitigations block. It is important to thoroughly test EMET on all target computers by using test scenarios before you deploy EMET in a production environment. If you encounter a problem that affects a specific mitigation, you can individually enable and disable that specific mitigation. For more information, refer to the EMET user's guide.

The solution is to follow the steps required to patch your current version, as explained on the official Adobe Flash website. But this is only if you are forced to use Adobe Flash for some very specific reason; otherwise the best thing you can do is to use HTML5 instead and forget about Adobe Flash entirely.

  • Thanks for your answer. But it does not answer the main question, which is about the effectiveness of Microsoft EMET in preventing the threat from a particular 0-day exploit. Maybe my question was not as clear as it should be, so I have edited the last part of my question to make it clearer. "I am NOT asking this question because of some interest in using an old version of Adobe Flash. I am asking this question to get an idea of the effectiveness of Microsoft EMET against 0-day exploits, using the particular example of the Hacking Team Adobe Flash 0-day exploit." – vasili111 Aug 08 '15 at 06:56
  • @vasili111 Sorry, you mentioned the Adobe Flash vulnerability even in the title, so I thought that was your main interest. However, what you underlined in this comment is covered by the last point I mentioned (4). –  Aug 08 '15 at 06:59
  • @vasili111 Also, it was good you mentioned Flash in your actual question, because it is a good example that answers your main question: it is not effective, as this vulnerability (which always existed but was not detected by EMET) shows. And no software could claim to protect you from 0-day vulnerabilities. –  Aug 08 '15 at 07:07
  • For example, Malwarebytes Anti-Exploit was able to prevent that kind of attack (https://blog.malwarebytes.org/zero-days/2015/07/hacking-team-leak-exposes-new-flash-zero-day/). A big part of Malwarebytes Anti-Exploit is based on Microsoft EMET technology. So it is interesting whether Microsoft EMET is also able to prevent that kind of attack, as Malwarebytes Anti-Exploit can. – vasili111 Aug 08 '15 at 07:13
  • I also understand that no software can guarantee full protection against 0-day attacks. But some can make you more secure, and I am trying to understand which ones and in which cases. – vasili111 Aug 08 '15 at 07:22
  • @vasili111 Just a simple question, if I may: we have seen that the July 2015 Adobe Flash vulnerability always existed in previous versions, but Microsoft EMET did not detect it. Is this not a perfect example that we cannot rely that much on it? :) –  Aug 08 '15 at 07:25
  • To detect an attack with Microsoft EMET, there has to be a direct attack. Microsoft EMET can't detect an exploit by simple file scanning. And we can't say that the Hacking Team 0-day vulnerability was widely used before (if there is a widespread attack, it should be detected by many security companies). So if there was no attack on a PC with Microsoft EMET, it can't be detected. – vasili111 Aug 08 '15 at 07:38
  • @vasili111 Detecting an attack is very different from detecting a 0-day vulnerability. –  Aug 08 '15 at 07:40
  • If many attacks are performed on particular software on many PCs, then the attack will soon be detected by security companies. After detecting the attack and finding the code used for it, the vulnerabilities will soon be found too. – vasili111 Aug 08 '15 at 07:43
  • No one can hide a vulnerability that is widely being exploited. – vasili111 Aug 08 '15 at 07:45
  • The answer lists CVE numbers, which describe vulnerabilities, while the question appears to be about the specific exploit Hacking Team possessed. The discussion goes on to be about detecting vulnerabilities or exploits. The goal of EMET (it's not Microsoft Security Essentials) is neither finding vulnerable programs nor detecting exploits, just providing an environment in which typical exploits don't work (exploit mitigation). This means neither the vulnerability nor the exploit needs to be known for EMET to prevent it, just some generic properties this exploit uses. – Michael Karcher Aug 08 '15 at 09:08
  • @MichaelKarcher Yes, he had to edit the question, so I guessed he mentioned the Flash stuff just as an example (it was even in his question's title). But if you read these comments you can see that the fourth point I mentioned covers his question as well as the details of the Flash bug. –  Aug 08 '15 at 09:11
  • Number 4 in your answer does not apply to the question at all. The fourth point discusses problems for legitimate applications that might be caused by the hardened environment EMET provides. It does not tell *anything* about how the Flash bug was exploited, nor whether the kind of exploit Hacking Team possessed is incompatible with the environment EMET provides (which would be the point of EMET). – Michael Karcher Aug 08 '15 at 09:16
  • @MichaelKarcher I am back, sorry. I do not want to reproduce the discussion I had with the OP. The first and the current versions of the question are different. I answered before he modified it. Actually the Flash bug he mentioned is, as I said, a perfect example that shows that Microsoft EMET is not that strong, since it did not succeed in detecting that vulnerability, which always existed in previous Flash versions and ... sorry, this is too chatty, it is not allowed according to the rules. –  Aug 08 '15 at 09:37
  • "using an old version of Adobe Flash is really, really a bad idea." But... the last updates have a stowaway McAfee installer without a checkbox to decline, so I'm averse to running any more updates from them. – JDługosz Aug 08 '15 at 11:15
  • @begueradj It seems like you didn't study the workings of EMET thoroughly. You think the failure to detect the Flash exploit through EMET is a perfect example of EMET failure. That is not the purpose of EMET at all. It detects generic exploit techniques such as stack pivots, ROP chains, exception handler overwrites etc. The reason I am mentioning these is that the OP asked whether EMET would be able to provide protection in this case. And my answer is: unless the exploit is specifically crafted to bypass EMET, it should be blocked by EMET. – void_in Aug 08 '15 at 14:56
  • @void_in He is asking on the assumption that EMET is used for that (to prevent 0-day vulns). I said that if it is so, then the Flash example he gave contradicts that in a perfect way. But this is too chatty, feel free to downvote or report, because you did not see the original question he asked; he modified it after my answer. **Sorry people, this is too chatty, read the comments before you comment me and I won't answer any more** –  Aug 08 '15 at 15:26
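The comments from Michael Karcher and void_in above make the point that an exploit mitigation like EMET neither scans for a vulnerability nor recognizes a specific exploit: it hooks a few critical functions and checks generic properties of the calling context, for example (as EMET's stack-pivot check does) that the stack pointer still lies inside the thread's real stack, which a ROP chain running off a pivoted heap buffer violates. The C program below is an added illustration of that principle; it is not code from this page, from EMET or from Hacking Team. It reads the main thread's stack bounds from /proc/self/maps (a Linux-specific assumption), then shows a guard allowing an ordinary call and blocking a constructed call whose stack pointer has been pivoted into a heap buffer. All function and type names are the example's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bounds of the main thread's real stack mapping. */
typedef struct {
    uintptr_t lo;
    uintptr_t hi;
} stack_bounds_t;

/* Linux-specific (assumption): locate the "[stack]" entry of /proc/self/maps,
 * which describes the main thread's stack. Returns false if it cannot be read. */
bool get_main_stack_bounds(stack_bounds_t *out)
{
    FILE *maps = fopen("/proc/self/maps", "r");
    if (maps == NULL)
        return false;

    char line[512];
    bool found = false;
    while (fgets(line, sizeof line, maps) != NULL) {
        if (strstr(line, "[stack]") == NULL)
            continue;
        unsigned long lo, hi;
        if (sscanf(line, "%lx-%lx", &lo, &hi) == 2) {
            out->lo = (uintptr_t)lo;
            out->hi = (uintptr_t)hi;
            found = true;
        }
        break;
    }
    fclose(maps);
    return found;
}

/* The generic property the guard checks: is this stack pointer inside the
 * thread's real stack? A pivoted stack (heap or data page) fails the check
 * regardless of which bug the exploit used to get control. */
bool stack_pointer_is_legit(uintptr_t sp, const stack_bounds_t *b)
{
    return sp >= b->lo && sp < b->hi;
}

typedef enum { GUARD_ALLOWED, GUARD_BLOCKED, GUARD_UNKNOWN } guard_result_t;

/* Stand-in for a hooked "critical" API (the kind that changes page permissions
 * or spawns a process). The guard runs before the real work would. */
guard_result_t guarded_critical_call(uintptr_t observed_sp)
{
    stack_bounds_t b;
    if (!get_main_stack_bounds(&b))
        return GUARD_UNKNOWN;   /* no bounds available: the mitigation cannot decide */
    return stack_pointer_is_legit(observed_sp, &b) ? GUARD_ALLOWED : GUARD_BLOCKED;
}

/* Legitimate caller: the address of a local variable approximates its stack pointer. */
guard_result_t legitimate_call(void)
{
    volatile int frame_marker = 0;
    return guarded_critical_call((uintptr_t)&frame_marker);
}

/* Attacker-style caller (constructed): the "stack" has been pivoted into a
 * heap buffer, as a ROP chain typically is after a memory-corruption bug. */
guard_result_t pivoted_call(void)
{
    uint8_t *fake_stack = malloc(4096);
    if (fake_stack == NULL)
        return GUARD_UNKNOWN;
    guard_result_t r = guarded_critical_call((uintptr_t)(fake_stack + 2048));
    free(fake_stack);
    return r;
}

static const char *describe(guard_result_t r)
{
    switch (r) {
    case GUARD_ALLOWED: return "allowed (stack pointer inside the real stack)";
    case GUARD_BLOCKED: return "blocked (stack pointer outside the real stack)";
    default:            return "unknown (stack bounds unavailable on this system)";
    }
}

int main(void)
{
    printf("legitimate call: %s\n", describe(legitimate_call()));
    printf("pivoted call:    %s\n", describe(pivoted_call()));
    return 0;
}
```

Nothing in the guard refers to Flash or to CVE-2015-5119; it only asks where the stack pointer is when the critical function is reached. That is why the mitigation can stop an exploit it has never seen, and also why WhiteWinterWolf's caveat holds: an exploit rewritten to avoid the pivot, or to unhook the guard, is not caught by this check at all.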