Drive-By Exploits Pushing Ransomware Now Able To Bypass Microsoft EMET

An anonymous reader writes: Ars Technica reports that drive-by attacks that install the TeslaCrypt crypto ransomware are now able to bypass Microsoft's Enhanced Mitigation Experience Toolkit (EMET), which is designed to block entire classes of Windows-based exploits. The EMET-evading attacks are included in Angler, a toolkit for sale online that provides ready-to-use exploits that can be stitched into compromised websites. Researchers from FireEye published a blog post Monday that says the new Angler attacks are significant because they're the first exploits found in the wild that effectively pierce the mitigations. The exploits' code is based on the Adobe Flash and Microsoft Silverlight browser plugins that bypass data execution prevention, a protection that prevents computers from running data loaded into memory. The new Angler exploits rely on techniques other than Data Execution Prevention (DEP) that's harder to detect and contains fewer limitations. FireEye researchers have observed the exploits working only on Windows 7 and not on Windows 10, which is more resistant to exploits. They also only work when targeted computers have either Flash or Silverlight installed. Microsoft created EMET to largely block entire classes of memory-based software exploits that had existed for decades. Now, Angler developers have struck back with techniques that can undo some of those protections.