EMET 5.2 / Adobe Flash

Need expertise on configuring EMET 5.2 to protect against zero-day vulnerabilities with Adobe Flash. Windows 7, 64-bit, ... Can someone provide guidance?
TetraTech Asked:

btan (Exec Consultant) Commented:
Specific to the Flash CVEs (I believe you are referring to the 3 main Adobe CVEs from the recent HT leaks), the most immediate step is to patch per the Adobe advisory; otherwise, removing Flash is the better choice.

For EMET 5.2, there is a useful guide (same link as you downloaded). Load a protection profile that is included with EMET, such as "Recommended Software.xml". This will enable mitigations for Microsoft Internet Explorer, WordPad, applications that are part of the Microsoft Office suite, Adobe Acrobat, Adobe Reader, and Oracle Java.

Specifically, see the recommendations to apply the Recommended Settings. In the Wizard options, use Recommended Settings; note that this option deletes existing settings and applies the recommended settings.
It configures EAF+ for Internet Explorer with the Microsoft Trident engine, the Adobe Flash plugin, the Microsoft VML plugin, the Microsoft VBScript engine, and the Microsoft JavaScript engine. It configures Adobe Acrobat and Adobe Reader with the Lotus Notes Field Exchange Module for Adobe Acrobat, the Adobe Reader engine, and the Adobe Acrobat Forms.

It blocks the Adobe Flash plugin from running in Microsoft Excel, PowerPoint, and Word, and blocks the Oracle Java, Microsoft VML, Microsoft MSXML 4.0, Windows Script Host Runtime, and Microsoft Scripting Runtime plugins from running in Internet Explorer on websites not belonging to the Trusted Sites or Intranet zones.
There are further system-wide settings, such as “Maximum Security Settings” and “Recommended Security Settings”, under “System Settings” for various OSes, and we can stick with the recommended settings for a start.

For application-specific additional mitigation, also note the action to be taken under “Application Configuration”. The “Default Action” ribbon defines what action EMET will take when an exploit has been detected: Stop on exploit OR Audit only. It is good to go with Audit only at the start before moving to Stop on exploit, just to make sure the application is all right, unless you are all right with being security-first, in which case activate Stop on exploit.

In addition, go for Attack Surface Reduction (ASR), which can be configured to help restrict Microsoft Office and Internet Explorer from loading the Flash ActiveX control. This is under the “Show All Settings” button in the “Options” ribbon, which allows fine-tuning or configuring additional mandatory aspects of the mitigations too. For info, ASR defines the list of modules/plugins that are blocked from being loaded in the protected application. This setting has no default values and is mandatory to enable the mitigation. This is also stated in the advisory: https://www.us-cert.gov/ncas/alerts/TA15-195A

You can also consider:
- Script-blocking applications like NoScript and ScriptSafe, which are useful in blocking Flash content
- Another approach is click-to-play, which is a feature available for most browsers (except IE, sadly) that blocks Flash content from loading by default, replacing the content on websites with a blank box.
http://krebsonsecurity.com/2013/03/help-keep-threats-at-bay-with-click-to-play/
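
An added example (not part of the original answer and not EMET's own tooling): a Python check over an exported EMET profile that reports, per protected application, whether EAF+ covers the Flash ActiveX module and whether ASR blocks it. The XML is a constructed sample; its element and attribute names and the Flash file name are assumptions to compare against your own export.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Constructed sample modeled on an EMET profile export; element and attribute
# names are assumptions to check against your own exported XML.
SAMPLE_PROFILE = r"""<EMET>
  <EMET_Apps>
    <AppConfig Path="*\Internet Explorer" Executable="iexplore.exe">
      <Mitigation Name="EAF+" Enabled="true">
        <eaf_modules>mshtml.dll;flash*.ocx;jscript*.dll;vbscript.dll;vgx.dll</eaf_modules>
      </Mitigation>
      <Mitigation Name="ASR" Enabled="true">
        <asr_modules>npjpi*.dll;vgx.dll;msxml4*.dll;wshom.ocx;scrrun.dll</asr_modules>
      </Mitigation>
    </AppConfig>
    <AppConfig Path="*\OFFICE1*" Executable="WINWORD.EXE">
      <Mitigation Name="ASR" Enabled="true"><asr_modules>flash*.ocx</asr_modules></Mitigation>
    </AppConfig>
    <AppConfig Path="*\OFFICE1*" Executable="EXCEL.EXE">
      <Mitigation Name="ASR" Enabled="false"><asr_modules>flash*.ocx</asr_modules></Mitigation>
    </AppConfig>
  </EMET_Apps>
</EMET>"""

FLASH_MODULE = "Flash32_18_0_0_0.ocx"  # constructed Flash ActiveX file name

def covers(app, mitigation, list_tag, module=FLASH_MODULE):
    """True if `mitigation` is enabled for `app` and its module list matches `module`."""
    for mit in app.findall("Mitigation"):
        if mit.get("Name") != mitigation or mit.get("Enabled", "").lower() != "true":
            continue  # a module list on a disabled mitigation protects nothing
        patterns = (mit.findtext(list_tag) or "").split(";")
        if any(fnmatch.fnmatch(module.lower(), p.strip().lower()) for p in patterns if p.strip()):
            return True
    return False

def audit_flash(profile_xml):
    """Map each executable to the Flash-related coverage its profile entry gives."""
    report = {}
    for app in ET.fromstring(profile_xml).iter("AppConfig"):
        report[app.get("Executable").lower()] = {
            "eaf_plus_watches_flash": covers(app, "EAF+", "eaf_modules"),
            "asr_blocks_flash": covers(app, "ASR", "asr_modules"),
        }
    return report

if __name__ == "__main__":
    for exe, result in audit_flash(SAMPLE_PROFILE).items():
        print(exe, result)
```

In the sample, the Excel entry lists the Flash module but has ASR disabled, so it is reported as not blocked.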
gheist Commented:
If we read more on the HT disclosures, we see that they were quite successful at defeating most of EMET's protections. With all EMET shields up, IE will crash often with any plugins loaded. While patching is fine for known issues, the best way to reduce exposure to the next disclosures is to run with as few plugins as possible (i.e. no plugins at all for 90% of users). You may choose to use Firefox instead, which has made the Flash plugin "click to activate" by default now.