EMET and Adobe Flash Player Issue

Discussion in 'other anti-malware software' started by itman, Jun 13, 2014.

Thread Status:
Not open for further replies.
  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    WIN 7 x64 SP1, IE10, Adobe Flash Player ver. 14 - stand alone version, EMET 4.1 Update 1.

    This incident happened to me when I installed the stand-alone update for version 13 and again for version 14. What I have observed is that after installing these latest releases of Flash Player and adding the respective 32 and 64 bit .exes to EMET, they are not running under EMET when the .exe's load into memory. I have to go through this gyration where I have to remove all Flash references from EMET; uninstall Flash Player and then reinstall it; and finally again add the respective Flash Player .exe's to EMET. Then both Flash .exe's are protected under EMET.

    Wonder if anyone else has run into this? Appears to have started with release 13 of Adobe Flash.
     
  2. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    I'm in the habit of uninstalling the old version of Flash Player before installing the new version. Before I install the new version I open EMET and go to Apps and remove Flash Player. Keeping EMET open I install the new ActiveX and Plugin versions then re-add them to EMET's protection.

    It is a bit of a PITA but doesn't take long.
     
  3. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    This is not a bug. I do similar to what Krusty13 does every time I manually install Flash.
     
  4. ky331

    ky331 Registered Member

    Joined:
    Jun 25, 2008
    Posts:
    158
    I'm wondering which .exe files for Flash you're referring to:

    FlashUtil(version#)_Plugin.exe and FlashUtil(version#)_ActiveX.exe are the UNinstallers for the plugin/ActiveX versions respectively. And FlashPlayerUpdateService.exe is obvious. If these are what you're including in EMET, it's NOT Flash itself.

    The actual Flash modules are Flash(version#).ocx [ActiveX] and NPSWF(version#).dll [Plugin]... and I don't believe that EMET can protect either of these.
     
  5. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    For current Flash: FlashPlayerPlugin_14_0_0_125.exe
     
  6. ky331

    ky331 Registered Member

    Joined:
    Jun 25, 2008
    Posts:
    158
    Interesting... I don't have that file on my XP (Pro SP3) System...
    I think I might have it on my Win7... will have to check there later.
     
  7. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From How to disable FlashPlayerPlugin process:
     
  8. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    Not here either on XP-pro-SP3. Still 13.0.0.214.
    I enabled their scheduled updater two days ago. Every hour they go out to akamai and come back empty handed.
    Normally after 2-3 days I give up and just download those 2:
    ** Flash Player direct download links removed**
    These are clean installers, no chrome, McAfee, nothing.
    I just got them, scanned at virustotal and will install tomorrow if their, usually flawed, update service doesn't.
     
  9. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From Inside Flash Player Protected Mode for Firefox:
     
  10. ky331

    ky331 Registered Member

    Joined:
    Jun 25, 2008
    Posts:
    158
    Thanks, MrBrian. I *DO* have that file on my Win7 (Pro SP1) system. So can you clarify: does that process work together with, or independent of, NPSWF(version#).dll, which used to be the sole/standard mechanism for Flash in plugin-based browsers (FF, PaleMoon, Opera, etc.)? I see I still have the .dll file as well.
     
  11. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
  12. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    You're welcome :).

    They work together (tested with Process Explorer).
     
  13. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,278
    Location:
    New England
    Just so folks understand... The links in the thread act8192 referenced above, just like the one MrBrian posted in this thread, are fine. They are to HTML pages at the Adobe site. The links that we must remove, (per Adobe Legal Dept complaint), are any direct download links to their EXE installer/uninstaller files. It's just the way it is, I'm afraid.
     
  14. ky331

    ky331 Registered Member

    Joined:
    Jun 25, 2008
    Posts:
    158
    Last edited: Jun 15, 2014
  15. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    The files IE10 uses in the stand-alone version of Flash Player are:

    64bit - located in System32/Macromed/Flash directory - FlashUtil64_14_0_125_ActiveX.exe
    32bit - located in SysWow64/Macromed/Flash directory - FlashUtil32_14_0_125_ActiveX.exe

    I have defined both of these files in EMET with all mitigations enabled without issue.
     
  16. ky331

    ky331 Registered Member

    Joined:
    Jun 25, 2008
    Posts:
    158
    itman,

    As I mentioned in post #4 above, the FlashUTIL*.exe files you've cited are (to my understanding) the UNinstallers, and NOT the actual Flash runtime module. If I am correct, you would simply be using EMET to protect the process of uninstalling Flash... but not protecting the actual running of Flash within IE.
     
  17. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,867
    Location:
    Outer space
    It's logical that you have to add the new files to EMET every time, because the filenames are always different.

    Those processes always run when IE is using Flash, so it looks like they're more than just uninstallers.
     
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Yes, it is a given the files have to be added to EMET with the new file names for the reason you stated. I also remove the old names from EMET.

    However, my original posting was that this alone is not enough to have EMET recognize the files upon execution after a Flash Player update. As I found out and others have confirmed in this posting, it appears all traces of the old version of Flash Player have to be removed/uninstalled, the new version of Flash Player installed, and the new versions of the .exe files added to EMET, preferably with a reboot after each of the previous steps.
     
  19. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,867
    Location:
    Outer space
    Strange, I installed the latest Flash Player without uninstalling/removing the old version at all. EMET reports the Flash processes are running under EMET protection, and I see that the processes are using EMET.dll.
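    The check BoerenkoolMetWorst describes (confirming that EMET's injected module is actually present in the running Flash processes) can be scripted instead of done by hand in Process Explorer. The following PowerShell is an added example written for this thread, not code from any poster or from Microsoft; it also lists the versioned Flash executables in the directories itman gave in post #15, since the file names change with every release (post #17) and a stale EMET entry silently protects nothing. It assumes EMET injects a module named EMET.dll into 32-bit processes and EMET64.dll into 64-bit ones, and that the Flash files live under the Macromed\Flash directories named in the thread.

```powershell
# Added example for this thread (not from the original posts).
# 1) List the Flash Player executables currently on disk, so the EMET app
#    entries can be compared against the real, versioned file names.
# 2) For every running Flash* process, check whether EMET's injected DLL is
#    loaded. A Flash process without it is NOT under EMET protection, whatever
#    the EMET app list says.

# Directories named by itman in post #15 (64-bit ActiveX under System32,
# 32-bit ActiveX under SysWOW64).
$flashDirs = @(
    (Join-Path $env:SystemRoot 'System32\Macromed\Flash'),
    (Join-Path $env:SystemRoot 'SysWOW64\Macromed\Flash')
)

# File-name patterns discussed in the thread; the version number is part of
# the name, hence the wildcards.
$patterns = @('FlashUtil*_ActiveX.exe', 'FlashPlayerPlugin_*.exe', 'FlashPlayerUpdateService.exe')

Write-Host '== Flash Player executables on disk =='
foreach ($dir in $flashDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    foreach ($pattern in $patterns) {
        Get-ChildItem -Path (Join-Path $dir $pattern) -ErrorAction SilentlyContinue |
            ForEach-Object { Write-Host ("  {0}" -f $_.FullName) }
    }
}

# Assumption: EMET's in-process module is EMET.dll (32-bit) or EMET64.dll (64-bit).
$emetModulePattern = '^EMET(64)?\.dll$'

Write-Host '== Running Flash processes and EMET module status =='
Get-Process | Where-Object { $_.ProcessName -like 'Flash*' } | ForEach-Object {
    $proc = $_
    $emetLoaded = $false
    $note = ''
    try {
        # .Modules enumerates the DLLs mapped into the process.
        $hit = $proc.Modules | Where-Object { $_.ModuleName -match $emetModulePattern }
        $emetLoaded = [bool]$hit
    } catch {
        # Typical causes: not running elevated, or a 32-bit PowerShell host
        # trying to read the modules of a 64-bit process.
        $note = 'could not enumerate modules (run elevated, matching bitness)'
    }
    [PSCustomObject]@{
        PID        = $proc.Id
        Name       = $proc.ProcessName
        Path       = $proc.Path
        EmetLoaded = $emetLoaded
        Note       = $note
    }
} | Format-Table -AutoSize
```

    Run it from an elevated PowerShell prompt of the same bitness as the processes you want to inspect; otherwise module enumeration fails and the Note column says so rather than reporting a false "not protected". Run it once with Flash idle and once while a Flash-using page is open, since post #20 describes a case where the Flash executable started late (after ActiveX filtering was turned off) and was not picked up by EMET.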
     
  20. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    There also is another quirk with EMET I have observed in regards to the stand alone version of Flash Player and IE10. If you have ActiveX filtering enabled in IE, the stand alone .exe Flash Player file does not load into memory at the same time that IE does. If you want to view video content and then decide to turn off ActiveX filtering, the Flash Player .exe is not protected by EMET when it loads into memory.

    It is possible that in the above scenario when Flash Player starts execution after IE is started, IE is actually using the Flash Player add-on alone and controlling the execution of the respective .dll, .ocx, etc. Flash Player files. When Flash Player starts when IE starts, the stand alone Flash Player .exe actually controls the respective .dll, .ocx, etc. Flash Player files. It also appears to me, that EMET might have an issue with spawned processes which is what the stand alone .exe of Flash Player is in this instance?
     
  21. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    And you are running EMET 4.1 Update 1? I know I did not have this issue when running EMET 4.0.
     
  22. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,867
    Location:
    Outer space
    EMET 5.0 TP.
     