EMET (Enhanced Mitigation Experience Toolkit)

Discussion in 'other anti-malware software' started by luciddream, Apr 1, 2013.

  1. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Flash Player needs to be added manually since EMET doesn't allow wildcards in the file name yet. You don't need to disable EMET protection when updating any of the programs that are protected by EMET.

    There is a great script and program within this thread for adding EMET protection to updated versions of Flash.
    See here: https://www.wilderssecurity.com/thre...xperience-toolkit.344631/page-40#post-2456225
     
  2. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I've had to disable so many different mitigations from EMET in the past that I don't trust it when updating applications under EMET's protection. It could cause some serious headaches if it blocked an application in the middle of updating, like Java. I will take your word for it though. If I encounter any problems when updating an application I will report back. I'm not sure how long I will be running EMET 5.2. I'm just testing it for now.
     
  3. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I have these executables for Flash Player in the System32 and SysWOW64 folders. Which ones need to be added to add protection to Flash Player for Firefox?
     

  4. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I only worry about FlashPlayerPlugin_17_0_0_134.exe, however some users add the rest of those executables there as well. Also, ensure that plugin-container.exe is protected as well, which will already be done if you've imported the Popular Software profile.
     
  5. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I didn't import the Popular Software profile. I'm not sure if I would want to. Is there a lot of software on it that is not on the default list?
     
  6. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I just added the Flash Player plugin from System32 and SysWOW64. I also added the Firefox plugin-container. Thank you for your help!
     
  7. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,859
    Location:
    the Netherlands
    Yes.
    You can have a look at the profile's contents by opening it in Notepad.
    In Windows Explorer, navigate to the EMET Protection Profiles folder in Program Files,
    C:\Program Files (x86)\EMET 5.2\Deployment\Protection Profiles\
    and open both Recommended Software.xml and Popular Software.xml in Notepad.
    Now you can have a look at their contents and compare.
     
  8. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Thank you! I will do that.
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I run the stand-alone version of Flash Player. Just did a test in 5.2 to see if Flash's ActiveX.dll is ASR compatible. It is not; it totally locked up IE10.
     
  10. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,859
    Location:
    the Netherlands
    Do you mean you added FlashUtil32*ActiveX.dll to ASR modules?
    By default it is not in ASR modules. Looks like that's for a reason.
     
  11. guest

    guest Guest

    AFAIK flash*.ocx was part of the ASR ruleset in EMET 5 TP1, but last time I checked 5.1 it was not present in the default ruleset.
     
  12. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,859
    Location:
    the Netherlands
    Ah, you suppose itman meant flash*.ocx.
    Yes, flash*.ocx is the Flash ActiveX Control, but that is not the same as the Flash ActiveX.dll, as itman mentioned.

    And yes, flash*.ocx was in EMET 5.0 TP ASR modules, but not in EMET 5.0 final, nor in 5.1 and 5.2.
    If I am not mistaken, flash*.ocx was only in EMET 5.0 TP ASR for testing purposes, for blocking Flash.
    If anyone wants to be able to use Flash Player in IE, flash*.ocx should not be in ASR modules.
     
  13. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    First, flash*.ocx is protected under EAF+ rules for IE. It runs under IE.

    Again, the stand-alone version of Flash Player uses FlashUtil32_xx_x_x_xxx_ActiveX.dll or FlashUtil64_xx_x_x_xxx_ActiveX.dll. I tried to add those as an ASR module for either FlashUtil32_xx_x_x_xxx_ActiveX.exe or FlashUtil64_xx_x_x_xxx_ActiveX.exe, which are the stand-alone version executables I added to EMET.
     
  14. guest

    guest Guest

    You can also just remove Flash Player or disable it permanently in your browser.
     
  15. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
    Could anyone with 5.2 and Firefox check if xul.dll in EAF+ modules still causes a very slow Firefox startup? I see this is still enabled by default in the Popular Software Profile.
     
  16. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Flash Player runs great under EMET 5.2. As I said originally, I was running a test to see if the stand-alone version of the Flash .dlls were compatible with ASR. They are not.
     
  17. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,859
    Location:
    the Netherlands
    Thanks, itman,
    Yes, those FlashUtil**ActiveX.dll were what I meant.
    Although I should have mentioned both FlashUtil32*ActiveX.dll and FlashUtil64*ActiveX.dll.
    And from your post I didn't understand you added those to FlashUtil**ActiveX.exe that you added to EMET. I thought you were talking about adding FlashUtil**ActiveX.dll to the iexplore ASR module.

    I don't know if IE10 locking up is expected behavior of adding FlashUtil32*ActiveX.dll and FlashUtil64*ActiveX.dll to FlashUtil**ActiveX.exe ASR modules, or if this is a bug.
     
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Forgive me, folks! Doing too many computer things today and didn't have my head screwed on straight on this one.

    Here is what I finally did. Added FlashUtil32*.dll for EAF+ for the FlashUtil32_17_0_0_134_ActiveX.exe EMET rule. Added FlashUtil64*.dll for EAF+ for the FlashUtil64_17_0_0_134_ActiveX.exe EMET rule. This is similar to EMET protection for Adobe Reader, for example.

    Flash Player is now running fine with those settings.
     
    Last edited: Mar 14, 2015
  19. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    No Firefox startup slowdowns anymore here with xul.dll in EAF+. I remember having to disable that previously or remove xul.dll from it. But it's all good now. Chrome is behaving better in that regard as well.
     
  20. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Relating to adding the Firefox plug-in .exe's, I'm not so sure about that one. "Paranoid" wrote about it way back in his EMET 2.0 article here: http://www.rationallyparanoid.com/articles/microsoft-emet-2.html . Below is a relevant excerpt from the article. Now the plug-in container might be exploitable, but that is already included in the EMET Popular Software rules.

    When Flash is installed within Firefox versions 3.6.4 and above, Flash will be offloaded to plugin-container.

    This can be seen below. In this example both Internet Explorer and Firefox have Adobe Flash installed and are both visiting the Flash test page at http://www.adobe.com/software/flash/about. For Internet Explorer, accessing Flash content will cause Flash10k.ocx to appear within the iexplore.exe process, and for Firefox doing the same will cause plugin-container.exe to appear with Adobe Flash library NPSWF32.dll within it. No Flash*.exe processes appear anywhere.

    http://www.rationallyparanoid.com/articles/images/microsoft-emet-2/07.png

    -Edit-

    When you run the add-on version of Flash Player under IE, the respective FlashUtil*_ActiveX.exe is spawned as a DCOM process running under svchost.exe with zip Internet connectivity, so again there is no need to include those .exe's in EMET.
     
    Last edited: Mar 15, 2015
  21. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    This is how Flash Player currently runs under Firefox.

    flash.png

    The Flash executables are running under the plugin-container.exe process, but I suppose the worry would be if the plugin-container.exe process were vulnerable/exploitable in some way that allows access to the Flash process. Although, of course, one of those Flash processes brokers the Low integrity Flash process, which should in theory give it even more protection. I think the conclusion for some folks is that, since protecting those Flash executables further with EMET is not causing any adverse effects, why not. At least that is my take on it.
     
  22. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
    Lol, Firefox mixed content protection prevents EMET from being downloaded from Microsoft's site because the download goes over HTTP.

    I installed 5.2 on top of 5.1 and told it to use previous settings. I rebooted to be sure and found that emet.dll wasn't being injected in protected processes. I tried to find a conflict with other security software, but I couldn't find anything. Turns out all my application rules were deleted during the upgrade :eek: So be sure to export your current rules before upgrading.

    Yes, but that was quite a few years ago. A year after this article was written, Adobe and Mozilla introduced Flash Player Protected Mode for Firefox, since then Flash content doesn't run inside plugin-container.exe anymore, but in FlashPlayerPlugin_*.exe:
    https://blogs.adobe.com/security/2012/06/inside-flash-player-protected-mode-for-firefox.html

    Hmm, here it is still a lot slower with xul.dll, even though it is about 2-3 times faster than with EMET 5.1.
     
  23. Paranoya

    Paranoya Registered Member

    Joined:
    Nov 4, 2013
    Posts:
    59
    Strange! I still have slow Firefox startups. Not as slow as with EMET 5.1 but still slow. If I remove xul.dll from EAF+ then FF starts "normally".
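    Added example, not code from this thread or from EMET: a small Python script that does what the posts above describe by hand, parsing two protection profiles to list what Popular Software protects beyond Recommended Software and which apps carry xul.dll in their EAF+ module list, then writing a copy with that module removed. The XML layout (AppConfig and Mitigation elements with a semicolon-separated module list) and the two sample profiles are assumptions, since the thread does not show the files' contents.

```python
# Parse EMET 5 protection profiles to compare them and to drop a module from EAF+.
# Assumed layout (not shown on the page): <AppConfig Path= Executable=> elements with
# <Mitigation Name= Enabled=> children; the EAF+ module list is the semicolon-separated
# text of the child element inside the "EAF+" mitigation. Samples below are constructed.
import xml.etree.ElementTree as ET
RECOMMENDED = """<EMET Version="5.2"><EMET_Apps>
 <AppConfig Path="*\\Internet Explorer" Executable="iexplore.exe">
  <Mitigation Name="DEP" Enabled="true"/>
  <Mitigation Name="EAF+" Enabled="true"><eafplus_modules>mshtml.dll;flash*.ocx</eafplus_modules></Mitigation>
 </AppConfig></EMET_Apps></EMET>"""
POPULAR = """<EMET Version="5.2"><EMET_Apps>
 <AppConfig Path="*\\Internet Explorer" Executable="iexplore.exe">
  <Mitigation Name="EAF+" Enabled="true"><eafplus_modules>mshtml.dll;flash*.ocx</eafplus_modules></Mitigation>
 </AppConfig>
 <AppConfig Path="*\\Mozilla Firefox" Executable="firefox.exe">
  <Mitigation Name="EAF+" Enabled="true"><eafplus_modules>mozjs.dll;xul.dll</eafplus_modules></Mitigation>
 </AppConfig></EMET_Apps></EMET>"""

def load_apps(xml_text):  # map (Path, Executable) -> AppConfig element
    root = ET.fromstring(xml_text)
    return {(a.get("Path", ""), a.get("Executable", "")): a for a in root.iter("AppConfig")}

def _module_nodes(app):  # text nodes holding an enabled EAF+ module list
    for mit in app.findall("Mitigation"):
        if mit.get("Name") == "EAF+" and mit.get("Enabled") == "true":
            for child in mit:
                if child.text and child.text.strip():
                    yield child

def eafplus_modules(app):
    return [m.strip() for n in _module_nodes(app) for m in n.text.split(";") if m.strip()]

def extra_in_popular(rec_xml, pop_xml):
    """Executables the Popular profile protects that Recommended does not."""
    return sorted(exe for (_, exe) in set(load_apps(pop_xml)) - set(load_apps(rec_xml)))

def apps_with_eafplus_module(xml_text, module):
    """Executables whose EAF+ list names the module (e.g. the slow-start xul.dll)."""
    return sorted(exe for (_, exe), app in load_apps(xml_text).items()
                  if module.lower() in (m.lower() for m in eafplus_modules(app)))

def strip_eafplus_module(xml_text, module):  # -> (new_xml, number of lists changed)
    root, count = ET.fromstring(xml_text), 0
    for app in root.iter("AppConfig"):
        for node in _module_nodes(app):
            mods = [m.strip() for m in node.text.split(";") if m.strip()]
            kept = [m for m in mods if m.lower() != module.lower()]
            if len(kept) != len(mods):
                node.text, count = ";".join(kept), count + 1
    return ET.tostring(root, encoding="unicode"), count
```

    To use it on a real installation, read the two files from the Protection Profiles folder named earlier in the thread instead of the embedded samples, and import the rewritten XML back into EMET rather than editing the shipped profile in place.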
     
  24. Paranoya

    Paranoya Registered Member

    Joined:
    Nov 4, 2013
    Posts:
    59
    Same here. But I think a better approach is to import the Popular Software list in case it has been modified to solve any program incompatibilities in this new EMET version. Hopefully more mitigations are enabled for the programs in this list.

    Instead of exporting/importing old rules you could create a batch file where you add (or modify) rules after a new import of the Popular Software list. I posted an example of how to do this with the emet_conf utility. I run this specific example after installing a new Flash Player version, to add FlashPlayerPlugin*.exe to EMET.
     
  25. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    +1 (8.1)

    I agree
     