Menu
Attackers can turn Microsoft's exploit defense tool EMET against itself

Attackers can turn Microsoft's exploit defense tool EMET against itself

Exploits can trigger a specific function in EMET that disables all protections it enforces for other applications

Hackers can easily disable the Microsoft Enhanced Mitigation Experience Toolkit (EMET), a free tool used by companies to strengthen their Windows computers and applications against publicly known and unknown software exploits.

Researchers from security vendor FireEye have found a method through which exploits can unload EMET-enforced protections by leveraging a legitimate function in the tool itself.

Microsoft patched the issue in EMET 5.5, which was released on Feb. 2. However, it's likely that many users haven't upgraded yet, because the new version mainly adds compatibility with Windows 10 and doesn't bring any new significant mitigations.

First released in 2009, EMET can enforce modern exploit mitigation mechanisms like Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR) or Export Address Table Access Filtering (EAF) to applications, especially legacy ones, that were built without them. This makes it much harder for attackers to exploit vulnerabilities in those applications in order to compromise computers.

Security researchers have found various ways to bypass particular EMET-enforced mitigations over the years, but they were primarily the result of design and implementation errors, like some modules or APIs being left unprotected. Methods to disable EMET protections completely have also been reported in the past, but they were not always straight-forward and required significant effort.

The FireEye researchers believe that their new technique, which essentially uses EMET against itself, is more reliable and easier to use than any previously published bypasses. Furthermore, it works against all supported versions of EMET -- 5.0, 5.1 and 5.2 -- with the exception of EMET 5.5, and also on versions that are no longer supported, like 4.1.

EMET injects some DLLs (Dynamic Link Libraries) into third-party application processes that it's configured to protect. This allows it to monitor calls from those processes to critical system APIs and to determine if they are legitimate or the result of an exploit.

However, the tool also contains code that is responsible for unloading mitigations in a clean way, returning the protected processes to their initial state without causing malfunctions or crashes. It's this feature that the FireEye researchers have figured out how to trigger from an exploit.

"One simply needs to locate and call this function to completely disable EMET," they said in a blog post Tuesday. "In EMET.dll v5.2.0.1, this function is located at offset 0x65813. Jumping to this function results in subsequent calls, which remove EMET's installed hooks."

This is a significant new attack vector that's easier to use than bypassing each of EMET's individual protections as they were designed, they said.

Since this technique is now public, EMET users should consider upgrading to version 5.5 as soon as possible to avoid future attacks that might adopt it. In addition to Windows 10 compatibility, this new EMET version improves the configuration and management of protections through Group Policy and improves the performance for the EAF and EAF+ mitigations.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Featured

Slideshows

The making of an MSSP: a blueprint for growth in NZ

The making of an MSSP: a blueprint for growth in NZ

Partners are actively building out security practices and services to match, yet remain challenged by a lack of guidance in the market. This exclusive Reseller News Roundtable - in association with Sophos - assessed the making of an MSSP, outlining the blueprint for growth and how partners can differentiate in New Zealand.

The making of an MSSP: a blueprint for growth in NZ
Reseller News Platinum Club celebrates leading partners in 2018

Reseller News Platinum Club celebrates leading partners in 2018

The leading players of the New Zealand channel came together to celebrate a year of achievement at the inaugural Reseller News Platinum Club lunch in Auckland. Following the Reseller News Innovation Awards, Platinum Club provides a platform to showcase the top performing partners and start-ups of the past 12 months, with more than ​​50 organisations in the spotlight.​​​

Reseller News Platinum Club celebrates leading partners in 2018
Meet the top performing HP partners in NZ

Meet the top performing HP partners in NZ

HP has honoured its leading partners in New Zealand during 2018, following 12 months of growth through the local channel. Unveiled during the fourth running of the ceremony in Auckland, the awards recognise and celebrate excellence, growth, consistency and engagement of standout Kiwi partners.

Meet the top performing HP partners in NZ
Show Comments