Free Republic
Browse · Search
Topics · Post Article

Skip to comments.

Complete Microsoft EMET Bypass Developed
BR Labs ^ | February 24, 2014 | Jared DeMott

Posted on 02/25/2014 3:07:57 PM PST by zeugma

Bypassing EMET 4.1


We at Bromium Labs regularly do security research on a variety of computer threats and protections.  EMET (Enhanced Mitigation Experience Toolkit) is a free download provided by Microsoft to enhance the security of an endpoint PC.  EMET helps protects userland (non-kernel) applications.

In particular, EMET adds special protections (for 32bit processes only) against a relatively new hacker technique known as ROP (return oriented programming).  ROP based exploitation has been rampant in malware to bypass the ALSR+DEP protections. Most of the in-the-wild malware uncovered in the past year used a variant of ROP techniques.  EMET adds other useful protections (like force ASLR and DEP) as well, but many of those are already present in their newest Operating system, Windows 8.1.  And thus, EMET particularly excels for older platforms like Windows XP.

Since EMET is growing in popularity, it is important to learn about its limitations, so security conscious users can create a better defense in depth strategy.  So we decided to investigate EMET’s strengths and weaknesses.  Bromium Labs research was focused on further enhancing EMET-like exploit mitigation tools to better protect against future exploitation vectors.

How Robust Are These Protections?

How Robust are these Protections?


We found that EMET was very good at stopping pre-existing memory corruption attacks (a type of hacker exploit).  But we wondered: is it possible for a slightly more technical attacker to bypass the protections offered in EMET?  And yes, we found ways to bypass all of the protections in EMET.  We provide our full technical whitepaper here: [Bypassing EMET 4.1].  We provided our research to Microsoft before speaking about these problems publically.  We also provided recommendations to upgrade the protections where possible.


The impact of this study shows that technologies that operate on the same plane of execution as potentially malicious code offer little lasting protection. This is true of EMET and other similar userland protections. That’s because a defense that is running in the same space as potentially malicious code can typically be bypassed, since there’s no “higher” ground advantage as there would be from a kernel or hypervisor protection. We hope this study helps the broader community understand the facts when making a decision about which protections to use.


Thank you to so many different people:  Internal folks at Bromium for much help and support.  External folks like Microsoft for working well with us when we submitted our EMET vulnerabilities to them.  They’ve even offered to recognize us in the next (5.0) release of EMET.  Thx!

I trust you’ll enjoy reading the full whitepaper detailing our research. Also, if you can, join me at BSidesSF 2014, on February 24 at 10 a.m. PT, to hear about our research live.  And if you can’t, I’ve received multiple invites to speak on this matter at other conferences as well, so hopefully I’ll see you around this year.


TOPICS: Business/Economy; Crime/Corruption; News/Current Events
KEYWORDS: microsoft; virusmagnet
Saw a link to this on Slashdot today.

Looks like some folks have completely broken Microsoft's EMET (Enhanced Mitigation Experience Toolkit) product.

This is technical stuff, but the hackers are going to love it.

1 posted on 02/25/2014 3:07:58 PM PST by zeugma
[ Post Reply | Private Reply | View Replies]

To: zeugma

I am hardening my old XP computer to keep as a back up (stored off-line), in case I have to trouble shoot a problem with my new 8.1 laptop. I wouldn’t use it online except to go to grab what I need for a computer repair, and using all the protective software that I can, while doing it.

I downloaded EMET for it and used advice from this site, and other sites.

I don’t know what EMET is but I figure, every little bit helps.

2 posted on 02/25/2014 3:34:42 PM PST by ansel12 (Ben Bradlee -- JFK told me that "he was all for people's solving their problems by abortion".)
[ Post Reply | Private Reply | To 1 | View Replies]

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

Free Republic
Browse · Search
Topics · Post Article

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794 is powered by software copyright 2000-2008 John Robinson