Complete Microsoft EMET Bypass Developed
Posted on 02/25/2014 3:07:57 PM PST by zeugma
We at Bromium Labs regularly do security research on a variety of computer threats and protections. EMET (Enhanced Mitigation Experience Toolkit) is a free download provided by Microsoft to enhance the security of an endpoint PC. EMET helps protect userland (non-kernel) applications.
In particular, EMET adds special protections (for 32-bit processes only) against a relatively new hacker technique known as ROP (return oriented programming). ROP-based exploitation has been rampant in malware to bypass the ASLR+DEP protections. Most of the in-the-wild malware uncovered in the past year used a variant of ROP techniques. EMET adds other useful protections (like forced ASLR and DEP) as well, but many of those are already present in Microsoft's newest operating system, Windows 8.1. Thus, EMET particularly excels for older platforms like Windows XP.
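The forced ASLR and DEP mentioned above only matter for binaries that never opted in to those mitigations themselves; a defender deciding whether a tool like EMET still adds value on a given host can check that opt-in directly from each image's PE header. The following audit is an added example written for this page, not code from Bromium Labs or Microsoft: it reads the `DllCharacteristics` field of the PE optional header (using the documented `IMAGE_DLLCHARACTERISTICS_*` bit values) and reports which images rely on something external to force ASLR or DEP. The sample PE blobs are constructed, headers-only stand-ins for a real file, and the finding text is this example's own wording. It reports an image's opt-in only, not whether the OS or a mitigation tool actually enforces the protection at run time.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits of the PE optional header (winnt.h values).
HIGH_ENTROPY_VA = 0x0020  # 64-bit ASLR may use high-entropy addresses
DYNAMIC_BASE    = 0x0040  # image opted in to ASLR
FORCE_INTEGRITY = 0x0080
NX_COMPAT       = 0x0100  # image opted in to DEP
NO_SEH          = 0x0400
GUARD_CF        = 0x4000

PE32_MAGIC = 0x10B      # 32-bit image
PE32PLUS_MAGIC = 0x20B  # 64-bit image


def audit_pe(data: bytes) -> dict:
    """Read DllCharacteristics from a PE image and report its ASLR/DEP opt-ins."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    # The 20-byte COFF file header follows the signature; the optional header follows it.
    opt_off = e_lfanew + 4 + 20
    (magic,) = struct.unpack_from("<H", data, opt_off)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics is at offset 70 in both the PE32 and PE32+ optional headers.
    (dllchar,) = struct.unpack_from("<H", data, opt_off + 70)
    result = {
        "arch": "PE32" if magic == PE32_MAGIC else "PE32+",
        "dll_characteristics": dllchar,
        "dynamic_base": bool(dllchar & DYNAMIC_BASE),
        "nx_compat": bool(dllchar & NX_COMPAT),
        "high_entropy_va": bool(dllchar & HIGH_ENTROPY_VA),
        "no_seh": bool(dllchar & NO_SEH),
        "guard_cf": bool(dllchar & GUARD_CF),
    }
    # Without the opt-in bits, the image only gets ASLR/DEP if something outside
    # the binary forces them (EMET's forced ASLR/DEP, or an OS-wide policy).
    result["needs_forced_aslr"] = not result["dynamic_base"]
    result["needs_forced_dep"] = not result["nx_compat"]
    return result


def build_test_pe(magic: int, dll_characteristics: int) -> bytes:
    """Construct a minimal, headers-only PE blob (sample input, not a real binary)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 96 if magic == PE32_MAGIC else 112  # optional header without data directories
    machine = 0x014C if magic == PE32_MAGIC else 0x8664
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return dos + b"PE\0\0" + coff + bytes(opt)


def findings(name: str, data: bytes) -> list:
    """Gaps that a mitigation layer outside the binary would have to cover."""
    r = audit_pe(data)
    out = []
    if r["needs_forced_aslr"]:
        out.append("%s: no DYNAMIC_BASE, relies on forced ASLR" % name)
    if r["needs_forced_dep"]:
        out.append("%s: no NX_COMPAT, relies on forced DEP" % name)
    if r["arch"] == "PE32+" and r["dynamic_base"] and not r["high_entropy_va"]:
        out.append("%s: 64-bit ASLR without HIGH_ENTROPY_VA" % name)
    return out


# Constructed samples: an old-style 32-bit binary with no opt-ins, and a
# modern 64-bit one with ASLR, high-entropy addresses and DEP.
SAMPLES = {
    "legacy32.exe": build_test_pe(PE32_MAGIC, 0x0000),
    "modern64.exe": build_test_pe(PE32PLUS_MAGIC, DYNAMIC_BASE | HIGH_ENTROPY_VA | NX_COMPAT),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        for line in findings(name, blob) or ["%s: ASLR and DEP opted in" % name]:
            print(line)
```

To audit a real file, pass `open(path, "rb").read()` to `audit_pe` or `findings`; the parser only touches the DOS, COFF and optional headers, so a truncated copy of the first few hundred bytes is enough. Note that the page says EMET's ROP checks apply to 32-bit processes only, so a `PE32` result is also the case where those checks are in play.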
Since EMET is growing in popularity, it is important to learn about its limitations, so security-conscious users can create a better defense-in-depth strategy. So we decided to investigate EMET's strengths and weaknesses. Bromium Labs' research was focused on further enhancing EMET-like exploit mitigation tools to better protect against future exploitation vectors.
We found that EMET was very good at stopping pre-existing memory corruption attacks (a type of hacker exploit). But we wondered: is it possible for a slightly more technical attacker to bypass the protections offered in EMET? And yes, we found ways to bypass all of the protections in EMET. We provide our full technical whitepaper here: [Bypassing EMET 4.1]. We provided our research to Microsoft before speaking about these problems publicly. We also provided recommendations to upgrade the protections where possible.
The impact of this study shows that technologies that operate on the same plane of execution as potentially malicious code offer little lasting protection. This is true of EMET and other similar userland protections. That's because a defense that is running in the same space as potentially malicious code can typically be bypassed, since there's no higher-ground advantage as there would be from a kernel or hypervisor protection. We hope this study helps the broader community understand the facts when making a decision about which protections to use.
Thank you to so many different people: internal folks at Bromium for much help and support, and external folks like Microsoft for working well with us when we submitted our EMET vulnerabilities to them. They've even offered to recognize us in the next (5.0) release of EMET. Thx!
I trust you'll enjoy reading the full whitepaper detailing our research. Also, if you can, join me at BSidesSF 2014, on February 24 at 10 a.m. PT, to hear about our research live. And if you can't, I've received multiple invites to speak on this matter at other conferences as well, so hopefully I'll see you around this year.
Looks like some folks have completely broken Microsoft's EMET (Enhanced Mitigation Experience Toolkit) product.
This is technical stuff, but the hackers are going to love it.
I am hardening my old XP computer to keep as a backup (stored offline), in case I have to troubleshoot a problem with my new 8.1 laptop. I wouldn't use it online except to go grab what I need for a computer repair, and using all the protective software that I can while doing it.
I downloaded EMET for it and used advice from this site, and other sites.
I don’t know what EMET is but I figure, every little bit helps.