bit-tech.net

Microsoft's EMET security tool bypassed

Microsoft's Enhanced Mitigation Experience Toolkit (EMET) has been bypassed by security researchers, who were able to quickly work around the protections it offers to Windows users.

Security researchers have broken through Microsoft's Enhanced Mitigation Experience Toolkit (EMET) security software, rendering the protections it offers moot in a move which will likely concern those who have not yet upgraded from previous generations of Windows.

Microsoft's EMET tool is often recommended as a means of preventing as-yet unpatched vulnerabilities from entirely taking over a system - as with the company's recent Internet Explorer zero-day, which can be protected against by installing the add-on. It offers particular protection on older Windows releases, adding certain security features - such as the enforcement of address randomisation and protections against return-oriented programming for 32-bit processes - which are otherwise only available to users on the latest Windows 8.1 release.

Unfortunately, security researcher Jared DeMott of Bromium Labs claims to have discovered a means of bypassing EMET entirely. 'We found that EMET was very good at stopping pre-existing memory corruption attacks (a type of hacker exploit),' DeMott explained in his announcement this week. 'But we wondered: is it possible for a slightly more technical attacker to bypass the protections offered in EMET? And yes, we found ways to bypass all of the protections in EMET. We provide our full technical whitepaper here.'

Practising responsible disclosure, Bromium provided details of the exploits to Microsoft before going public and provided tips on how to improve the software. The underlying flaws, however, remain: 'The impact of this study shows that technologies that operate on the same plane of execution as potentially malicious code offer little lasting protection. This is true of EMET and other similar userland protections. That’s because a defense that is running in the same space as potentially malicious code can typically be bypassed, since there’s no “higher” ground advantage as there would be from a kernel or hypervisor protection.'
