Possible to Disable EMET 4.1

Tuesday, July 8, 2014 @ 05:07 PM gHale


Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) can be deactivated and bypassed, researchers said.

The exploit targets the latest standard, updated version 4.1 of EMET, which is designed to make attacks more complex and expensive through the use of Address Space Layout Randomization and Data Execution Prevention.

Researchers at Offensive Security published exploit code online that targets EMET protections, which Microsoft increasingly touts as a means to mitigate new vulnerabilities in lieu of patches. Attacks using the method have yet to emerge.

“What this shows is that while EMET is definitely a good utility and raises the bar for exploit developers, it is not a silver bullet in stopping these types of attacks,” the researchers wrote in an unsigned blog post.

“Since bypassing EMET mitigations has been thoroughly discussed in Bypassing EMET 4.1 (PDF), we wanted to take a different approach. Instead of bypassing the mitigations introduced by EMET, we focused more on finding a way to disarm EMET,” the researchers said.

An EMET disarm was more beneficial to exploit writers than a bypass because it allowed the use of generic shellcode like that used in the Metasploit tool suite. It also meant protections would be disabled all at once rather than one at a time during exploit development.

Microsoft may be aware of the disarm technique, as it appeared to have fixed it in the EMET version 5 technical preview.

The researchers were working on disarming version 5 and would reveal details at Black Hat Las Vegas next month.

The exploit followed a series of research notes describing EMET bypass methods which worked under various conditions.

Users should consider updating to version 5.


