Researchers Beat Microsoft’s EMET

Tuesday, October 7, 2014 @ 09:10 PM gHale


For a second time Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) ended up bypassed.

Offensive Security researchers, which infiltrated EMET’s Version 4, examined the advanced security techniques employed in Microsoft’s EMET Version 5.

RELATED STORIES
Oil & Gas Firm Attacked
Middle East Petrochem Firms Targeted
APT: In Action for Six Years
IoT Devices Vulnerable to Attacks: Report

In an unattributed blog post, the researchers said the latest release of the tool introduced new features that voided their previous attack vectors against version 4.

” … we were curious to see how difficult it would be to adapt our previous disarming technique to this new version of EMET,” the researchers said in a blog post. “As we managed to successfully demonstrate, the difficulty in disarming EMET 5 mitigations has not increased substantially since version 4.x.

“More than anything, only our ROP (Return-Oriented Programming) chain has increased in size, while achieving the same effect of bypassing the protections offered by EMET.”

The hackers targeted 32-bit Windows systems including Windows 7 and 2008 running service pack one, Windows 8 and 8.1, service pack three and Windows 2003 service pack two.

The Internet Explorer 8 ColspanID vulnerability (MS12-037) for consistency which they used previously to disarm new ROP mitigations in EMET version 4 by targeting a global variable in the .data section located at a static offset.

Microsoft’s EMET aims to increase the complexity — and therefore the cost — of attacking Windows platforms by introducing defense technologies such as Address Space Layer Randomization and Data Execution Prevention.

In February, Microsoft released version 5 which introduced Attack Surface Reduction to help corporate security apply usage policies or block Java, Flash Player and third-party browser plug-ins. It also sported an improved Export Address Table Filtering and deep hooks mitigation by default.



Leave a Reply

You must be logged in to post a comment.