Subsystem can Bypass EMET Security

Wednesday, November 4, 2015 @ 02:11 PM gHale

A Windows subsystem used to support 32-bit applications on 64-bit architectures can be used to bypass Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) security measures.

WoW64, or “Windows 32-bit on Windows 64-bit,” is a subsystem in recent versions of the Windows operating system that allows 64-bit versions of Windows to run applications built for 32-bit processors. WoW64 plays a crucial part in the Windows OS, working as a legacy layer that allows older tools to run on more modern hardware and software.


EMET is a collection of security measures packed into one single tool, which Microsoft uses to mitigate and protect Windows computers from vulnerabilities found in third-party applications.

In previous years, security researchers have shown various other exploit mitigation tools and antivirus solutions lose their effectiveness when running on the WoW64 subsystem.

Security researchers from Duo Labs found the same is now true for Microsoft’s EMET, which, unlike in the previous studies, can be bypassed with a single line of code.

As Duo Labs researchers explain, the problem lies in the fact that EMET focuses on inspecting 32- and 64-bit processes; what it does not cover as efficiently is WoW64 processes.

This opens the door for more targeted attacks, where malware can specifically search for WoW64 processes, bypass EMET, and then leverage known vulnerabilities in older 32-bit software.

Duo Labs researchers said EMET is not at fault here; Microsoft’s OS design choices, which contradict themselves, are. On one hand, the company keeps adding top-of-the-line security measures to its OS; on the other, it undermines all of them by allowing legacy software to continue running on the system.

The researchers’ recommendation is for users to use 64-bit software whenever possible, and for Microsoft to continue developing EMET, ideally adding support for WoW64 processes.
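To act on that recommendation, an administrator first needs to know which processes on a 64-bit host actually run under WoW64 and therefore sit in the gap the researchers describe. The script below is an added example, not code from the article or from Duo Labs: it inventories running processes by architecture using the documented Win32 call kernel32!IsWow64Process through PowerShell P/Invoke. It assumes PowerShell 5.1 or later on 64-bit Windows; processes the current account cannot open (System, csrss and the like) are skipped rather than reported.

```powershell
# Added example (not from the article or from Duo Labs): list which processes on
# this 64-bit Windows host run under WoW64, i.e. 32-bit applications that the
# Duo Labs finding says EMET does not cover as well as native 32/64-bit processes.
# Assumes PowerShell 5.1+ on 64-bit Windows. IsWow64Process is a documented
# kernel32 API; the Add-Type wrapper name 'Win32Native.Kernel32' is our own choice.

$signature = @'
[DllImport("kernel32.dll", SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool IsWow64Process(IntPtr hProcess, out bool wow64Process);
'@
$kernel32 = Add-Type -MemberDefinition $signature -Name 'Kernel32' -Namespace 'Win32Native' -PassThru

if (-not [Environment]::Is64BitOperatingSystem) {
    Write-Warning 'This host is not 64-bit; the WoW64 layer does not apply here.'
    return
}

$report = foreach ($proc in Get-Process) {
    $isWow64 = $false
    try {
        # Process.Handle needs query access; protected/system processes throw here.
        $handle = $proc.Handle
        if ($handle -eq [IntPtr]::Zero) { continue }
        # IsWow64Process returns FALSE (and sets last error) if the query itself fails.
        if (-not $kernel32::IsWow64Process($handle, [ref]$isWow64)) { continue }
    } catch {
        # Access denied: not something this inventory can classify, so skip it.
        continue
    }
    $path = $null
    try { $path = $proc.Path } catch { }   # image path is optional context only
    [PSCustomObject]@{
        Name = $proc.ProcessName
        PID  = $proc.Id
        Arch = if ($isWow64) { 'x86 (WoW64)' } else { 'x64' }
        Path = $path
    }
}

# WoW64 processes first: these are the candidates for replacement by 64-bit builds.
$report | Sort-Object Arch -Descending | Format-Table -AutoSize

$wow64Count = @($report | Where-Object Arch -like 'x86*').Count
"{0} of {1} accessible processes run under WoW64." -f $wow64Count, @($report).Count
```

Run it from an elevated session to cover more processes; the x86 rows are the applications to check with their vendors for a 64-bit build, which is the article's first recommendation, and the ones to keep in mind when judging how much protection EMET actually provides on a given host.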

“Moving forward, we urge more researchers to treat WoW64 as a unique architecture when considering an application’s threat model,” say Duo Labs researchers. “Under optimal conditions, EMET continues to raise the bar for exploitation. As such, it is still an important part of a defense-in-depth strategy.”
