New attack completely bypasses Microsoft EMET

Researchers have developed attack code that completely bypasses Microsoft's free exploit-mitigation software for Windows, an impressive feat that suggests criminal hackers are able to do the same thing when exploiting vulnerabilities that allow them to surreptitiously install malware.

The exploit code, which was developed by researchers from security firm Bromium Labs, bypasses each of the many protections included in the freely available EMET, short for Enhanced Mitigation Experience Toolkit, according to a whitepaper published Monday. Microsoft has long held out EMET as an important tool for hardening Windows computers beyond the protections built into the operating system. The proof-of-concept exploit shows the limitations of those protections. The Bromium whitepaper included an example of a real-world attack that was able to circumvent the techniques EMET uses to limit the damage malicious code can do when it targets security bugs in third-party applications.

“The impact of this study shows that technologies that operate on the same plane of execution as potentially malicious code offer little lasting protection,” Bromium Labs researchers wrote in a blog post. “This is true of EMET and other similar userland protections. That’s because a defense that is running in the same space as potentially malicious code can typically be bypassed, since there’s no ‘higher’ ground advantage as there would be from a kernel or hypervisor protection. We hope this study helps the broader community understand the facts when making a decision about which protections to use.”

The Bromium research was presented Monday at the BSides SF 2014 security conference in San Francisco. The researchers said their attack was able to slice through each of the protections available in EMET, including stack pivot protection, export address table access filtering (EAF), and the checks designed to block a malicious coding technique known as return-oriented programming (ROP). The researchers privately informed security personnel at Microsoft before going public with their findings; the software giant plans to credit the research when releasing the upcoming version 5 of EMET. Among the researchers who developed the exploit was Jared DeMott, who earned third place in the BlueHat Prize contest, in which Microsoft paid cash awards for the creation of exploit mitigations.
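To make the two per-call checks named above concrete, here is a constructed model of what a user-mode hook of this kind decides before a sensitive API is allowed to run. It is an added illustration, not EMET's code and not Bromium's bypass: the thread stack range, the code bytes and the `enabled` flag are all invented, and the last scenario only demonstrates the generic point made in Bromium's blog post (the hook's own state lives in the same writable process memory as the code it is supposed to stop), not any specific technique from the whitepaper.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the checks an EMET-style user-mode hook performs in
 * front of a "sensitive" API (e.g. one that changes page protections).
 * Every address and byte below is made up for the illustration. */

typedef struct {
    uintptr_t stack_limit;  /* lowest address of the thread's stack */
    uintptr_t stack_base;   /* one past the highest address of the stack */
    bool      enabled;      /* the hook's own switch; it sits in the same
                               writable process memory as everything else */
} mitigation_state;

/* Stack-pivot check: the stack pointer observed at the hook must lie inside
 * the thread's registered stack. A ROP chain that pivoted the stack pointer
 * into heap memory fails here. */
bool stack_pivot_check(const mitigation_state *st, uintptr_t sp)
{
    return sp >= st->stack_limit && sp < st->stack_base;
}

/* Caller check: the return address on the stack must directly follow a CALL
 * instruction. Three x86 encodings are recognised: E8 rel32 (5 bytes),
 * FF /2 with a register operand (2 bytes), FF /2 with a disp32 memory
 * operand (6 bytes). Reaching the API by RET from a gadget leaves a return
 * address that is not preceded by a CALL. */
static bool is_call_modrm(uint8_t modrm) { return ((modrm >> 3) & 7) == 2; }

bool caller_check(const uint8_t *code, size_t len, size_t ret_off)
{
    if (ret_off > len) return false;
    if (ret_off >= 5 && code[ret_off - 5] == 0xE8) return true;
    if (ret_off >= 2 && code[ret_off - 2] == 0xFF &&
        is_call_modrm(code[ret_off - 1]) && (code[ret_off - 1] >> 6) == 3) return true;
    if (ret_off >= 6 && code[ret_off - 6] == 0xFF &&
        is_call_modrm(code[ret_off - 5]) && (code[ret_off - 5] & 0xC7) == 0x05) return true;
    return false;
}

/* The hook's verdict for one invocation of the guarded API. */
bool hook_allows(const mitigation_state *st, uintptr_t sp,
                 const uint8_t *code, size_t len, size_t ret_off)
{
    if (!st->enabled) return true;             /* disarmed: no checks at all */
    return stack_pivot_check(st, sp) && caller_check(code, len, ret_off);
}

/* Constructed thread: a 64 KiB stack, and a code page in which offset 6
 * follows a 5-byte call, offset 13 follows a 6-byte indirect call, and
 * offset 1 follows a plain NOP. */
static const mitigation_state demo_thread = {
    .stack_limit = 0x002F0000, .stack_base = 0x00300000, .enabled = true };
static const uint8_t demo_code[] = {
    0x90,                               /*  0: nop                       */
    0xE8, 0x10, 0x00, 0x00, 0x00,       /*  1: call +0x10 ; returns to 6 */
    0xC3,                               /*  6: ret                       */
    0xFF, 0x15, 0x00, 0x10, 0x40, 0x00, /*  7: call [0x401000] ; to 13   */
    0xC3 };                             /* 13: ret                       */

/* Bit i is set when scenario i behaved as the text describes:
 *  bit 0  ordinary call, stack pointer on the real stack -> allowed
 *  bit 1  stack pointer pivoted into the heap            -> blocked
 *  bit 2  on the real stack but reached via RET          -> blocked
 *  bit 3  indirect call encoding (FF /2 disp32)          -> allowed
 *  bit 4  hook's own flag overwritten from in-process    -> allowed again */
int demo_results(void)
{
    mitigation_state st = demo_thread;   /* writable copy, like real process memory */
    size_t n = sizeof demo_code;
    int bits = 0;
    if ( hook_allows(&st, 0x002FF800, demo_code, n, 6))  bits |= 1 << 0;
    if (!hook_allows(&st, 0x00A00000, demo_code, n, 6))  bits |= 1 << 1;
    if (!hook_allows(&st, 0x002FF800, demo_code, n, 1))  bits |= 1 << 2;
    if ( hook_allows(&st, 0x002FF800, demo_code, n, 13)) bits |= 1 << 3;
    st.enabled = false;  /* same-plane limitation: any code in the process can write this */
    if ( hook_allows(&st, 0x00A00000, demo_code, n, 1))  bits |= 1 << 4;
    return bits;
}

int main(void)
{
    printf("scenario bitmap: 0x%02x (0x1f means all five behaved as expected)\n",
           demo_results());
    return 0;
}
```

The first four scenarios show why these checks raise the cost of a generic ROP payload: the chain has to keep the stack pointer inside the real stack and reach the API through a genuine call site. The fifth shows the limitation the Bromium researchers describe: the verdict depends on state (the flag, the stack bounds, the hooked code itself) that lives in the same address space as the attacker's code, so there is no "higher ground" from which the hook can trust its own inputs.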

Microsoft worked with Bromium on the original research, Jonathan Ness, principal security development manager in Microsoft's Trustworthy Computing group, said in a statement. What's more, EMET 4.1, which was released several months ago, already contained a setting that addresses some of the issues. Ness didn't answer Ars's question asking when EMET 5 would be released. Despite Microsoft's work to update EMET, the Bromium Labs researchers warned that there may not be much Microsoft developers can do to fix some of the weaknesses.

“The bypasses leverage generic limitations, and are not easily repaired,” they wrote.

As complete and effective as the Bromium Labs exploit is, the researchers said that EMET may still be worth using, depending on the specific computers being protected. They explained:

However, as was seen in our research, deploying EMET does mean attackers have to work a little bit harder; payloads need to be customized, and EMET bypass research needs to be conducted. Thus, EMET is good for the price (free), but it can be bypassed by determined attackers. Microsoft freely admits that it is not a perfect protection, and comments from Microsoft speakers at conference talks admit that as well. The objective of EMET is not perfection, but to raise the cost of exploitation. So the question really is not can EMET be bypassed. Rather, does EMET sufficiently raise the cost of exploitation? The answer to that is likely dependent upon the value of the data being protected. For organizations with data of significant value, we submit that EMET does not sufficiently stop customized exploits.

A recent in-the-wild attack that exploited a previously undocumented vulnerability in Internet Explorer checked whether EMET was present and declined to run on machines that had it installed. The takeaway from Monday's disclosure should be that EMET remains an effective, but by no means infallible, protection.

I never really used EMET… I just couldn't figure out how to configure it correctly or if it was even working. Besides, it messed with some of my daily applications and I couldn't figure out how to get it to stop, so I tossed it out… Nevertheless that's some good information, thanks for sharing. :)

I hold the belief that just because something doesn't protect you 100%, that doesn't mean you shouldn't use it, mainly because it will still protect you from a large percentage of attacks. Just because it can't stop some, does that mean you would want to toss it out and allow all attacks? No, of course not. Some protection is better than no protection, even if I can't figure out how to use it. ;D

No surprise here really, thanks for the info. EMET 4.1 took forever to come out!

EMET 5? It will take even longer LOL! EMET is a good extra layer of security, but it can mess up a few things, yes.

How do these new attacks affect Malwarebytes Anti-Exploit? Is it affected as well, or can it protect against them?

Good Q. No A to that so far… 88)

This just proves that no matter what you do or use, the best approach to security is using our own common sense, and to use security software like CIS as additional protection, NOT the first line of defence. If we can use common sense in how we browse and where we browse, what we download and where we download, this can go a long way to reduce the threats, and the types of threat, that CIS and other security software will finally have to deal with if something still slips through. We shouldn't be relying on security software, full stop; there is always going to be something that could possibly bypass it. We need to learn to protect ourselves with how we behave while online. :)