Security Experts:

Researchers Adapt Old Techniques to Bypass Microsoft EMET 5.1 Protections

Two independent research groups have already managed to bypass the protection mechanisms provided by the latest version of Microsoft's Enhanced Mitigation Experience Toolkit (EMET).

Microsoft released EMET 5.1 on November 10, and the latest version addresses several compatibility issues, and brings enhanced protection. The company says mitigations have been improved and hardened to make them more resilient to attacks and bypasses.

However, roughly one week after the release of EMET 5.1, researchers claim to have found ways to bypass the security tool's protections.

Offensive Security disables all protections

Researchers at Offensive Security, who previously found ways to disarm both EMET 4.1 and EMET 5.0, have published a proof-of-concept video and an exploit that has been successfully tested on the 32-bit versions of Windows 7 SP1, Windows 2008 SP1, Windows 8, and Windows 8.1.

In the past, the security firm disarmed EMET by leveraging a global variable that acts as a switch for enabling and disabling mitigations. The said variable is better protected in EMET 5.1 and it has been placed on a read-only memory page, but researchers found a way to disable all the protection mechanisms by making the memory page writable.

"We started looking at EMET since version 4.0 and it’s come a long way since. There’s no doubt that Microsoft are stepping up their efforts at making EMET ever more effective. This sort of layered defense goes a long way in disrupting commodity attacks and increasing the level of effort required for successful exploitation," Offensive Security wrote in a blog post.

SEC Consult "jumps" over protections

SEC Consult Vulnerability Lab, which last month published a video demonstrating that its researchers got around the basic protection mechanisms of EMET 5.0, has managed to hack the latest version as well. Rene Freingruber of SEC Consult has been credited by Microsoft for his assistance in improving EMET.

Similar to Offensive Security, SEC Consult has managed to break EMET 5.1 by adapting the techniques used against EMET 5.0. The exploitation techniques used by the security firms are similar, but SEC Consult uses a different approach. Instead of disabling all protections, SEC Consult says it has "jumped" over them.

SEC Consult has reported its findings to Microsoft, but the company says it hasn't receive any information regarding an update that addresses the issues. The company will disclose additional details at the DeepSec security conference that takes place this week in Vienna, Austria. 

"With the techniques developed by Rene Freingruber from SEC Consult Vulnerability Lab he managed to bypass all protection mechanisms separately in a reliable way. A demo exploit works against all Windows operating systems starting from XP SP0 x86 until Windows 8.1 x64 bit and against all EMET versions (3.5, 4.0, 4.1, 5.0 and 5.1 were verified)," SEC Consult representatives told SecurityWeek.

"In addition it's possible to defeat many protections with small changes in the exploit code in a very easy way. E.g. one bypass vector developed by SEC Consult just jumps over all EMET-protection code directly to the code which should be called. The only major change of the bypass exploit developed by the SEC Consult Vulnerability Lab was the way of finding EMET.dll in memory," they added.

SEC Consult told SecurityWeek that it's difficult for Microsoft to address their attack method.

"Our exploit was developed with a configuration file where we can specify which techniques should be used to bypass which protections. Even if Microsoft would patch these 'simple tricks' our exploit would still keep working. If Microsoft would implement all protections mentioned in our talk, it would still be possible to adapt our exploit with minimal effort (based on our effort already spent)," SEC Consult's Johannes Greil explained.

Greil says they are only releasing limited information to prevent abuse by malicious actors.

"We do not want to support attackers by publishing reliable working exploitation code. That's why we have chosen to provide information about our research only in the slides where interested researchers can find further information," Greil said. "Additionally, our demonstrated bypass techniques were implemented for an older Firefox vulnerability which should have been patched by everyone now in order to protect them. It would also be possible to implement our bypass techniques on top of EMET resulting in easy-to-reuse code. Instead, we implemented everything on top of a Firefox module which allows us to share the information without providing easy-to-reuse code for malicious attackers."

Microsoft's Response

Contacted by SecurityWeek, Microsoft has provided the "standard" statement for when researchers bypass or disarm EMET.

"There is no one tool capable of preventing all attacks. EMET is designed to make it more difficult, expensive and time consuming, and therefore less likely, for attackers to exploit a system," a Microsoft spokesperson said.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.