Researchers Bypass Microsoft EMET Exploit Protections

Security researchers at Bromium have poked holes in the armor of Microsoft’s Enhanced Mitigation Experience Toolkit.

In a new whitepaper, the firm lays out how to bypass the toolkit’s memory protections, in particular its mitigations against return-oriented programming (ROP), which EMET applies to 32-bit processes only.

“ROP based exploitation has been rampant in malware to bypass the ASLR+DEP [address space layout randomization and data execution prevention] protections,” blogged Jared DeMott, a researcher with Bromium and the author of the whitepaper. “Most of the in-the-wild malware uncovered in the past year used a variant of ROP techniques. EMET adds other useful protections (like force ASLR and DEP) as well, but many of those are already present in their newest operating system, Windows 8.1. And thus, EMET particularly excels for older platforms like Windows XP.”

“We found that EMET was very good at stopping pre-existing memory corruption attacks (a type of hacker exploit),” he continued. “But we wondered: is it possible for a slightly more technical attacker to bypass the protections offered in EMET? And yes, we found ways to bypass all of the protections in EMET.”

The study focuses on EMET 4.0 and 4.1. The exploit described in the paper bypasses all 12 EMET protections, with particular attention paid to the stack pivot protection, which checks at hooked critical APIs that the stack pointer still lies within the thread’s own stack. That check was evaded by using a pop-copy to the stack, a second pivot to the stack to execute critical ROP code and a final “jump back to an EMET friendly payload,” DeMott explained in the paper.

Other key defenses defeated by the exploit include export address filtering (EAF), which uses hardware breakpoints held in the CPU debug registers to catch reads of exported function tables and was disabled by clearing those registers. The final checks were bypassed by calling an unprotected version of VirtualProtect.
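To make the stack pivot discussion concrete, the following is an added illustration written for this page; it is not code from the Bromium paper or from EMET, and the `teb_model_t`, `hooked_virtual_protect` and scenario names are assumptions. It models the pivot heuristic as a range check on the stack pointer at a hooked API entry, then shows the two evasions the article describes: copying the chain onto the real stack before the hooked call (pop-copy), and calling the unhooked function directly so the check never runs. The "gadget" values in the chain are constructed placeholders.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed model of the per-thread stack bounds a userland mitigation can read
 * from the TEB (StackLimit = lowest address, StackBase = one past the top).
 * Names and layout are illustrative, not EMET's internals. */
typedef struct {
    uintptr_t stack_limit;
    uintptr_t stack_base;
} teb_model_t;

enum { ALLOW = 0, BLOCK_STACK_PIVOT = 1 };

/* Stack-pivot heuristic: on entry to a hooked critical API the stack pointer
 * must still lie inside the thread's real stack. */
int stack_pivot_check(const teb_model_t *teb, uintptr_t sp) {
    return (sp >= teb->stack_limit && sp < teb->stack_base) ? ALLOW : BLOCK_STACK_PIVOT;
}

/* Stand-in for the unhooked, "unprotected" copy of VirtualProtect. */
int unprotected_virtual_protect(void) {
    return 1; /* the sensitive operation succeeds */
}

/* Stand-in for the hooked export: the check runs inside the same process,
 * in front of the real function. */
int hooked_virtual_protect(const teb_model_t *teb, uintptr_t sp) {
    if (stack_pivot_check(teb, sp) != ALLOW) {
        return 0; /* mitigation blocks the call */
    }
    return unprotected_virtual_protect();
}

/* Constructed sample ROP chain: placeholder values, not real gadget addresses. */
#define CHAIN_LEN 4
static const uintptr_t sample_chain[CHAIN_LEN] = {
    0x41414141u, 0x42424242u, 0x43434343u, 0x44444444u
};

/* Build a TEB model whose bounds cover a stack-resident buffer that stands in
 * for the thread's stack. */
static teb_model_t teb_for(const uint8_t *stack_region, size_t len) {
    teb_model_t teb = { (uintptr_t)stack_region, (uintptr_t)stack_region + len };
    return teb;
}

/* Scenario 1: classic pivot. The chain lives on the heap and the stack pointer
 * is redirected there before the critical API is reached. Returns 0 (blocked). */
int demo_pivot_to_heap(void) {
    uint8_t stack_region[256];
    teb_model_t teb = teb_for(stack_region, sizeof stack_region);
    uintptr_t *heap_chain = malloc(sizeof sample_chain);
    memcpy(heap_chain, sample_chain, sizeof sample_chain);
    int result = hooked_virtual_protect(&teb, (uintptr_t)heap_chain);
    free(heap_chain);
    return result;
}

/* Scenario 2: pop-copy. The chain is copied from the heap onto the real stack
 * first, so the stack pointer is in bounds when the hook looks. Returns 1 (allowed). */
int demo_pop_copy(void) {
    uint8_t stack_region[256];
    teb_model_t teb = teb_for(stack_region, sizeof stack_region);
    uintptr_t *heap_chain = malloc(sizeof sample_chain);
    memcpy(heap_chain, sample_chain, sizeof sample_chain);
    memcpy(stack_region, heap_chain, sizeof sample_chain); /* the copy step */
    free(heap_chain);
    return hooked_virtual_protect(&teb, (uintptr_t)stack_region);
}

/* Scenario 3: skip the hook by calling the unprotected entry point. A check that
 * lives in the same address space cannot see this path at all. Returns 1. */
int demo_unhooked_call(void) {
    return unprotected_virtual_protect();
}

int main(void) {
    printf("pivot to heap -> %d\n", demo_pivot_to_heap());
    printf("pop-copy      -> %d\n", demo_pop_copy());
    printf("unhooked call -> %d\n", demo_unhooked_call());
    return 0;
}
```

The point of the three scenarios is DeMott's "same plane of execution" argument: the range check is sound on its own terms, but an attacker who already controls the process can arrange the stack to satisfy it or route around the hook, and nothing in userland has the higher ground to notice.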

“The impact of this study shows that technologies that operate on the same plane of execution as potentially malicious code offer little lasting protection,” DeMott blogged. “This is true of EMET and other similar userland protections. That’s because a defense that is running in the same space as potentially malicious code can typically be bypassed, since there’s no “higher” ground advantage as there would be from a kernel or hypervisor protection. We hope this study helps the broader community understand the facts when making a decision about which protections to use.”

This is not the first time EMET has been in the sights of researchers. Aaron Portnoy, co-founder of Exodus Intelligence, gave a presentation at SummerCon in 2013 that detailed EMET bypasses as well. In addition, this year’s upcoming Pwn2Own contest at CanSecWest is slated to include a $150,000 prize for any researcher that can exploit Internet Explorer 11, Windows 8.1 and EMET.

Rahul Kashyap, chief security architect and head of security research at Bromium, said Microsoft is slated to address the issues uncovered by the firm in EMET’s next release.

“Just like any other tool that relies on heuristics or known exploitation mechanisms, EMET is also vulnerable to such attacks,” he said. “[EMET] is definitely a layer of protection, but it’s important to know the limitations of each layer as we architect it and that was the goal of this research.”
