Security Experts:

Researchers Discover How to Disarm Microsoft EMET 5.0

Researchers at Offensive Security, the company that develops and maintains Kali Linux, have once again managed to disable the protection mechanisms provided by Microsoft's Enhanced Mitigation Experience Toolkit (EMET).

There are several papers on how to bypass EMET, but Offensive Security has focused on "disarming" the security tool. In July, the company announced that it had managed to disarm EMET 4.x. At the time, they noted that they had also found a way to disarm the technical preview version of EMET 5.0.

Microsoft's free security tool includes mitigation technologies such as Structured Exception Handler Overwrite Protection (SEHOP), Null page allocation, Data Execution Prevention (DEP), Heapspray Allocations, Export Address Table Access Filtering (EAF), Return Oriented Programming (ROP) and Mandatory Address Space Layout Randomization (ASLR). With the release of the final version of EMET 5.0 in late July, Microsoft introduced two new mitigations: Attack Surface Reduction (ASR) and Export Address Table Filtering Plus (EAF+).

The changes made to the final version mitigated the attack method they disclosed in July, so Offensive Security researchers wanted to have another try at disarming EMET.

Researchers disabled the EMET 4.x protections by tweaking some previously described techniques. In EMET 5.0, some changes have been made, but experts still managed to disarm ROP, EAF and even the newly-introduced EAF+. The new ASR feature doesn't affect the exploit, Offensive Security said.

"As we managed to successfully demonstrate, the difficulty in disarming EMET 5 mitigations has not increased substantially since version 4.x. More than anything, only our ROP chain has increased in size, while achieving the same effect of bypassing the protections offered by EMET," the company said in a blog post.

The attack was successfully reproduced on Windows 7 SP1, Windows 2008 SP1, Windows 8, Windows 8.1, Windows XP SP3 and Windows 2003 SP2, Offensive Security said. The full exploit has been published on Exploit Database, and the company has also released a video demonstrating the attack.

Mati Aharoni, lead trainer and developer at Offensive Security, told SecurityWeek that they haven't notified Microsoft about their findings and Microsoft has never contacted them about their research.

"There is no one tool capable of preventing all attacks. EMET is designed to make it more difficult, expensive and time consuming, and therefore less likely, for attackers to exploit a system," a Microsoft spokesperson said in an emailed statement.

Aharoni noted that the level of sophistication for these exploits can be described as "medium," but his company has not seen any of the bypass exploits being used in the wild.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.