Researchers at Offensive Security, the company that develops and maintains Kali Linux, have once again managed to disable the protection mechanisms provided by Microsoft’s Enhanced Mitigation Experience Toolkit (EMET).
There are several papers on how to bypass EMET, but Offensive Security has focused on “disarming” the security tool. In July, the company announced that it had managed to disarm EMET 4.x. At the time, they noted that they had also found a way to disarm the technical preview version of EMET 5.0.
Microsoft’s free security tool includes mitigation technologies such as Structured Exception Handler Overwrite Protection (SEHOP), Null page allocation, Data Execution Prevention (DEP), Heapspray Allocations, Export Address Table Access Filtering (EAF), Return Oriented Programming (ROP) and Mandatory Address Space Layout Randomization (ASLR). With the release of the final version of EMET 5.0 in late July, Microsoft introduced two new mitigations: Attack Surface Reduction (ASR) and Export Address Table Filtering Plus (EAF+).
The changes made to the final version mitigated the attack method they disclosed in July, so Offensive Security researchers wanted to have another try at disarming EMET.
Researchers disabled the EMET 4.x protections by tweaking some previously described techniques. In EMET 5.0, some changes have been made, but experts still managed to disarm ROP, EAF and even the newly-introduced EAF+. The new ASR feature doesn’t affect the exploit, Offensive Security said.
“As we managed to successfully demonstrate, the difficulty in disarming EMET 5 mitigations has not increased substantially since version 4.x. More than anything, only our ROP chain has increased in size, while achieving the same effect of bypassing the protections offered by EMET,” the company said in a blog post.
The attack was successfully reproduced on Windows 7 SP1, Windows 2008 SP1, Windows 8, Windows 8.1, Windows XP SP3 and Windows 2003 SP2, Offensive Security said. The full exploit has been published on Exploit Database, and the company has also released a video demonstrating the attack.
Mati Aharoni, lead trainer and developer at Offensive Security, told SecurityWeek that they haven’t notified Microsoft about their findings and Microsoft has never contacted them about their research.
“There is no one tool capable of preventing all attacks. EMET is designed to make it more difficult, expensive and time consuming, and therefore less likely, for attackers to exploit a system,” a Microsoft spokesperson said in an emailed statement.
Aharoni noted that the level of sophistication for these exploits can be described as “medium,” but his company has not seen any of the bypass exploits being used in the wild.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- ChatGPT Hallucinations Can Be Exploited to Distribute Malicious Code Packages
- AntChain, Intel Create New Privacy-Preserving Computing Platform for AI Training
- Several Major Organizations Confirm Being Impacted by MOVEit Attack
- Verizon 2023 DBIR: Human Error Involved in Many Breaches, Ransomware Cost Surges
- Google Patches Third Chrome Zero-Day of 2023
- Ransomware Group Used MOVEit Exploit to Steal Data From Dozens of Organizations
- Cybersecurity M&A Roundup: 36 Deals Announced in May 2023
- In Other News: Government Use of Spyware, New Industrial Security Tools, Japan Router Hack
Latest News
- Sysdig Introduces CNAPP With Realtime CDR
- Stay Focused on What’s Important
- VMware Plugs Critical Flaws in Network Monitoring Product
- Hackers Issue ‘Ultimatum’ Over Payroll Data Breach
- US, Israel Provide Guidance on Securing Remote Access Software
- OWASP’s 2023 API Security Top 10 Refines View of API Risks
- Android’s June 2023 Security Update Patches Exploited Arm GPU Vulnerability
- ChatGPT Hallucinations Can Be Exploited to Distribute Malicious Code Packages
