Connect with us

Hi, what are you looking for?



Researchers Discover How to Disarm Microsoft EMET 5.0

Researchers at Offensive Security, the company that develops and maintains Kali Linux, have once again managed to disable the protection mechanisms provided by Microsoft’s Enhanced Mitigation Experience Toolkit (EMET).

Researchers at Offensive Security, the company that develops and maintains Kali Linux, have once again managed to disable the protection mechanisms provided by Microsoft’s Enhanced Mitigation Experience Toolkit (EMET).

There are several papers on how to bypass EMET, but Offensive Security has focused on “disarming” the security tool. In July, the company announced that it had managed to disarm EMET 4.x. At the time, they noted that they had also found a way to disarm the technical preview version of EMET 5.0.

Microsoft’s free security tool includes mitigation technologies such as Structured Exception Handler Overwrite Protection (SEHOP), Null page allocation, Data Execution Prevention (DEP), Heapspray Allocations, Export Address Table Access Filtering (EAF), Return Oriented Programming (ROP) and Mandatory Address Space Layout Randomization (ASLR). With the release of the final version of EMET 5.0 in late July, Microsoft introduced two new mitigations: Attack Surface Reduction (ASR) and Export Address Table Filtering Plus (EAF+).

The changes made to the final version mitigated the attack method they disclosed in July, so Offensive Security researchers wanted to have another try at disarming EMET.

Researchers disabled the EMET 4.x protections by tweaking some previously described techniques. In EMET 5.0, some changes have been made, but experts still managed to disarm ROP, EAF and even the newly-introduced EAF+. The new ASR feature doesn’t affect the exploit, Offensive Security said.

“As we managed to successfully demonstrate, the difficulty in disarming EMET 5 mitigations has not increased substantially since version 4.x. More than anything, only our ROP chain has increased in size, while achieving the same effect of bypassing the protections offered by EMET,” the company said in a blog post.

The attack was successfully reproduced on Windows 7 SP1, Windows 2008 SP1, Windows 8, Windows 8.1, Windows XP SP3 and Windows 2003 SP2, Offensive Security said. The full exploit has been published on Exploit Database, and the company has also released a video demonstrating the attack.

Advertisement. Scroll to continue reading.

Mati Aharoni, lead trainer and developer at Offensive Security, told SecurityWeek that they haven’t notified Microsoft about their findings and Microsoft has never contacted them about their research.

“There is no one tool capable of preventing all attacks. EMET is designed to make it more difficult, expensive and time consuming, and therefore less likely, for attackers to exploit a system,” a Microsoft spokesperson said in an emailed statement.

Aharoni noted that the level of sophistication for these exploits can be described as “medium,” but his company has not seen any of the bypass exploits being used in the wild.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.