Windows Subsystem Used to Bypass Microsoft EMET

Researchers have once again managed to bypass Microsoft’s Enhanced Mitigation Experience Toolkit (EMET), this time by leveraging the Windows subsystem WoW64.

WoW64 (Windows 32-bit on Windows 64-bit) is a compatibility layer in Windows designed to allow unmodified 32-bit applications to run on 64-bit systems. While it’s very useful, researchers demonstrated in the past that WoW64 creates an attack surface that can be used by malicious actors to bypass antivirus software and exploit mitigations.

Researchers at two-factor authentication (2FA) solutions provider Duo Security have found a way to use WoW64 to bypass Microsoft EMET, a tool designed to make it more difficult and more expensive for attackers to exploit a system.

While EMET bypass methods have been presented several times in the past, Duo Security says its method can be used to bypass all payload execution and return-oriented programming (ROP) mitigations in one shot, in a generic, app-independent way.

According to Duo Security, 80 percent of browsers are 32-bit processes running under WoW64 on a 64-bit system. This is relevant in this case as web browser exploitation is one of the most common vectors used by malicious actors to breach systems.
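A defender's inventory check for the exposure described above, as an added example that is not from the article or from Duo Security's paper: it reads the PE header's Machine field to flag native 32-bit executables, which run under WoW64 on 64-bit Windows. The function names and the sample header bytes are constructed for illustration.

```python
import struct
import sys

IMAGE_FILE_MACHINE_I386 = 0x014C   # 32-bit x86 image
IMAGE_FILE_MACHINE_AMD64 = 0x8664  # 64-bit x64 image


def pe_machine(data: bytes) -> int:
    """Return the COFF Machine field of a PE image, or raise ValueError."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    # e_lfanew at offset 0x3C points to the "PE\0\0" signature.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return machine


def runs_under_wow64(data: bytes, os_is_64bit: bool = True) -> bool:
    """True for a native 32-bit x86 image on a 64-bit OS.

    Caveat: managed (.NET) images marked I386 may still be loaded as
    64-bit by the runtime; this check is meant for native executables.
    """
    return os_is_64bit and pe_machine(data) == IMAGE_FILE_MACHINE_I386


def sample_pe(machine: int) -> bytes:
    """Constructed minimal header: MZ stub, e_lfanew=0x40, PE sig, Machine."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    return dos + b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18


if __name__ == "__main__":
    # Usage: python wow64_check.py <exe> [<exe> ...]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            header = fh.read(4096)
        try:
            flag = "WoW64 (32-bit)" if runs_under_wow64(header) else "native"
        except ValueError as err:
            flag = f"skipped: {err}"
        print(f"{path}: {flag}")
```
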

In order to demonstrate their findings, researchers modified an existing exploit for a use-after-free vulnerability in Adobe Flash Player (CVE-2015-0311). They successfully reproduced the bypass on a 64-bit version of Windows 7 running Internet Explorer 10 and the latest versions of EMET, 5.2 and 5.5 beta.

“While EMET provides support for both 32 and 64-bit processes, as a limitation of its design, it does not explicitly handle the special case of WoW64 processes. This makes using a 64-bit ROP chain and secondary stage a relatively straightforward method for bypassing a significant number of EMET’s mitigations,” Duo Security explained in its research paper. “Furthermore, 64-bit editions of EMET do not support any of the ROP-related mitigations, further limiting EMET’s effectiveness on 64-bit processes. It appears that due to these limitations, enhancing EMET to overcome them is likely a non-trivial effort.”

Darren Kemp, researcher at Duo Security, has pointed out that the paper’s goal is not to undermine the importance of EMET’s role in defending organizations against cyberattacks, but to highlight shortcomings in the current version.

“EMET is largely effective at complicating a variety of exploitation techniques in true 32- and 64-bit applications, often requiring attackers to find a solution to each mitigation on a case-by-case basis. Most off-the-shelf exploits will fail in the face of EMET mitigations,” Duo Security said. “But due to the architectural quirks of the WoW64 subsystem, mitigations provided by EMET are significantly less effective due to the way they are inserted into the process. Fixing this issue requires significant modifications to how EMET works.”

Microsoft has provided the following statement: We continue to research new mitigations to integrate into the Enhanced Mitigation Experience Toolkit (EMET). Deploying EMET helps make it more difficult for attackers to exploit a system, which moves the balance of power in the customer’s favor.

*Updated with statement from Microsoft

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
