Attack code bypasses Microsoft zero-day protection software

Summary: Researchers have demonstrated methods to bypass EMET, suggesting that cybercriminals can do the same.

TOPICS: Security, Microsoft

Researchers say they have developed malicious code which is able to bypass Microsoft's zero-day protection software, EMET.

The Enhanced Mitigation Experience Toolkit (EMET) is free software developed by the Redmond giant and designed to protect user and enterprise systems against a range of vulnerabilities and exploits. It offers standard, baseline protection: certainly not perfect, as no software is, but good enough to stop a number of older attacks and exploit techniques.

However, exploit code developed by researchers at Bromium Labs (.pdf) circumvents a number of the protections EMET provides, which means that attackers could do the same in order to install malware on an unsuspecting user's computer.

[Screenshot from the Bromium Labs whitepaper. Credit: Bromium Labs]

A whitepaper published by the security firm on Monday night details the bypasses. The proof-of-concept exploit code, shared with Microsoft before being made public, shows the limits of the free software and includes real-world examples in which its mitigations, which are meant to intervene once malicious behaviour is detected, were fully bypassed.

The researchers say that EMET excels at stopping pre-existing memory corruption exploits and techniques that rely on return-oriented programming (ROP), which many current exploits use, but that it is most useful on older platforms such as Windows XP, since Windows 8.1 already ships with a number of the protections found in EMET.

According to Ars Technica, which attended the presentation of the research at the BSides SF 2014 security conference in San Francisco, the researchers claimed that every protection EMET offered was torn apart, including stack pivot protection, export address table access filtering (EAF) and the blocking of ROP.

In a blog post, Bromium researchers said:

"The impact of this study shows that technologies that operate on the same plane of execution as potentially malicious code offer little lasting protection. This is true of EMET and other similar userland protections. That’s because a defense that is running in the same space as potentially malicious code can typically be bypassed, since there's no 'higher' ground advantage as there would be from a kernel or hypervisor protection.

We hope this study helps the broader community understand the facts when making a decision about which protections to use."
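The "same plane of execution" argument above is the heart of the finding, so here is an added illustration of it in C. It is not code from the article or from Bromium's paper, and it does not reproduce any of their actual bypasses. It models an EMET-style mitigation as a hook installed on a writable function-pointer slot (the way an import-table hook works), whose job is to refuse requests to make memory executable, the step a ROP chain typically needs. All names here (`fake_iat_protect`, `emet_like`, `api_protect`, the bypass functions) are invented for the example. Because the attacker's code runs in the same address space at the same privilege, it can flip the mitigation's own flag, restore the original pointer, or simply call the underlying function without going through the hook at all:

```c
/* Added example (not from the article or Bromium's paper): a simulated
 * userland mitigation and three ways in-process attacker code defeats it.
 * Every identifier below is invented for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PROT_EXEC_SIM 0x4        /* stand-in for a PAGE_EXECUTE_* flag */

typedef int (*protect_fn)(void *addr, size_t len, int prot);

/* The "real" API. Returns 1 when the (simulated) protection change happened. */
static int api_protect(void *addr, size_t len, int prot) {
    (void)addr; (void)len; (void)prot;
    return 1;
}

/* A writable function-pointer slot, like an entry in a PE import table (IAT). */
static protect_fn fake_iat_protect = api_protect;

/* Mitigation state. It lives in the same address space, at the same privilege,
 * as the code it is supposed to police. */
struct mitigation {
    int enabled;
    protect_fn original;   /* where the hook forwards legitimate calls */
};
static struct mitigation emet_like = { 0, NULL };

/* The hook: refuse to make memory executable (the classic ROP -> VirtualProtect step). */
static int hooked_protect(void *addr, size_t len, int prot) {
    if (emet_like.enabled && (prot & PROT_EXEC_SIM))
        return 0;                  /* "exploit blocked" */
    return emet_like.original(addr, len, prot);
}

/* Install the hook by overwriting the import slot (guarded against double-hooking). */
void emet_like_install(void) {
    if (fake_iat_protect != hooked_protect) {
        emet_like.original = fake_iat_protect;
        fake_iat_protect = hooked_protect;
    }
    emet_like.enabled = 1;
}

/* What a ROP chain would do: call through the import slot to make its payload executable. */
int payload_make_executable(void) {
    static unsigned char shellcode_stub[16];  /* constructed placeholder, never executed */
    return fake_iat_protect(shellcode_stub, sizeof shellcode_stub, PROT_EXEC_SIM);
}

/* Bypass 1: flip the mitigation's own switch, which is just a writable global. */
void bypass_disable_flag(void) { emet_like.enabled = 0; }

/* Bypass 2: unhook by restoring the import slot to the original target. */
void bypass_unhook(void) { fake_iat_protect = emet_like.original; }

/* Bypass 3: skip the hooked layer and call the API directly (analogous to
 * invoking the system call stub rather than the hooked wrapper). */
int bypass_call_direct(void) {
    static unsigned char shellcode_stub[16];
    return api_protect(shellcode_stub, sizeof shellcode_stub, PROT_EXEC_SIM);
}

/* Runs the scenario and returns a bitmask:
 * bit 0: hook blocked the payload while armed
 * bit 1: flag flip let the payload through
 * bit 2: unhooking let the payload through
 * bit 3: direct call let the payload through */
int run_scenario(void) {
    int result = 0;
    emet_like_install();
    if (payload_make_executable() == 0) result |= 1;   /* blocked while armed */
    bypass_disable_flag();
    if (payload_make_executable() == 1) result |= 2;
    emet_like.enabled = 1;                              /* re-arm */
    bypass_unhook();
    if (payload_make_executable() == 1) result |= 4;
    emet_like_install();                                /* re-hook */
    if (bypass_call_direct() == 1) result |= 8;
    return result;
}

int main(void) {
    printf("bypass mask: 0x%x (0xf means all three bypasses worked)\n", run_scenario());
    return 0;
}
```

The point is not the specific trick but the lack of a privilege boundary: every piece of state the mitigation depends on is reachable by the code it is trying to constrain. A kernel- or hypervisor-level control keeps that state where in-process code cannot write to it, which is the "higher ground" the researchers refer to.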

Although the software can be bypassed, it is free, and for end users it is still worth using in many cases. Within the paper, the security team write:

"As was seen in our research, deploying EMET does mean attackers have to work a little bit harder; payloads need to be customized, and EMET bypass research needs to be conducted. Thus, EMET is good for the price (free), but it can be bypassed by determined attackers. Microsoft freely admits that it is not a perfect protection, and comments from Microsoft speakers at conference talks admit that as well.

The objective of EMET is not perfection, but to raise the cost of exploitation. So the question really is not can EMET be bypassed. Rather, does EMET sufficiently raise the cost of exploitation?

The answer to that is likely dependent upon the value of the data being protected. For organizations with data of significant value, we submit that EMET does not sufficiently stop customized exploits."

The current version of EMET, 4.1, is due for replacement by EMET 5 this year.

Talkback

  • LOL!

    Article:
    "every protection EMET offered was torn apart, including stack pivot protection, export address table access filtering and the blocking of ROP."
    Rabid Howler Monkey
  • NOT AT ALL

    This test is silly. Open a command prompt and run an EXE program? That is a Bull Sh!t test. Of course if you had direct access you could trash anyone's computer on any operating system. What's next - pressing the delete key causes files to be deleted - oh no!
    Sean Foley
    • Are you serious?

      I do hope you're trolling - for your own sake.
      Zogg
    • Read the linked White paper

      They used a security bug in IE (of all apps), to remotely take over a computer, with the latest (at the time of said paper) version of EMET. But wave those "Spirit balls" (Pom-Poms), and shout "Microsoft is perfect, and Death to those that insult Microsoft, or the Prophet Ballmer."
      I hate trolls also
      • Where's the edit feature?

        Honestly between Auto correct, and no edit function.

        They used a security bug in IE (of all apps), to remotely take over a computer, with the latest (at the time of said paper) version of EMET. But wave those "Spirit balls" (Pom-Poms), and shout "Microsoft is perfect, and Death to those that insult Microsoft, or the Prophet Ballmer."
        I hate trolls also
  • Is this really a surprise?

    Pretty much all the supposed enhanced security features that Microsoft touted for Windows 7, like ASLR and DEP, have been defeated, so why should EMET be any different?
    JustCallMeBC
    • DEP can be defeated because it allows programs to "opt out".

      The obvious solution is therefore to remove that "opt out":

      bcdedit.exe /set {current} nx AlwaysOn

      And then reboot.
      Zogg
  • We, the herd....

    So, what do we, the herd, do now? We're not researchers, we're not malware writers, we are users. We run programs and read emails and explore sites. So, what do you want us to do differently other than turn it all OFF.
    trm1945
    • Well...

      ... we could do worse than spend some time gazing at Charlie's pic I guess... just sayin' :)
      btone-c5d11