Attack code bypasses Microsoft zero-day protection software

Researchers have demonstrated methods to bypass EMET, suggesting that cybercriminals can do the same.
Written by Charlie Osborne, Contributing Writer

Researchers say they have developed malicious code which is able to bypass Microsoft's zero-day protection software, EMET.

The Enhanced Mitigation Experience Toolkit (EMET) is free software developed by the Redmond giant, designed to protect user and enterprise systems from a number of vulnerabilities and exploits. It offers standard, basic protection: certainly not perfect, but no software is, and good enough against a number of older attacks and flaws.

However, exploit code developed by researchers at Bromium Labs (.pdf) circumvents a number of the protections available within EMET, which means that hackers could do the same in order to install malware or other malicious code onto an unsuspecting user's computer.

[Image: Credit: Bromium Labs]

A whitepaper published by the security firm on Monday night details the exploit. The proof-of-concept exploit code, shared with Microsoft before being made public, shows that there are limitations to the free software and includes real-world examples where damage control functions, triggered after the detection of malicious code, were fully bypassed.

While the researchers say that EMET excels at stopping pre-existing memory corruption attacks and techniques that use return oriented programming (ROP), a technique many types of malware currently rely on, it is best suited to older platforms such as Windows XP, since Windows 8.1 already includes a number of the protections found in EMET on its own.

According to Ars Technica, which viewed the presentation of the research at the BSides SF 2014 security conference in San Francisco, the researchers claimed that every protection EMET offered was torn apart, including stack pivot protection, export address table access filtering and the blocking of ROP.

In a blog post, Bromium researchers said:

"The impact of this study shows that technologies that operate on the same plane of execution as potentially malicious code offer little lasting protection. This is true of EMET and other similar userland protections. That’s because a defense that is running in the same space as potentially malicious code can typically be bypassed, since there's no 'higher' ground advantage as there would be from a kernel or hypervisor protection.

We hope this study helps the broader community understand the facts when making a decision about which protections to use."

While the software can be bypassed, as a free solution for end users it is still sometimes worth using. Within the paper, the security team writes:

"As was seen in our research, deploying EMET does mean attackers have to work a little bit harder; payloads need to be customized, and EMET bypass research needs to be conducted. Thus, EMET is good for the price (free), but it can be bypassed by determined attackers. Microsoft freely admits that it is not a perfect protection, and comments from Microsoft speakers at conference talks admit that as well.

The objective of EMET is not perfection, but to raise the cost of exploitation. So the question really is not can EMET be bypassed. Rather, does EMET sufficiently raise the cost of exploitation?

The answer to that is likely dependent upon the value of the data being protected. For organizations with data of significant value, we submit that EMET does not sufficiently stop customized exploits."

The current version of EMET, 4.1, is due for replacement by EMET 5 this year.
