Bromium Labs says it bypassed protections in Microsoft's EMET

Feb 25, 2014 by Nancy Owano

Good news: Microsoft's Enhanced Mitigation Experience Toolkit (EMET) is, as its title suggests, an anti-exploit tool, a free download provided by Microsoft to enhance the security of an endpoint PC. The news from Bromium Labs: its research team bypassed all of EMET's protections.

Bromium studied EMET 4.0 and 4.1. The Cupertino, California-based security company presented its findings Monday in the Bromium Labs blog and in a technical whitepaper, "Bypassing EMET 4.1." In deciding to take up EMET, Jared DeMott, security researcher and author of the paper, noted how good EMET was at stopping pre-existing memory corruption attacks, a type of exploit, but "we wondered: is it possible for a slightly more technical attacker to bypass the protections offered in EMET?"

They found ways to bypass all EMET protections. They said they used a typical modern computer, and focused on "32-bit userland processes running on 64-bit Windows 7." They said they successfully bypassed EMET's protections in example code and with a real-world browser exploit. A conclusion that the tool would not be effective against determined attackers needs to place an accent on the word determined. DeMott wrote in the paper that, "as seen in our research, deploying EMET does mean attackers have to work a little bit harder; payloads need to be customized, and EMET bypass research needs to be conducted." In gaining perspective, DeMott added, "The question really is not can EMET be bypassed. Rather, does EMET sufficiently raise the cost of exploitation? The answer to that is likely dependent upon the value of the data being protected."

According to DeMott, the whitepaper was provided to Microsoft before the research findings were discussed publicly. Meanwhile, Microsoft on Tuesday announced its EMET 5.0 Technical Preview and made it available for download. The announcement from the "EMET team" said, "Today, we are thrilled to announce a preview release of the next version of the Enhanced Mitigation Experience Toolkit, better known as EMET." The Technical Preview, said Microsoft, introduces new features and enhancements expected to be components of the final EMET 5.0 release.

"We are releasing this technical preview to gather customer feedback about the new features and enhancements. Your feedback will affect the final EMET 5.0 technical implementation." The new features are Attack Surface Reduction (ASR) and Export Address Table Filtering Plus (EAF+).

Microsoft included Bromium Labs in its acknowledgments. "We'd like to thank Spencer J. McIntyre from SecureState, Jared DeMott from Bromium Labs, along with Peleus Uhley and Ashutosh Mehra from the Adobe Security team for their collaboration on the EMET 5.0 Technical Preview."

More information: bromiumlabs.files.wordpress.co… passing-emet-4-1.pdf
labs.bromium.com/2014/02/24/bypassing-emet-4-1/
blogs.technet.com/b/srd/archiv… chnical-preview.aspx


User comments : 3

Vviper
5 / 5 (1) Feb 25, 2014
What's next, phys org is going to start reporting on Adobe exploits? You can't have millions of lines of code without error- even if it is a security feature designed not to be bypassed and there just so happens to be an exploit for every feature.
alfie_null
5 / 5 (2) Feb 26, 2014
What's next, phys org is going to start reporting on Adobe exploits?

Uhh - this is technology news. They do report on technology. It's one of the topics in the banner at the top of the page.
You can't have millions of lines of code without error- even if it is a security feature designed not to be bypassed and there just so happens to be an exploit for every feature.

You can't have nuclei full of a gazillion genes without having a few faults. Maybe they should stop reporting on cancer and genetic disease also?
Rimino
Feb 26, 2014
This comment has been removed by a moderator.
kris2lee
5 / 5 (1) Feb 26, 2014
It's always easier to destroy something rather than to develop something new from scratch. It's nice, when the scientists break the protection of commercial software and announce the public instruction for hackers how to do it - but to develop such a protection by itself is apparently task of different level.


If protection did not work, then there was not protection, only illusion of protection.

When scientists do not try to break this and report the findings to the public, somebody else will do this and keep the findings for themselves to exploit.

When the problems with the software are known, then it would be possible to fix it or stop using said software.