Bromium Labs says it bypassed protections in Microsoft's EMET

February 25, 2014, by Nancy Owano

Good news: Microsoft's Enhanced Mitigation Experience Toolkit (EMET) is, as its title suggests, an anti-exploit tool, a free download that Microsoft provides to enhance the security of an endpoint PC. Bromium Labs news: its research team bypassed all of EMET's protections.

Bromium studied EMET 4.0 and 4.1. The Cupertino, California-based security company presented its findings Monday in the Bromium Labs blog and in a technical whitepaper, "Bypassing EMET 4.1." In deciding to take up EMET, Jared DeMott, security researcher and author of the paper, noted how good EMET was at stopping pre-existing memory corruption attacks, a type of exploit, but "we wondered: is it possible for a slightly more technical attacker to bypass the protections offered in EMET?"

They found ways to bypass all EMET protections. They said they used a typical modern computer and focused on "32-bit userland processes running on 64-bit Windows 7." They said they successfully bypassed EMET's protections in example code and with a real-world browser exploit. Any conclusion that the tool would not be effective against determined attackers needs to place the accent on the word "determined." DeMott wrote in the paper that, "as seen in our research, deploying EMET does mean attackers have to work a little bit harder; payloads need to be customized, and EMET bypass research needs to be conducted." Putting the findings in perspective, DeMott added, "The question really is not can EMET be bypassed. Rather, does EMET sufficiently raise the cost of exploitation? The answer to that is likely dependent upon the value of the data being protected."

Bromium provided the whitepaper to Microsoft before speaking publicly about the research findings, according to DeMott. Meanwhile, Microsoft on Tuesday announced its EMET 5.0 Technical Preview and offered it for download. The announcement from the "EMET team" said, "Today, we are thrilled to announce a preview release of the next version of the Enhanced Mitigation Experience Toolkit, better known as EMET." The Technical Preview, said Microsoft, introduces new features and enhancements expected to be components of the final EMET 5.0 release.

"We are releasing this technical preview to gather customer feedback about the new features and enhancements. Your feedback will affect the final EMET 5.0 technical implementation." The new features are Attack Surface Reduction (ASR) and Export Address Table Filtering Plus (EAF+).

Microsoft included Bromium Labs in its acknowledgments. "We'd like to thank Spencer J. McIntyre from SecureState, Jared DeMott from Bromium Labs, along with Peleus Uhley and Ashutosh Mehra from the Adobe Security team for their collaboration on the EMET 5.0 Technical Preview."


5 / 5 (1) Feb 25, 2014
What's next, phys org is going to start reporting on Adobe exploits? You can't have millions of lines of code without error- even if it is a security feature designed not to be bypassed and there just so happens to be an exploit for every feature.
5 / 5 (2) Feb 26, 2014
"What's next, phys org is going to start reporting on Adobe exploits?"

Uhh - this is technology news. They do report on technology. It's one of the topics in the banner at the top of the page.
"You can't have millions of lines of code without error- even if it is a security feature designed not to be bypassed and there just so happens to be an exploit for every feature."

You can't have nuclei full of a gazillion genes without having a few faults. Maybe they should stop reporting on cancer and genetic disease also?
5 / 5 (1) Feb 26, 2014
It's always easier to destroy something rather than to develop something new from scratch. It's nice, when the scientists break the protection of commercial software and announce the public instruction for hackers how to do it - but to develop such a protection by itself is apparently task of different level.

If protection did not work, then there was not protection, only illusion of protection.

When scientists do not try to break this and report the findings to the public, somebody else will do this and keep the findings for themselves to exploit.

When the problems with the software are known, then it would be possible to fix it or stop using said software.
