Attackers can turn Microsoft’s exploit defense tool EMET against itself

Hackers can easily disable the Microsoft Enhanced Mitigation Experience Toolkit (EMET), a free tool used by companies to strengthen their Windows computers and applications against publicly known and unknown software exploits.

Researchers from security vendor FireEye have found a method through which exploits can unload EMET-enforced protections by leveraging a legitimate function in the tool itself.

Microsoft patched the issue in EMET 5.5, which was released on Feb. 2. However, it’s likely that many users haven’t upgraded yet, because the new version mainly adds compatibility with Windows 10 and doesn’t bring any new significant mitigations.

First released in 2009, EMET can enforce modern exploit mitigation mechanisms like Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR) or Export Address Table Access Filtering (EAF) to applications, especially legacy ones, that were built without them. This makes it much harder for attackers to exploit vulnerabilities in those applications in order to compromise computers.

Security researchers have found various ways to bypass particular EMET-enforced mitigations over the years, but they were primarily the result of design and implementation errors, like some modules or APIs being left unprotected. Methods to disable EMET protections completely have also been reported in the past, but they were not always straight-forward and required significant effort.

The FireEye researchers believe that their new technique, which essentially uses EMET against itself, is more reliable and easier to use than any previously published bypasses. Furthermore, it works against all supported versions of EMET — 5.0, 5.1 and 5.2 — with the exception of EMET 5.5, and also on versions that are no longer supported, like 4.1.

EMET injects some DLLs (Dynamic Link Libraries) into third-party application processes that it’s configured to protect. This allows it to monitor calls from those processes to critical system APIs and to determine if they are legitimate or the result of an exploit.

However, the tool also contains code that is responsible for unloading mitigations in a clean way, returning the protected processes to their initial state without causing malfunctions or crashes. It’s this feature that the FireEye researchers have figured out how to trigger from an exploit.

“One simply needs to locate and call this function to completely disable EMET,” they said in a blog post Tuesday. “In EMET.dll v5.2.0.1, this function is located at offset 0x65813. Jumping to this function results in subsequent calls, which remove EMET’s installed hooks.”

This is a significant new attack vector that’s easier to use than bypassing each of EMET’s individual protections as they were designed, they said.

Since this technique is now public, EMET users should consider upgrading to version 5.5 as soon as possible to avoid future attacks that might adopt it. In addition to Windows 10 compatibility, this new EMET version improves the configuration and management of protections through Group Policy and improves the performance for the EAF and EAF+ mitigations.