Testers Bypass Every Barrier in Microsoft’s EMET

Microsoft’s EMET turns out to be a better deterrent.

A Microsoft application designed to counter the threat of unseen flaws in Windows security turns out to have a potentially fatal flaw of its own.

Microsoft’s Enhanced mitigation Experience Toolket (EMET), which is supposed to stop malware it can’t see by making it impossible for malicious functions to succeed, doesn’t always stop those attacks. When it does stop them, it acts in ways that are predictable enough that malware writers are able to change their attacks enough to succeed anyway, according to Rahul Kashyap, chief security architect at Bromium, quoted in a story in the Threatpost from Kaspersky Security.

“We analyzed all of the protections, and took an IE exploit and then we kept on tweaking the exploit payload until we were able to bypass all the mitigations available in EMET,” Kashyap said. “Everything is bypassed in its latest version.”

EMET was designed to stop zero-day exploits, or attacks based on security flaws discovered by attackers that Microsoft doesn’t know about or hadn’t yet patched.

It has been very effective over many versions and in many ways, Kashyap said, not least of which is forcing malware writers to use more sophisticated attacks to be effective. The latest version of EMET, however, version 4.1, is simply not as effective as previous versions, or is showing signs of age by being too rigid in approach to counter unknown threats. “Each EMET rule is a check for a certain behavior,” according to the conclusion of Bromium security researcher Jared DeMott, in a white paper posted Feb. 24. “If alternate behaviors can achieve the attacker objectives, bypasses are possible.”

EMET works – when it does – using techniques that boil down to the consistent enforcement of enforcing best-practice guidelines for software behavior – checking the validity of an application’s security certificates, preventing them from launching or hijacking drivers or software modules already launched by the OS, or by keeping them from claiming specific chunks of memory to keep malware writers from knowing where and with what resources their apps will be able to launch. If applications could bypass or ignore EMET’s requirements, one of Microsoft’s most-effective countermeasures would lose its place as a cop keeping order in an unruly crowd, and turn into just another bystander watching troublemakers start a riot or steal things off the walls.

The Bromium team started by testing EMET’s ability to stop return-oriented programming (ROP) techniques – testing a countermeasure that won its author second prize in Microsoft’s BlueHat Prize countermeasure-programming competition. It didn’t stop test apps from ROPing all they wanted. Other ROP countermeasures also failed, either immediately or after the exploit was modified. All the other countermeasures got the same treatment, with the same result – LoadLibrary, MemProt, Caller, SimExecFlow, StackPivot.

In each case, when EMET was able to stop the attack, the Bromium researchers were able to modify the exploit to succeed anyway. “The impact of this study shows that technologies that operate on the same plane of execution as potentially malicious code, offer little lasting protection,” DeMott wrote. That doesn’t mean EMET is worthless, he continued. It does require attackers to work harder, modify their payloads and put more effort into an attack, which could persuade many to try easier targets.

Many malicious apps – including the BlackPOS used to create the Target data breach that claimed 40 million payment card accounts – include logic that checks for EMET controls and gives up if they’re present. “EMET is good for the price (free),” DeMott wrote. “Microsoft freely admits that [EMET] is not perfect protection… The objective of EMET is to raise the cost of exploitation. So the question really is not ‘can EMET be bypassed?’ Rather, ‘Does EMET sufficiently raise the cost of exploitation?’

“The answer to that is likely dependent upon the value of the data being protected,” DeMott’s report concludes. “For organizations with data of significant value, we submit that EMET does not sufficiently stop customized exploits.”


Image: Shutterstock.com/Maksim Kabakou