
Complete Microsoft EMET Bypass Developed

Posted by Unknown Lamer
from the just-a-teeny-tiny-bug dept.
msm1267 writes "Researchers at Bromium Labs are expected to announce today they have developed an exploit that bypasses all of the mitigations in Microsoft's Enhanced Mitigation Experience Toolkit (EMET). Principal security researcher Jared DeMott delivered a presentation at the Security BSides conference explaining how the company's researchers were able to bypass all of the memory protections offered within the free Windows toolkit. The work is significant given that Microsoft has been quick to urge customers to install and run EMET as a temporary mitigation against zero-day exploits targeting memory vulnerabilities in Windows or Internet Explorer. The exploit bypasses all of EMET's mitigations, unlike previous bypasses that were able to beat only certain aspects of the tool. Researchers took a real-world IE exploit and tweaked it until they had a complete bypass of EMET's ROP, heap spray, SEHOP, ASLR, and DEP mitigations."
  • Beta is a PAIN! (Score:1, Informative)

    by Anonymous Coward on Monday February 24, 2014 @11:19PM (#46330945)

    Pre beta I can read the complete (in most cases) text without leaving the main page. With Beta I have to queue the (perhaps interesting) readings in tabs and then review them (in order to avoid the back-and-forth). Bad UI, bad UX, bad design. Takes so much longer that I may just quit reading this site.

  • by TapeCutter (624760) on Monday February 24, 2014 @11:59PM (#46331179) Journal

    You can't even get a Windows computer on the net without a virus scanner, it will be exploited before you can apply the latest patches.

    Utter nonsense, when was the last time you installed Windows? - 1998?

  • by Anonymous Coward on Tuesday February 25, 2014 @01:06AM (#46331495)

    I disagree. It is like changing the SSH port.

    It gives the *illusion* of security, which makes people slack. E.g. my SSH password is 123456 but don't worry, it's ok! I changed the SSH port to 1234 so I'm safe.

    I avoid smoke and mirrors security as much as possible.

    More fool you. Smoke and mirrors, despite its negative security connotations, is actually an invaluable security mechanism that is denigrated by those that don't know better. Something as simple as a port change, while providing no real security improvement, does immediately negate a whole heap of script kiddies and automated tools that instantly pop up when a new exploit is discovered. Yes, it offers nothing against a targeted attack, but most attacks are NOT specifically targeted; they hunt for easy victims on known common configurations. Every tool that reduces even the most basic of attacks SHOULD be something you value in your arsenal.

  • by cheater512 (783349) <nick@nickstallman.net> on Tuesday February 25, 2014 @01:40AM (#46331669) Homepage

    Erm, you do know that SSH broadcasts its presence as soon as you connect, right?

    Try "telnet server.com 22" and you'll see how nice and obvious it is that you've found an SSH server.
    You'll get a nice banner like "SSH-2.0-OpenSSH_6.0p1 Debian-3ubuntu1"

    The moment the port scan finds it, they know it is SSH.
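The identification string cheater512 quotes is defined in RFC 4253 section 4.2, and a defender can use the same fact to audit their own fleet: wherever an SSH daemon listens, its first line names the protocol and usually the software version. The parser below is an added example written for this thread, not code from any of the commenters; the endpoints and response bytes in SAMPLE_RESPONSES are constructed, and only the banner text from the comment above is taken from the page. It also handles the RFC's allowance for extra lines sent before the SSH- line, which naive banner checks miss.

```python
"""Parse the SSH protocol identification string (RFC 4253, section 4.2).

Added example for this thread. SAMPLE_RESPONSES below is constructed, not
captured traffic. The point: a server identifies itself as SSH (and usually
names its software version) on whatever port it listens on, so moving the
port hides nothing from anyone who connects.
"""
import re
from dataclasses import dataclass
from typing import Optional

# RFC 4253 4.2: SSH-protoversion-softwareversion SP comments CR LF
# comments are optional; the whole line, CR LF included, is at most 255 bytes.
_IDENT_RE = re.compile(
    rb"^SSH-(?P<proto>[0-9]+\.[0-9]+)-(?P<software>[^\s]+)(?: (?P<comments>[^\r\n]*))?$"
)


@dataclass(frozen=True)
class SshIdent:
    protoversion: str
    softwareversion: str
    comments: Optional[str]


def parse_ssh_ident(line: bytes) -> Optional[SshIdent]:
    """Parse one line (with or without trailing CR LF) as an identification string."""
    line = line.rstrip(b"\r\n")
    if len(line) + 2 > 255:          # over the RFC length limit: not a valid ident line
        return None
    m = _IDENT_RE.match(line)
    if m is None:
        return None
    comments = m.group("comments")
    return SshIdent(
        protoversion=m.group("proto").decode("ascii"),
        softwareversion=m.group("software").decode("ascii", "replace"),
        comments=comments.decode("ascii", "replace") if comments is not None else None,
    )


def find_ssh_ident(data: bytes) -> Optional[SshIdent]:
    """Locate the identification string in the first bytes a server sends.

    RFC 4253 lets a server emit other lines (login notices and the like) before
    the SSH- line, and clients must skip them. Returns None when no SSH- line is
    present, i.e. the service is not SSH.
    """
    for raw in data.split(b"\n"):
        line = raw.rstrip(b"\r")
        if line.startswith(b"SSH-"):
            return parse_ssh_ident(line)
    return None


# Constructed sample responses (hypothetical hosts): the first bytes each
# endpoint returned after connecting. Only the first banner text is from the thread.
SAMPLE_RESPONSES = {
    "host-a:22": b"SSH-2.0-OpenSSH_6.0p1 Debian-3ubuntu1\r\n",
    "host-b:1234": b"Authorized users only.\r\nSSH-2.0-OpenSSH_6.0p1\r\n",  # moved port, notice first
    "host-c:22": b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n",    # not SSH at all
}


def ssh_services(responses):
    """Return {endpoint: softwareversion} for every response that identifies as SSH."""
    found = {}
    for endpoint, data in responses.items():
        ident = find_ssh_ident(data)
        if ident is not None:
            found[endpoint] = ident.softwareversion
    return found


if __name__ == "__main__":
    for endpoint, version in ssh_services(SAMPLE_RESPONSES).items():
        print(f"{endpoint}: SSH ({version})")
```

Run against your own hosts' captured first lines, the output is an inventory of which daemons are exposed and what version each one announces, regardless of port. That is the useful side of the banner: it tells you what to patch, and it is the same reason a non-standard port is a noise filter rather than concealment.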

  • by hweimer (709734) on Tuesday February 25, 2014 @05:40AM (#46332337) Homepage

    As far as I can see, they do not rely on a specific IE vulnerability for inserting the payload, but they rely on a specific (and fixed) Windows vulnerability [mitre.org] to bypass ASLR [wikipedia.org], which is a crucial component of EMET. They claim in a footnote that the "IE flaw could be modified to leak the base address of a DLL in another way", but they do not provide a working exploit that does so.
