
Researchers Disarm Microsoft's EMET

Posted by timothy
from the slipping-through dept.
wiredmikey (1824622) writes "Security researchers have found a way to disable the protection systems provided by the latest version of Microsoft's Enhanced Mitigation Experience Toolkit (EMET), a software tool designed to prevent vulnerabilities from being exploited by using various mitigation technologies. Others have managed to bypass EMET in the past, but researchers from Offensive Security have focused on disarming EMET, rather than on bypassing mitigations, as this method gives an attacker the ability to use generic shellcodes such as the ones generated by Metasploit. The researchers managed to disarm EMET and get a shell after finding a global variable in the .data section of the EMET.dll file. Initially, they only managed to get a shell by executing the exploit with a debugger attached, due to EMET's EAF checks. However, they've succeeded in getting a shell outside the debugger after disarming EAF with a method described by security researcher Piotr Bania in January 2012. The researchers tested their findings on Windows 7, Internet Explorer 8 and EMET 4.1 update 1."
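The summary's key point is that the mitigation's on/off state lived in an ordinary writable global in the .data section of the loaded module, so a single write primitive could switch the protection off before generic shellcode ran. The added example below (written for this page; it is not code from Offensive Security, Microsoft, or EMET) shows the defensive counterpart on Linux: a hypothetical mitigation-control block is placed on its own page, initialised, and then sealed read-only with mprotect, after which a simulated write to the flag faults instead of silently succeeding. The struct, field and function names are invented for the illustration.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical mitigation-control block (constructed for this example).
 * In the design criticised on the page such a block lives in writable .data;
 * here it gets its own page so that it can be sealed after initialisation. */
struct mitigation_config {
    uint32_t eaf_enabled;
    uint32_t dep_enabled;
};

static struct mitigation_config *g_cfg = NULL;

static size_t page_size(void) { return (size_t)sysconf(_SC_PAGESIZE); }

/* Map a fresh page (writable for now) and initialise the flags. */
int config_init(void) {
    void *p = mmap(NULL, page_size(), PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    g_cfg = p;
    g_cfg->eaf_enabled = 1;
    g_cfg->dep_enabled = 1;
    return 0;
}

/* Seal: drop write permission so a later memory-corruption bug cannot
 * flip the flags. Returns 0 on success, -1 on failure. */
int config_seal(void) {
    if (!g_cfg) return -1;
    return mprotect(g_cfg, page_size(), PROT_READ);
}

/* Fault trap used to turn "write blocked by the MMU" into a return value. */
static sigjmp_buf fault_env;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_env, 1); }

/* Simulate a write primitive that targets the flag.
 * Returns 1 if the write was blocked (page read-only), 0 if it went through. */
int attempt_disable_eaf(void) {
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);   /* some platforms report it as SIGBUS */
    int blocked;
    if (sigsetjmp(fault_env, 1) == 0) {
        volatile uint32_t *flag = &g_cfg->eaf_enabled;
        *flag = 0;       /* the "disarm" write */
        blocked = 0;
    } else {
        blocked = 1;     /* landed here via the fault handler */
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return blocked;
}

uint32_t config_eaf_enabled(void) { return g_cfg ? g_cfg->eaf_enabled : 0; }

int main(void) {
    if (config_init() != 0) return 1;
    printf("unsealed: write blocked=%d, eaf=%u\n",
           attempt_disable_eaf(), config_eaf_enabled());
    if (config_init() != 0) return 1;      /* fresh page for the second run */
    if (config_seal() != 0) return 1;
    printf("sealed:   write blocked=%d, eaf=%u\n",
           attempt_disable_eaf(), config_eaf_enabled());
    return 0;
}
```

The sealing step is the whole point: once the page is read-only, the state can only be changed by code that first calls mprotect again, which is a far narrower target than any stray write. It does not replace the other checks a mitigation framework needs, but it removes the "one global write disables everything" failure mode the summary describes.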
  • Here in Brazil Emet is a bitter medicine that stops you from throwing up.
    Researchers Disarm Microsoft's EMET: that did scare me a lot!
  • >managed to disarm EMET and get a shell after finding a global variable in the .data section

    What is wrong with storing variables in the data section? Isn't that where you're supposed to keep data?

    • by zlives (2009072)

      also someone running 4.1 of EMET... probably isn't running IE8; wonder why they used IE8.

      • Perhaps because IE8 is the browser that comes with Windows 7?

        • by zlives (2009072)

          umm by that logic they wouldn't need to worry about bypassing emet... since it doesn't come with win7

          • They were not testing IE8. They were testing EMET. They used IE8 as the entry point because it has a known vulnerability that EMET is supposed to mitigate.
            They could probably use any software with an exploit that enables remote code execution.

      • Yeah, I wondered about that, too.

        Seriously? IE8?

        I had to dump IE8, 9 and 10 at work because some sites objected.

        I had banks and e-file systems people tell me to just get Firefox, please.

  • by kruach aum (1934852) on Thursday July 03, 2014 @04:02PM (#47379283)

    Torah joke.

  • by Kaenneth (82978) on Thursday July 03, 2014 @05:51PM (#47380007) Homepage Journal

    If you are able to arbitrarily modify system .DLLs, aren't you already in the system?

    Sounds an awful lot like today's Old New Thing post: http://blogs.msdn.com/b/oldnew... [msdn.com]

    • by Kaenneth (82978)

      OK, replying to myself, after doing more reading.

      I guess the software under attack is designed to stop limited exploits from becoming big ones, and it's referring to the image of the .DLL in its loaded-into-memory state, not on disk.

      I'd describe it as like knowing how to use a coathanger to unlock a car door.

  • All these abbreviations are technically like humanitarian sciences. Far, far away from the CPU's instruction execution.
