Slashdot Mirror
Researchers Disarm Microsoft's EMET
wiredmikey (1824622) writes "Security researchers have found a way to disable the protection systems provided by the latest version of Microsoft's Enhanced Mitigation Experience Toolkit (EMET), a software tool designed to prevent vulnerabilities from being exploited by using various mitigation technologies. Others have managed to bypass EMET in the past, but researchers from Offensive Security have focused on disarming EMET, rather than on bypassing mitigations, as this method gives an attacker the ability use generic shellcodes such as the ones generated by Metasploit. The researchers managed to disarm EMET and get a shell after finding a global variable in the .data section of the EMET.dll file. Initially, they only managed to get a shell by executing the exploit with a debugger attached, due to EMET's EAF checks. However, they've succeeded in getting a shell outside the debugger after disarming EAF with a method described by security researcher Piotr Bania in January 2012. The researchers tested their findings on Windows 7, Internet Explorer 8 and EMET 4.1 update 1."
Here in Brazil Emet is a bitter medicine, that stops you from throwing up.
Researchers Disarm Microsoft's EMET : tha did scare me a lot!
Jose T Oliveira Jr.
There is also the devil's advocate here: Every black hat, criminal organization, and national intel department is focusing on Microsoft's stuff with a passion, because a 0-day that is big enough could mean billions of revenue from extortion, blackmail, or just malicious mischief.
Before Microsoft was the leader, people said the same exact stuff about Sun. They whined that Solaris had too many holes, talked about how slow the fixes came out, and so on.
Microsoft has a lot of bad guys hunting them down every second of every day. Well heeled bad guys.
I'm amazed that they don't get nailed more often with 0-days with all the pressure the bad guys can bring to bear.
Torah joke.
also some one running 4.1 of emet... probably isn't running ie8 wonder why the used ie8.
Well the first step in exploiting IE or other apps on a system in the wild is to bypass EMET. Remember, EMET is a mitigation technology designed to make it harder to exploit a vulnerability in IE, Flash, Acrobat Reader, etc. by adding extra protections. So if you are able to turn EMET off, you can then get back to your normal exploit.
umm by that logic they wouldn't need to worry about bypassing emet... since it doesn't come with win7
If you are able to arbitrarily modify system .DLLs, aren't you already in the system?
Sounds an awful lot like today's Old New Thing post: http://blogs.msdn.com/b/oldnew...
Trying to get Flash to fall under all of EMET's protections is like trying to hit three moving targets. As soon as Flash gets updated, the executables it uses run under different file names and any specific mitigations are then lost. Thankfully, most applications that are easy meat for EMET's good work are a one-off config.
They were not testing IE8. They were testing EMET. They used IE8 as the entry point because it has a known vulnerability that EMET is supposed to mitigate.
They could probably use any software with an exploit that enables remote code execution.
I'm no lawyer but I feel certain that if you manage to get billions out of an exploit the words "malicious mischief" will not appear in the indictment... At the very least I would expect "felonious tomfoolery"!
My God man! There are women and children present! Break out the smelling salts.
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.