Slashdot Mirror


Attackers Can Turn Microsoft's Exploit Defense Tool EMET Against Itself (csoonline.com)

itwbennett writes: FireEye researchers have found a way for exploits to trigger a specific function in EMET that disables all protections it enforces for other applications. The researchers believe that their new technique, which essentially uses EMET against itself, is more reliable and easier to use than any previously published bypasses. It works against all supported versions of EMET — 5.0, 5.1 and 5.2 — but Microsoft patched the issue in EMET 5.5, which was released on Feb. 2. So if you haven't upgraded yet, now would be a good time to do it. For more about how the technique works, read FireEye's blog post.

40 comments

  1. The summary should describe EMET. by Anonymous Coward · · Score: 0, Troll

    The summary should say what exactly this EMET thing is. We should never have to google for such info. We tend to use Linux here, so we know what systemd is, but we don't know what EMET is.

  2. Editing? by Anonymous Coward · · Score: 0

    Works in all supported versions of EMET - except for the one that has been out for 22 days.

    Not sure the editors here know what "supported" or "all" means.

  3. Good name by Anonymous Coward · · Score: 1

    For just about everything that comes from Microsoft really is like an emetic.

  4. Monty Pythonesque by Virtucon · · Score: 2

    The tool that prevents hacking has been hacked...

    --
    Harrison's Postulate - "For every action there is an equal and opposite criticism"
    1. Re:Monty Pythonesque by Anonymous Coward · · Score: 0

      Only on an old, unpatched version.

    2. Re:Monty Pythonesque by Ravaldy · · Score: 1

      What other option was there? The anti-hack tool is there to safeguard the apps, the next step is breaking through it, and they figured it out. Luckily there's a fix.

      This is why software maintenance subscriptions make sense, but that doesn't justify their high cost in most cases.

    3. Re:Monty Pythonesque by Anonymous Coward · · Score: 0

      the tool that prevents exploits offers a free exploit!

  5. HUGE patch download! by DoofusOfDeath · · Score: 3, Funny

    For the convenience of Microsoft's customers, the patch for the EMET exploit will also provide a FREE upgrade to Windows 10!

    1. Re:HUGE patch download! by Virtucon · · Score: 3, Funny

      with ask.com as your default home page and chrome as your browser? Win!

      --
      Harrison's Postulate - "For every action there is an equal and opposite criticism"
    2. Re:HUGE patch download! by Anonymous Coward · · Score: 1

      with ask.com as your default home page and chrome as your browser? Win!

      Except with Microsoft, you won't have a choice!

  6. Irrelevant by Anonymous Coward · · Score: 0

    If Microsoft doesn't bundle EMET with Windows, then it's probably not a good security tool. This is a non-story.

  7. WTF, Microsoft? by EndlessNameless · · Score: 5, Insightful

    EMET is a baseline requirement if you are focused at all on security.

    As with any security measure, it can cause issues with applications. Because of this, sane people are conservative in deploying new versions.

    The notes on the EMET 5.5 release and download pages mention this vulnerability nowhere.

    A critical flaw in a security tool is a very important thing to know about. This information should be prominent and obvious.

    I even checked the user guide in case it is buried somewhere, and there is not a hint of security-related bugfixes in there either.

    --
    According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
    1. Re:WTF, Microsoft? by joshki · · Score: 1

      posting to undo accidental moderation.

      --
      I do not read or respond to AC's. If you want a discussion, log in. Otherwise, don't waste your time.
    2. Re:WTF, Microsoft? by Anonymous Coward · · Score: 0

      Exactly. Other posters in this thread seem to think the 5.5 update resolves this, but it doesn't.

      No one that actually cares about security runs vanilla Windows or Linux or Mac anyway.

    3. Re:WTF, Microsoft? by Gr8Apes · · Score: 1, Interesting

      The whack-a-mole game of insecurity with MS goes on....

      Q: How do you secure a windows system?
      A: Install another vendor's OS.

      --
      The cesspool just got a check and balance.
    4. Re: WTF, Microsoft? by Anonymous Coward · · Score: 0

      Can somebody explain what exactly EMET is? The awful summary should have done that, but didn't. We shouldn't have to search for the answer on our own, either.

    5. Re:WTF, Microsoft? by Anonymous Coward · · Score: 1

      The notes on the EMET 5.5 release and download pages mention this vulnerability nowhere.

      It hasn't even been 24 hours since the blog post. I get jumping all over Microsoft for security issues, but I think letting the vendor have a I dunno... A DAY TO LOOK AT THE INFO seems fair.

      Or are you all over Linux security problems with the same zeal? Mint, glibc, etc.?

    6. Re:WTF, Microsoft? by gstoddart · · Score: 2, Insightful

      Because of this, sane people are conservative in deploying new versions.

      Yeah, well, the problem with "new versions" of anything from Microsoft these days is they go to great lengths to not tell you what updates actually contain ... they all just say "this fixes issues with Windows", don't highlight that "well, we're really installing telemetry and other shit to force you to Windows 10". You have to go to great pains to find out what an update actually contains (for instance you can't read anything on their site without being redirected through live.com and other crap).

      Trusting Microsoft to be honest and forthright with what they're doing these days is increasingly more difficult ... so you'll pardon me if them not fessing up to the issue doesn't come as a surprise.

      Microsoft has more or less decided they don't give a crap about consumers, and they're going to do whatever they choose. Hopefully they start to realize just how much they're pissing off users these days.

      --
      Lost at C:>. Found at C.
    7. Re:WTF, Microsoft? by Anonymous Coward · · Score: 0

      I've come to the conclusion that most users are masochists.

    8. Re:WTF, Microsoft? by Anonymous Coward · · Score: 1

      They did backpedal on this and start giving patch notes again.

      http://venturebeat.com/2016/02/09/microsoft-starts-publicly-sharing-windows-10-release-notes/
      http://windows.microsoft.com/en-us/windows-10/update-history-windows-10

    9. Re:WTF, Microsoft? by Anonymous Coward · · Score: 0

      You're so right. Every time I run sudo apt-get update, there are precisely zero patches waiting for me. This is because I use a superior OS that never needs patching. Take that, evil Microsoft !!

    10. Re: WTF, Microsoft? by LeGarcia · · Score: 0
    11. Re:WTF, Microsoft? by Anonymous Coward · · Score: 0

      Because of this, sane people are conservative in deploying new versions.

      Yeah, well, the problem with "new versions" of anything from Microsoft these days is they go to great lengths to not tell you what updates actually contain ... they all just say "this fixes issues with Windows", don't highlight that "well, we're really installing telemetry and other shit to force you to Windows 10". You have to go to great pains to find out what an update actually contains (for instance you can't read anything on their site without being redirected through live.com and other crap).

      Trusting Microsoft to be honest and forthright with what they're doing these days is increasingly more difficult ... so you'll pardon me if them not fessing up to the issue doesn't come as a surprise.

      Microsoft has more or less decided they don't give a crap about consumers, and they're going to do whatever they choose. Hopefully they start to realize just how much they're pissing off users these days.

      I'm hoping that EMET is made by one of the good divisions of Microsoft. There used to be good divisions of Microsoft, like the division that kept Access fairly decent while the rest of Office looked like a testbed for short-sighted ideas. Maybe the team that makes EMET is decent.

      I haven't seen EMET go off due to a Web vulnerability yet. Does it happen? Its primary purpose seems to be to make Internet Explorer load so slowly that nobody would ever want to use it. That, of course, is a Good Thing.

    12. Re:WTF, Microsoft? by Ravaldy · · Score: 1

      You, sir, are fit to work as help desk for the rest of your life. In case you didn't notice yet, one size does not fit all. If you can figure that out, then you have a fighting chance at becoming a good technology advisor, which will open up many doors.

    13. Re:WTF, Microsoft? by Anonymous Coward · · Score: 0

      It's also the linked articles, not merely some slashdotter, that asserted that EMET 5.5 does not have this vulnerability.

      As for it being in the patch notes:

      EMET 5.5 release includes new functionality and updates, including:
        Windows 10 compatibility
        Improved configuration of various mitigations via GPO
        Improved writing of the mitigations to the registry, making it easier to leverage existing tools to manage EMET mitigations via GPO
        EAF/EAF+ perf improvements
        Untrusted font mitigation for Windows 10

      This is explicitly not a comprehensive list, so I am curious where anyone found something to claim that certain fixes were not in the update.

    14. Re:WTF, Microsoft? by Gr8Apes · · Score: 1

      You, sir, are fit to work as help desk for the rest of your life. In case you didn't notice yet, one size does not fit all. If you can figure that out, then you have a fighting chance at becoming a good technology advisor, which will open up many doors.

      You may have just won a space on my journal page with that sanctimonious quote. It took me 10 minutes to recover enough from laughing just to post this reply.

      --
      The cesspool just got a check and balance.
    15. Re:WTF, Microsoft? by Ravaldy · · Score: 1

      Happy I could help.

    16. Re: WTF, Microsoft? by Anonymous Coward · · Score: 0

      How about, a download? (ducks)

    17. Re:WTF, Microsoft? by Anonymous Coward · · Score: 0

      Running a BSD or Linux on your server is a baseline requirement if you are focused at all on security.

      It is impossible to secure a Windows machine other than trying to prevent attacks at the network level using a firewall.

    18. Re:WTF, Microsoft? by Anonymous Coward · · Score: 0

      Because of this, sane people are conservative in deploying new versions.

      Conservative doesn't have to mean slow. All it really means is that deployment is sane in the sense of the Liskov substitution principle and tested to the best of our abilities and resources.

    19. Re:WTF, Microsoft? by Anonymous Coward · · Score: 0

      It can go on the wall of your helpdesk department cube.

    20. Re:WTF, Microsoft? by AHuxley · · Score: 1

      Re "There used to be good divisions of Microsoft": those are the marketing people making sure GPUs, the OS and computer games work.
      Enjoy the computer game OS and consider more secure options for all other computer-related tasks.

      --
      Domestic spying is now "Benign Information Gathering"
  8. All you have to do is delete the first 'E'... by QilessQi · · Score: 1

    ...then "EMET" becomes "MET".

    https://en.wikipedia.org/wiki/...

  9. Re:i ejaculated into my stuffed tiger's anus by Anonymous Coward · · Score: 0

    Shut up, Calvin.

  10. Firefox, Notepad++, Outlook... EMET shuts it down by Anonymous Coward · · Score: 0

    in my company install of EMET 5.2. I uninstalled it, only to find my company would push it down again the next day. Next time I uninstalled it, created a Program Files x86\EMET 5.2 folder and denied the Administrators group access to it. Now I can read work emails again. Unsure if that constitutes a good thing...

  11. Mod parent UP. by Anonymous Coward · · Score: 0

    Some foolish person modded the parent comment down. No one knows everything about technology.

    Article summary: EMET is another example of sloppy coding from Microsoft.

  12. Re:Firefox, Notepad++, Outlook... EMET shuts it do by sexconker · · Score: 1

    Tell them to disable EAF+ for Firefox.
    Not sure about Notepad++.
    EMET kills Outlook when Outlook opens up malicious email. You can either disable EMET for Outlook or you can risk getting #REKT.

  13. Re:Firefox, Notepad++, Outlook... EMET shuts it do by Anonymous Coward · · Score: 0

    The real-time protection system of some anti-virus products is not compatible with EAF mitigation with any software. Use any compatibility settings of the real-time protection of the anti-virus package, or request the disabling of the EMET EAF setting for all software from the company policy.