FireEye security wonks Abdulellah Alsaheel and Raghav Pande have twisted the barrels of Microsoft's lauded EMET Windows defense gun 180 degrees and fired.
Or in other words, they've found a way to disable Redmond's Enhanced Mitigation Experience Toolkit using the Enhanced Mitigation Experience Toolkit. EMET injects anti-malware defenses into applications and traps suspicious behaviors.
More ReadingMcAfee gaffe a quick AV kill for enterprising staffChrome 49 goes live as Google pays bug mercs $51k to patch 26 holesCisco stitches default root creds for switchesRumor: IBM gobbles Bruce Schneier, Resilient for $100mCanberra passes USO review to Productivity Commission, tells the economists to hasten slowly
Windows 10 has much of EMET's technology baked in save for some newly added features in the latest version 5.5 – which is available now and patched to removed the weaknesses found by Alsaheel and Pande.
The duo say their research targets an area of EMET code that switches off EMET. Once a hacker has code execution inside an application, he or she can call a function within EMET to disable EMET. It's as simple as that.
"The code systematically disables EMET’s protections and returns the program to its previously unprotected state," the pair says.
"One simply needs to locate and call this function to completely disable EMET. Jumping to this function results in subsequent calls, which remove EMET’s installed hooks."
By contrast, Alsaheel's and Pande's hack turns off EMET's protections, all while fitting into a short basic return-oriented programming chain.
"This new technique uses EMET to unload EMET protections," they say. "It is reliable and significantly easier than any previously published EMET disabling or bypassing technique." ®