The Channel logo


By | Darren Pauli 24th February 2016 07:38

Hackers use Microsoft security tool to pwn Microsoft security tool

EMET knocks out EMET. And the winner is ... nobody. Except Linux advocates

FireEye security wonks Abdulellah Alsaheel and Raghav Pande have twisted the barrels of Microsoft's lauded EMET Windows defense gun 180 degrees and fired.

Or in other words, they've found a way to disable Redmond's Enhanced Mitigation Experience Toolkit using the Enhanced Mitigation Experience Toolkit. EMET injects anti-malware defenses into applications and traps suspicious behaviors.

Windows 10 has much of EMET's technology baked in save for some newly added features in the latest version 5.5 – which is available now and patched to removed the weaknesses found by Alsaheel and Pande.

The duo say their research targets an area of EMET code that switches off EMET. Once a hacker has code execution inside an application, he or she can call a function within EMET to disable EMET. It's as simple as that.

"The code systematically disables EMET’s protections and returns the program to its previously unprotected state," the pair says.

"One simply needs to locate and call this function to completely disable EMET. Jumping to this function results in subsequent calls, which remove EMET’s installed hooks."

Various historical EMET bypasses have focused on exploiting missing features and implementation flaws to defeat the protection mechanism.

By contrast, Alsaheel's and Pande's hack turns off EMET's protections, all while fitting into a short basic return-oriented programming chain.

"This new technique uses EMET to unload EMET protections," they say. "It is reliable and significantly easier than any previously published EMET disabling or bypassing technique." ®

comment icon Read 20 comments on this article or post a comment alert Send corrections


Baby looks taken aback/shocked/affronted. Photo by Shutterstock

Kat Hall

Plans for 2 million FTTP connections in next four years 'not enough'
Microsoft CEO Satya Nadella

Chris Mellor

Thousands of layoffs announced as spinning rust enters its death spiral


Locker room jocks photo via Shutterstock
Best locker-room strategy: Avoid emulating AWS directly
STRASBOURG, JUNE 29, 2016: The seat of the European Parliament. by Marco Aprile for shutterstock. EDITORIAL USE ONLY
Plan b, image via Shutterstock
EU workers, new markets: post-Brexit pressure on May & Co
Tough question, pic via Shutterstock