The Channel logo


By | Darren Pauli 24th February 2016 07:38

Hackers use Microsoft security tool to pwn Microsoft security tool

EMET knocks out EMET. And the winner is ... nobody. Except Linux advocates

FireEye security wonks Abdulellah Alsaheel and Raghav Pande have twisted the barrels of Microsoft's lauded EMET Windows defense gun 180 degrees and fired.

Or in other words, they've found a way to disable Redmond's Enhanced Mitigation Experience Toolkit using the Enhanced Mitigation Experience Toolkit. EMET injects anti-malware defenses into applications and traps suspicious behaviors.

Windows 10 has much of EMET's technology baked in save for some newly added features in the latest version 5.5 – which is available now and patched to removed the weaknesses found by Alsaheel and Pande.

The duo say their research targets an area of EMET code that switches off EMET. Once a hacker has code execution inside an application, he or she can call a function within EMET to disable EMET. It's as simple as that.

"The code systematically disables EMET’s protections and returns the program to its previously unprotected state," the pair says.

"One simply needs to locate and call this function to completely disable EMET. Jumping to this function results in subsequent calls, which remove EMET’s installed hooks."

Various historical EMET bypasses have focused on exploiting missing features and implementation flaws to defeat the protection mechanism.

By contrast, Alsaheel's and Pande's hack turns off EMET's protections, all while fitting into a short basic return-oriented programming chain.

"This new technique uses EMET to unload EMET protections," they say. "It is reliable and significantly easier than any previously published EMET disabling or bypassing technique." ®

comment icon Read 20 comments on this article or post a comment alert Send corrections


Frank Jennings

What do you do? Use manual typwriters or live in a Scottish croft? Our man advises
A rusty petrol pump at an abandoned gas station. Pic by Silvia B. Jakiello via shutterstock

Trevor Pott

Among other things, Active Directory needs an overhaul
Baby looks taken aback/shocked/affronted. Photo by Shutterstock

Kat Hall

Plans for 2 million FTTP connections in next four years 'not enough'
Microsoft CEO Satya Nadella


League of gentlemen poster - Tubbs and Edward at the local shop. Copyright BBC
One reselling man tells his tale of woe