Microsoft defence tool bypassed

Microsoft's lauded exploit security tool has been completely bypassed, opening avenues for hackers to compromise Windows machines.

The Enhanced Mitigation Experience Toolkit (EMET) introduced defences that made development of zero day exploits against older Windows platforms more difficult.

Research by Bromium Labs has demonstrated in a proof-of-concept exploit how EMET's safeguards such as stack pivot protection, return-oriented programming (ROP) defence and export address table access filtering can be defeated.

These tactics could be used by targeted, talented and dedicated attackers to target vulnerabilities in third party applications.

It createa far more of a thorn for Microsoft than typical application vulnerabilities that cab be patched, because the weaknesses pertained to the fact that EMET and many other user security defences operated in the same space as malicious code. 

" ... [It] can typically be bypassed since there's no 'higher' ground advantage as there would be from a kernel or hypervisor protection," security researcher Jared DeMott wrote in a post.

"... we found ways to bypass all of the protections in EMET."

DeMott said in a research paper each EMET rule checked for a certain behaviour indicative of attacks. If hackers could use behaviours that EMET didn't recognise to break into systems, the tool could be bypassed.

DeMott and his team demonstrated the bypass with an 18 month old bug (CVE-2012-4969) in Internet Explorer that was packaged into the Metasploit penetration testing toolkit. While the latest version (4.1) of EMET blocked the hack via a stack pivot check, the researcher found all 12 protections could be bypassed using his new methods.

Facets of older versions of EMET had been previously bypassed, most recently with researcher Aaron Portnoy bypassing parts of version 4.0 at Nordic Security Conference last year.

DeMott's research, revealed at BSides during RSA San Francisco, was the first to slip past every part of EMET running on a 32-bit version of Windows 7.

Users shouldn't uninstall EMET, however. Microsoft points out that the platform still elevates the defensive complexities of Windows platforms such as XP, Vista and 7 (most of its security measures were built into 8), which means most lower-level threats would be repelled.

DeMott noted that use of ROP techniques has been "rampant" of late by hackers aiming to bypass defences such as address space layout randomisation and data execution prevention. Most zero-day malware found in the past 12 months used ROP techniques, he wrote.

"We hope this study helps the broader community understand the facts when making a decision about which protections to use," he said.

Hackers will in March attempt to gain root on 64-bit Windows 8.1 boxes running EMET 4.1 and Internet Explorer 11 in the hope of scoring the $150,000 prize on offer in the annual Pwn2Own contest in Canada.