Researchers have discovered a vulnerability in Microsoft's EMET security tool that can be used against the software to shut itself down.
Microsoft's Enhanced Mitigation Experience Toolkit (EMET) is a free security tool that provides Windows and applications with an extra layer of security. It is designed to make it difficult for hackers to attack both known and unknown vulnerabilities in the operating system, installed programs or plug-ins.
But FireEye discovered a flaw in the technology that allows it to be used against itself, leaving systems vulnerable.
EMET can be used to inject emet.dll or emet64.dll (depending upon the architecture) into every protected process, which installs Windows API hooks (exported functions by DLLs such as kernel32.dll, ntdll.dll, and kernelbase.dll).
These hooks provide EMET the ability to analyse any code calls in critical APIs and determine if they are legitimate. If code is deemed to be legitimate, EMET hooking code jumps back into the requested API. Otherwise it triggers an exception, according to FireEye.
But the problem lies in a portion of code within EMET that is responsible for unloading the product. The code systematically disables EMET's protections and returns the program to its previously unprotected state.
“One simply needs to locate and call this function to completely disable EMET. In EMET.dll v220.127.116.11, this function is located at offset 0x65813. Jumping to this function results in subsequent calls, which remove EMET's installed hooks,” said researchers Abdulellah Alsaheel and Raghav Pande in a blog post.
They said the feature exists because emet.dll contains code for cleanly exiting from a process. Conveniently, it is reachable from DllMain.
"This new technique uses EMET to unload EMET protections," they said. "It is reliable and significantly easier than any previously published EMET disabling or bypassing technique."
“If an attacker can bypass EMET with significantly less work, then it defeats EMET's purpose of increasing the cost of exploit development.”
Microsoft has since issued a patch to address this issue in EMET 5.5.