Researchers bypass protections in Microsoft's EMET anti-exploitation tool

The tool can't protect against determined attackers with customized exploits, researchers from Bromium claim

By Lucian Constantin, IDG News Service |  Endpoint Security

That version of the utility might also include some of the fixes recommended by the Bromium researchers. However, even if that happens, there's a deeper problem that prevents EMET from being truly effective at stopping exploits -- the fact that it runs from user space and not at the kernel level.

"Many of the weaknesses are generic in nature and unlikely to be sufficiently addressed by userland protection technologies like EMET," the Bromium researchers said in their paper.

"The impact of this study shows that technologies that operate on the same plane of execution as potentially malicious code offer little lasting protection," DeMott said. "This is true of EMET and other similar userland protections. That's because a defense that is running in the same space as potentially malicious code can typically be bypassed, since there's no 'higher' ground advantage as there would be from a kernel or hypervisor protection."

Microsoft acknowledges in EMET's documentation that the tool blocks common exploitation techniques, but does not guarantee that vulnerabilities cannot be exploited. According to the EMET mitigation guidelines, the mitigations in EMET work as additional obstacles that an exploit author would have to defeat in order to exploit vulnerabilities, so the goal of these obstacles is to make exploitation as difficult as possible to perform.

The real question is not whether EMET can be bypassed, but whether it sufficiently raises the cost of exploitation, the Bromium researchers said in their paper. "The answer to that is likely dependent upon the value of the data being protected. For organizations with data of significant value, we submit that EMET does not sufficiently stop customized exploits."
