Security

WoW! Want to beat Microsoft's Windows security defenses? Poke some 32-bit software

Compatibility tool 'hampers EMET anti-malware protections'

Two chaps claim to have discovered how to trivially circumvent Microsoft's Enhanced Mitigation Experience Toolkit (EMET) using Redmond's own compatibility tools.

A report [PDF] by the duo at Duo Security describes how the Windows on Windows (WoW64) environment can be abused to bypass builtin security tools.

WoW64 allows 32-bit applications to run on 64-bit Windows installations. At its core, it works by trapping system calls made by code running in 32-bit mode, and jumping to 64-bit long mode before letting Windows handle the call. By taking advantage of the mode changes, we're told, it is possible to smuggle malicious code past EMET's barriers, which ordinarily do a good job of blocking vulnerability exploits.

Of course, to pull this off, one must find and exploit a security hole in a piece of 32-bit software that's running on a 64-bit system using WoW64.

Duo's Darren Kemp and Mikhail Davidov reckon a ton of 32-bit web browsers run in WoW64 mode on Windows PCs, though.

"Based on a sample of one week’s worth of browser authentication data for unique Windows systems, we found that 80 per cent of browsers were 32-bit processes executing on a 64-bit host system (running under WoW64), 16 per cent were 32-bit processes executing on 32-bit hosts, while the remaining 4 per cent were true 64-bit processes," their report reads.

"As you can see, based on this data, WoW64 is the most popular execution environment for Windows browsers," Kemp added in a blog post on Monday.

"While much of public vulnerability research focuses on pure 32-bit app exploitation, the fact is, a significant portion of 32-bit software is now running on 64-bit operating systems."

According to Kemp and Davidov, far calls using either x86 segment 0x23 or 0x33 can be used to begin skirting EMET's defenses, ultimately leading to the infiltration of a target system. The pair say they were able to "modify an existing use-after-free Adobe Flash exploit" to bypass EMET and execute arbitrary malicious code.

Kemp said a definitive fix for the WoW64 flaw could be some time off, as patching the condition would be difficult.

"It appears that due to these limitations, enhancing EMET to overcome them is likely a non-trivial effort," the pair noted in their report.

The researchers suggested that companies could mitigate some of the risk by encouraging the use of native 64-bit applications that, in addition to being protected from the WoW64 attack, also have additional security guards in place on Windows.

They also suggested that, even with its limitations, EMET remains a valuable security tool for Windows and should still be used.

"This paper is not meant to undermine the importance of having EMET deployed within an organization, but to highlight shortcomings within the current implementation," Kemp said. "We are providing this information in the interest of helping defenders deploy EMET with the most effective strategies in mind." ®

Sponsored: The world has changed, has your IAM strategy?