Hackers use Microsoft security tool to pwn Microsoft security tool
EMET knocks out EMET. And the winner is ... nobody. Except Linux advocates
FireEye security wonks Abdulellah Alsaheel and Raghav Pande have twisted the barrels of Microsoft's lauded EMET Windows defense gun 180 degrees and fired.
Or in other words, they've found a way to disable Redmond's Enhanced Mitigation Experience Toolkit using the Enhanced Mitigation Experience Toolkit. EMET injects anti-malware defenses into applications and traps suspicious behaviors.
Windows 10 has much of EMET's technology baked in save for some newly added features in the latest version 5.5 – which is available now and patched to removed the weaknesses found by Alsaheel and Pande.
The duo say their research targets an area of EMET code that switches off EMET. Once a hacker has code execution inside an application, he or she can call a function within EMET to disable EMET. It's as simple as that.
"The code systematically disables EMET’s protections and returns the program to its previously unprotected state," the pair says.
"One simply needs to locate and call this function to completely disable EMET. Jumping to this function results in subsequent calls, which remove EMET’s installed hooks."
By contrast, Alsaheel's and Pande's hack turns off EMET's protections, all while fitting into a short basic return-oriented programming chain.
"This new technique uses EMET to unload EMET protections," they say. "It is reliable and significantly easier than any previously published EMET disabling or bypassing technique." ®