Researchers announce they have bypassed Microsoft's EMET

Researchers at the security firm Bromium Labs have bypassed Microsoft's Enhanced Mitigation Experience Toolkit (EMET), which means attackers could also learn how to circumvent the tool's protections when trying to install malware.

EMET is meant to stop exploits from succeeding on Windows PCs, including attacks on flaws that Microsoft has not yet patched, by adding exploit mitigations to the applications it is configured to protect. However, Bromium Labs' report says its researchers were able to bypass every protection Microsoft built into EMET 4.1, the most recent release of the tool.

The researchers say that before making their findings public they informed Microsoft of their EMET discoveries, along with recommendations on how to fix at least some of the weaknesses. The group added, "They’ve even offered to recognize us in the next (5.0) release of EMET. Thx!"

Ironically, HP has set up a $150,000 prize at its annual Pwn2Own hacking contest, to be held in mid-March, for anyone who can gain SYSTEM-level code execution on a Windows 8.1 machine through IE11 with EMET's protections in place. We contacted Bromium Labs via Twitter to ask whether they plan to enter the contest and claim the prize, and got this response:

Update: Microsoft has released a technical preview version of EMET 5.0 today.

Source: Bromium Labs via Ars Technica | Images via Microsoft and Bromium Labs

17 Comments


I had to remove EMET as it caused some weird stuff going on in my browser once it was on.
The first tab would be fine, then any other tab opening an HTTPS connection would just hang, so I could get to, say, Facebook on Tab 1 but not on any other tabs.

I could even get to my BANK'S secure page, then I would have to kill the browser for it to start working again.

I didn't really spend any time unticking the different checkboxes. Even an uninstall didn't really get the PC back to working order, and I ended up doing a system restore.

I may check out v5 when it's out, but for now I'm not very impressed by 4.1.

Sounds more like installing EMET broke all those viruses hiding in your browser. I guess, though, as long as you don't notice the keylogger stealing the password to your bank account.

What, so even Windows Update is a virus then? Or System Restore...

Pretty much, EMET was the issue, and I'm sure, per some of the examples that had certain checkboxes unchecked, that this would be the case for the browser I was using.

It even says some options need to be unchecked for that app to work.

kazgor said,
What, so even Windows Update is a virus then? Or System Restore...

Pretty much, EMET was the issue, and I'm sure, per some of the examples that had certain checkboxes unchecked, that this would be the case for the browser I was using.

It even says some options need to be unchecked for that app to work.

So you didn't follow the instructions and that is EMET's fault? LOL.

xankazo said,
So, I have to install this? Why doesn't Microsoft ship it by default?

Because some protections provided by EMET make incompatible applications crash, including some popular browser plugins.

Some of the protections included in EMET may become part of future versions of Windows and IE, if the number of incompatible browser plugins and applications is not too high.

It's a great thing that MS provides these protections in EMET, because any system administrator or home user can benefit from them immediately, rather than having to wait years for a newer version of Windows or IE.

For those who still don't know what EMET is exactly, I wrote a little article a few days ago explaining how it can easily improve your computer's security, even if you don't use IE:

http://www.julien-manici.com/b...et-Explorer-Firefox-Chrome/

The bypass discussed here doesn't change anything about the merits of EMET. It's not meant to provide perfect security; it's meant to make 0-days very hard to exploit (and less likely to be exploited).

So go ahead and download EMET 4.1 (or, if you're willing to take some risks, try the EMET 5 beta).

Even if you stay on EMET 4.1, there is a setting called "deep hooks" that is disabled by default and, if enabled, should prevent that bypass from working.

(On EMET 5, "deep hooks" is enabled by default.)

Thanks! Is it just as useful on a fully patched Win7/8 machine? How resource intensive is it? Do you have an article about suggested settings for Windows and popular apps/plugins, or are the defaults sufficient?

Romero said,
Thanks! Is it just as useful on a fully patched Win7/8 machine?

Yes, EMET is designed to help prevent future 0-day flaws from being exploited on a fully patched machine.

If you never apply security updates to your machine, EMET doesn't provide any magical protection.


How resource intensive is it?

EMET doesn't work like an antivirus, so it won't slow down disk access.

EMET has no visible impact on performance.



Do you have an article about suggested settings for Windows and popular apps/plugins, or are the defaults sufficient?

As I wrote in my article:
The default protection profile protects common Microsoft applications and common 3rd party enterprise applications. You should import the "Popular Software" protection profile to protect non-Microsoft browsers and applications with EMET. From the EMET Configuration tool, click "Import", then load the "Popular Software.xml" protection profile which adds protection to applications such as Google Chrome, Firefox, VLC, ...
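The two steps recommended in this thread, importing the "Popular Software" profile (above) and enabling "deep hooks" on EMET 4.1 (in the earlier reply), can also be done from the command line, which is how an administrator would script them across several machines. The following is an added example, not code from the commenter or from Microsoft. It assumes a default EMET 4.1 installation folder, that the profile XML lives under Deployment\Protection Profiles as in a default install, and that the EMET_Conf.exe options follow the EMET 4.x user guide; run EMET_Conf.exe --help to confirm what your version accepts, and run the script from an elevated PowerShell prompt.

```powershell
# Added example: apply the "Popular Software" profile and turn on Deep Hooks
# with EMET_Conf.exe, the command-line front end that ships with EMET 4.x.
# Assumed paths (default install); adjust if your deployment differs.
$EmetDir    = Join-Path ${env:ProgramFiles(x86)} 'EMET 4.1'
$EmetConf   = Join-Path $EmetDir 'EMET_Conf.exe'
$ProfileXml = Join-Path $EmetDir 'Deployment\Protection Profiles\Popular Software.xml'

foreach ($f in @($EmetConf, $ProfileXml)) {
    if (-not (Test-Path -LiteralPath $f)) { throw "Not found: $f" }
}

# 1. Keep a copy of the current configuration so it can be restored
#    (EMET_Conf --import <backup.xml>) if an application starts crashing.
$Backup = Join-Path $env:TEMP 'emet-config-backup.xml'
& $EmetConf --export $Backup

# 2. Import the profile that adds Chrome, Firefox, VLC and other
#    non-Microsoft applications to the protected list.
& $EmetConf --import $ProfileXml

# 3. Deep Hooks makes EMET's checks cover the lower-level APIs that the
#    published bypass targets. It is off by default in 4.1 and on by
#    default in the 5.0 preview. Because it intercepts more, it also
#    raises the chance of breaking an application, so test on the
#    protected apps before rolling this out widely.
& $EmetConf --deephooks enable

# 4. Show the resulting per-application and system-wide settings.
& $EmetConf --list
& $EmetConf --list_system
```

If a plugin or application misbehaves afterwards, the first things to try are disabling Deep Hooks again (--deephooks disable) or removing the individual mitigation for that executable, rather than uninstalling EMET outright; the exported backup lets you return to the previous application list in one step.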

Excellent! We need more white hats like these making responsible disclosures, and companies responding ASAP to fix the problems and push out fixes.

link8506 said,

... EMET introduces a new protection that will prevent JAVA to run in IE in the internet zone, while letting it run from the intranet zone.

Yes! Yes! Yes!

DonC said,

Yes! Yes! Yes!

Yeah, it's going to be popular among system administrators.

However, the default configuration is a bit excessive, as it blocks Java, VML, and Flash Player.

There is a registry setting to modify if you want to let Flash Player run in the Internet zone while blocking just Java and VML.

Doesn't EMET always come with a warning that basically says "This only stops the dumbest hackers, don't count on this for total security"?