Attackers can turn Microsoft's exploit defense tool EMET against itself

Exploits can trigger a specific function in EMET that disables all protections it enforces for other applications

Hackers can easily disable the Microsoft Enhanced Mitigation Experience Toolkit (EMET), a free tool used by companies to strengthen their Windows computers and applications against publicly known and unknown software exploits.

Researchers from security vendor FireEye have found a method through which exploits can unload EMET-enforced protections by leveraging a legitimate function in the tool itself.

Microsoft patched the issue in EMET 5.5, which was released on Feb. 2. However, it's likely that many users haven't upgraded yet, because the new version mainly adds compatibility with Windows 10 and doesn't bring any new significant mitigations.

First released in 2009, EMET can enforce modern exploit mitigation mechanisms like Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR) or Export Address Table Access Filtering (EAF) to applications, especially legacy ones, that were built without them. This makes it much harder for attackers to exploit vulnerabilities in those applications in order to compromise computers.

Security researchers have found various ways to bypass particular EMET-enforced mitigations over the years, but they were primarily the result of design and implementation errors, like some modules or APIs being left unprotected. Methods to disable EMET protections completely have also been reported in the past, but they were not always straight-forward and required significant effort.

The FireEye researchers believe that their new technique, which essentially uses EMET against itself, is more reliable and easier to use than any previously published bypasses. Furthermore, it works against all supported versions of EMET -- 5.0, 5.1 and 5.2 -- with the exception of EMET 5.5, and also on versions that are no longer supported, like 4.1.

EMET injects some DLLs (Dynamic Link Libraries) into third-party application processes that it's configured to protect. This allows it to monitor calls from those processes to critical system APIs and to determine if they are legitimate or the result of an exploit.

However, the tool also contains code that is responsible for unloading mitigations in a clean way, returning the protected processes to their initial state without causing malfunctions or crashes. It's this feature that the FireEye researchers have figured out how to trigger from an exploit.

"One simply needs to locate and call this function to completely disable EMET," they said in a blog post Tuesday. "In EMET.dll v5.2.0.1, this function is located at offset 0x65813. Jumping to this function results in subsequent calls, which remove EMET's installed hooks."

This is a significant new attack vector that's easier to use than bypassing each of EMET's individual protections as they were designed, they said.

Since this technique is now public, EMET users should consider upgrading to version 5.5 as soon as possible to avoid future attacks that might adopt it. In addition to Windows 10 compatibility, this new EMET version improves the configuration and management of protections through Group Policy and improves the performance for the EAF and EAF+ mitigations.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest News Articles


GGG Evaluation Team

Kathy Cassidy


First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni


For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell


The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi


The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott


My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?