Security researchers have found a new exploit affecting Microsoft’s Enhanced Mitigation Experience Toolkit (EMET). The breach has since been amended by a patch released on February 2, but there are concerns that a large proportion of users might have opted out of this update as a result of its focus on minor compatibility tweaks.
EMET is a utility that’s meant to prevent exploits being used, which of course makes these findings all the more impactful. It seems that hackers have found a way to remove the protections being offered up by the tool by using one of its own legitimate functions, according to a report from PC World.
The utility serves to implement security techniques like Address Space Layout Randomization and Data Execution Prevention to individual applications, which is particularly important for legacy software that was created without access to these processes. Given that this exploit can disable EMET completely, rather than targeting individual techniques, it’s a rather flexible tool for those with criminal intentions.
Crucially, it’s understood that the exploit is capable of targeting three supported versions of EMET — 5.0, 5.1 and 5.2 — as well as outdated iterations like 4.1. The patch distributed earlier this month renders users who are running 5.5 safe, and it’s strongly recommended that others install the update as soon as possible.
The exploit itself takes advantage of a portion of code within EMET that unloads the tool whenever deemed necessary, disabling the protections it offers up. Hackers just need to locate and call this function to do so whenever it is convenient for their purposes.
A blog post published by FireEye, the organization that uncovered the exploit, notes that EMET was conceived as a method of raising the cost of exploit development by complicating the process. As such, it’s of little surprise that criminals are eager to remove it from the equation.
While the breach has now been taken care of, it still represents a liability so long as there are users out there using versions of EMET other than 5.5. However, according to FireEye’s Abdulellah Alsaheel and Raghav Pande, this issue is still cause for concern.
“This bypass was first addressed with the EMET 5.5 beta back in October 2015, however an EMET 5.5 bypass now exists as well,” wrote the pair in email correspondence with Digital Trends. “It is possible that an exploit author could add these bypasses to an existing exploit within just a few days.
“Completely aside from these, there exists an in-the-wild exploit which uses different tactics altogether to evade EMET, that works on all versions of EMET — even 5.5 — so there should always be some level of concern that a malicious entity could be exploiting something.”