
Researchers Disarm Microsoft's EMET

timothy posted about a month ago | from the slipping-through dept.


wiredmikey (1824622) writes "Security researchers have found a way to disable the protection systems provided by the latest version of Microsoft's Enhanced Mitigation Experience Toolkit (EMET), a software tool designed to prevent vulnerabilities from being exploited by using various mitigation technologies. Others have managed to bypass EMET in the past, but researchers from Offensive Security have focused on disarming EMET, rather than on bypassing mitigations, as this method gives an attacker the ability to use generic shellcodes such as the ones generated by Metasploit. The researchers managed to disarm EMET and get a shell after finding a global variable in the .data section of the EMET.dll file. Initially, they only managed to get a shell by executing the exploit with a debugger attached, due to EMET's EAF checks. However, they've succeeded in getting a shell outside the debugger after disarming EAF with a method described by security researcher Piotr Bania in January 2012. The researchers tested their findings on Windows 7, Internet Explorer 8 and EMET 4.1 update 1."


33 comments


Let's face it ... (-1)

Anonymous Coward | about a month ago | (#47379107)

Either Microsoft is inherently incompetent at security, or security is just too damned hard and we should all give up and go back to devices which aren't connected.

Because Microsoft so far has an abysmal record of security.

Re:Let's face it ... (3, Insightful)

Anonymous Coward | about a month ago | (#47379245)

There is also the devil's advocate here: Every black hat, criminal organization, and national intel department is focusing on Microsoft's stuff with a passion, because a 0-day that is big enough could mean billions of revenue from extortion, blackmail, or just malicious mischief.

Before Microsoft was the leader, people said the same exact stuff about Sun. They whined that Solaris had too many holes, talked about how slow the fixes came out, and so on.

Microsoft has a lot of bad guys hunting them down every second of every day. Well heeled bad guys.

I'm amazed that they don't get nailed more often with 0-days with all the pressure the bad guys can bring to bear.

Re:Let's face it ... (-1)

Anonymous Coward | about a month ago | (#47379359)

> ...I'm amazed that they don't get nailed more often with 0-days with all the pressure the bad guys can bring to bear.

I'm amazed that they don't spend a bit and fix their shitty OS.

Re:Let's face it ... (0)

Anonymous Coward | about a month ago | (#47380101)

It might cost too much. Maybe even 10 million dollars. Can't have the CEOs doing without a new private jet this year.

Re:Let's face it ... (1)

FatdogHaiku (978357) | about a month ago | (#47379365)

I'm no lawyer but I feel certain that if you manage to get billions out of an exploit the words "malicious mischief" will not appear in the indictment...
At the very least I would expect "felonious tomfoolery"!

Re:Let's face it ... (2)

Ol Olsoc (1175323) | about a month ago | (#47381453)

> I'm no lawyer but I feel certain that if you manage to get billions out of an exploit the words "malicious mischief" will not appear in the indictment... At the very least I would expect "felonious tomfoolery"!

My God man! There are women and children present! Break out the smelling salts.

Re:Let's face it ... (1)

FatdogHaiku (978357) | about three weeks ago | (#47395123)

> I'm no lawyer but I feel certain that if you manage to get billions out of an exploit the words "malicious mischief" will not appear in the indictment... At the very least I would expect "felonious tomfoolery"!

> My God man! There are women and children present! Break out the smelling salts.

That's why I didn't go with "assiduous asshatterie".

0-day? (0)

justthinkit (954982) | about a month ago | (#47379711)

0-day? How about a 900-day? Jan, 2012 was about 900 days ago.

Re: Let's face it ... (1)

Neliton Streppel (3731131) | about a month ago | (#47380501)

Emetic.

Re:Let's face it ... (1)

RyuuzakiTetsuya (195424) | about a month ago | (#47379341)

I want more details here. I generally have a disdain for Microsoft but here it seems they built a custom target to exploit.

If they did this against, say, IE or some other app in the wild, sure, let's ask if we should pack it up. Until then...

Re:Let's face it ... (2)

GIL_Dude (850471) | about a month ago | (#47379477)

Well the first step in exploiting IE or other apps on a system in the wild is to bypass EMET. Remember, EMET is a mitigation technology designed to make it harder to exploit a vulnerability in IE, Flash, Acrobat Reader, etc. by adding extra protections. So if you are able to turn EMET off, you can then get back to your normal exploit.

Re:Let's face it ... (2)

simplypeachy (706253) | about a month ago | (#47380429)

Trying to get Flash to fall under all of EMET's protections is like trying to hit three moving targets. As soon as Flash gets updated, the executables it uses run under different file names and any specific mitigations are then lost. Thankfully, most applications that are easy meat for EMET's good work are a one-off config.

Re:Let's face it ... (1)

KevMar (471257) | about three weeks ago | (#47395555)

You're missing the point. If you have administrator rights, why even bother disabling EMET? Just uninstall it. Here is a quick exploit code for that:

Get-WmiObject Win32_Product | Where-Object{$_.Name -match "EMET"} | ForEach-Object{$_.Uninstall()}

If the attacker has admin rights then game over. Any other exploit after that is just smoke and mirrors.

Please do not disarm Microsoft's EMET! (2)

jtoj (537440) | about a month ago | (#47379237)

Here in Brazil Emet is a bitter medicine that stops you from throwing up.
Researchers Disarm Microsoft's EMET: that did scare me a lot!

Re:Please do not disarm Microsoft's EMET! (0)

Anonymous Coward | about a month ago | (#47381815)

The second amendment to the constitution guarantees that no such disarmament can be done in the US.

OK, I'll bite (1)

TechyImmigrant (175943) | about a month ago | (#47379247)

>managed to disarm EMET and get a shell after finding a global variable in the .data section

What is wrong with storing variables in the data section? Isn't that where you're supposed to keep data?

Re:OK, I'll bite (2)

zlives (2009072) | about a month ago | (#47379399)

Also, someone running 4.1 of EMET... probably isn't running IE8. Wonder why they used IE8.

Re:OK, I'll bite (1)

viperidaenz (2515578) | about a month ago | (#47379451)

Perhaps because IE8 is the browser that comes with Windows 7?

Re:OK, I'll bite (2)

zlives (2009072) | about a month ago | (#47379483)

Umm, by that logic they wouldn't need to worry about bypassing EMET... since it doesn't come with Win7.

Re:OK, I'll bite (2)

viperidaenz (2515578) | about a month ago | (#47380509)

They were not testing IE8. They were testing EMET. They used IE8 as the entry point because it has a known vulnerability that EMET is supposed to mitigate.
They could probably use any software with an exploit that enables remote code execution.

Re:OK, I'll bite (1)

CaptainDork (3678879) | about a month ago | (#47379795)

Yeah, I wondered about that, too.

Seriously? IE8?

I had to dump IE8, 9 and 10 at work because some sites objected.

I had banks and e-file systems people tell me to just get Firefox, please.

Re:OK, I'll bite (0)

Anonymous Coward | about a month ago | (#47379961)

As an IT professional who deals with customers on a regular basis, I can personally attest to helping switch innocent, misguided people to the path of GTFO IE.

attack surface (0)

Anonymous Coward | about a month ago | (#47379279)

What does “static” mean in a C program? [stackoverflow.com] (yes, I know the DLL/SO conventions are different; same concept.)

Now go clean up your code kiddies, and after you've got that taken care of, figure out how to randomize memory offsets so they can't just guess hard enough to get it anyhow. Hint: none of this — None. Of. This. — should be sitting around in easily analysed (un)initialized data segments, at the very least.

Did they cross out the E? (3, Funny)

kruach aum (1934852) | about a month ago | (#47379283)

Torah joke.

Re:Did they cross out the E? (1)

sgtsquid (1372843) | about a month ago | (#47379349)

> Torah joke.

They got lazy and didn't erase it completely, so the system just ran amok.

Is this surprising? (0)

Anonymous Coward | about a month ago | (#47379747)

I mean, just look at MS's track record in security. Either they don't know or they don't care.

Re:Is this surprising? (0)

CaptainDork (3678879) | about a month ago | (#47379819)

They know. They don't care.

Neither does the consumer, apparently.

The entire computing industry from top to bottom, hardware to software, and IT shops, needs to be lashed by the whip of litigation.

Similar to how we got sprinklers at work.

Re:Is this surprising? (0)

Anonymous Coward | about a month ago | (#47379889)

No, we don't want that. You know what we will get? Hardware enforced DRM stacks, smart cards that have to be inserted before we get Internet access, DLC (if you want a file manager, pay $20; a cmd.exe, $100; PowerShell, $50).

We won't get anything that helps us. Instead, the muzzles of the litigation would be trained at us, with more RIAA-like copyright violation penalties, civil penalties, and criminal sentences (the private industry's appetite for inmates is insatiable.)

Any laws or lawsuits will make it worse. It will force F/OSS to the sidelines (hint, the biggest reason I find as an obstacle to using anything but Windows is that there is a requirement for Common Criteria and FIPS compliance to pass Sarbanes-Oxley, PCI-DSS3, and HIPAA audits.) Lawsuits will mean a guarantee that Windows will be the only game in town.

but then IT pros go union and get licenses so they (1)

Joe_Dragon (2206452) | about a month ago | (#47380095)

But then IT pros go union and get licenses so they can't be pushed around by MBAs and PHBs to do stuff in a cheap and non-secure way.

Other side of this airtight hatchway... (4, Informative)

Kaenneth (82978) | about a month ago | (#47380007)

If you are able to arbitrarily modify system .DLLs, aren't you already in the system?

Sounds an awful lot like today's Old New Thing post: http://blogs.msdn.com/b/oldnew... [msdn.com]

Re:Other side of this airtight hatchway... (2)

Kaenneth (82978) | about a month ago | (#47380211)

OK, replying to myself, after doing more reading.

I guess the software under attack is designed to stop limited exploits from becoming big ones, and it's referring to the image of the .DLL in its loaded-into-memory state, not on disk.

I'd describe it as like knowing how to use a coathanger to unlock a car door.

Other side of this airtight hatchway... (0)

Anonymous Coward | about a month ago | (#47381353)

The technique patches the DLL in-memory directly from the exploit, not the DLL on the disk.

Like humanitarian sciences (1)

GlowingCat (2459788) | about a month ago | (#47381805)

All these abbreviations are technically like humanitarian sciences. Far, far away from CPU's instruction execution.