I read about a Microsoft EMET 5.0 vulnerability that allowed attackers to turn the tool against itself. What is the EMET vulnerability, and how exactly did it work? Besides patching, what should be done to avoid this problem?
Microsoft EMET is a "security tool that adds supplemental security defenses to defend potentially vulnerable legacy and third-party applications." It has functionality for implementing improvements like data execution prevention and address space layout randomization that were included in recent versions of Windows, but are not present in legacy applications or older versions of Windows. It is not a replacement for antimalware software, whitelisting, patching or other security controls, but was designed to raise the cost for an attacker. If an attacker can run code on an endpoint, it is only a matter of time until EMET is bypassed just like antimalware or other tools.
FireEye discovered a vulnerability in EMET 5.0, which also affects earlier versions of the tool, that could be used to turn EMET off. EMET needs to include functionality to turn itself off in case it causes problems on the endpoint, and that functionality should be carefully controlled so that EMET isn't easily bypassed. FireEye described a new technique for changing a variable in the configuration of EMET 5.0 that turns the protections off. Microsoft has an updated version available, EMET 5.5, that addresses these vulnerabilities.
Besides patching, which any enterprise using EMET 5.0 should do as part of its standard practices, enterprises should have layered defenses that include standard security tools.
It would have been difficult for Microsoft to avoid this problem, and it has done the best it could under the circumstances. Microsoft responded promptly to the vulnerability report, fixed the vulnerability and reviewed its software development practices for EMET 5.0 to determine if the bug could have been prevented. Given the adaptive nature of security researchers and attackers, as soon as one protection is implemented, it will be analyzed to determine any weaknesses. The more significant the improvement, the longer it should take to be analyzed and bypassed, which could buy time for defenders to protect their endpoints.
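Since the fix is to be on EMET 5.5 and the attack turns the tool off, a defender's first check is whether each endpoint is actually patched and EMET is actually running. The script below is an added example, not part of the original answer or of Microsoft's tooling; it assumes EMET registers in the standard Uninstall keys with a DisplayName beginning "EMET" and that its service is named EMET_Service (confirm both against your build before deploying it fleet-wide).

```powershell
# Added example: verify EMET is present, at least version 5.5, and its service is running.
# Assumptions (not from the original page): DisplayName starts with "EMET" in the Uninstall
# keys, and the protection service is named "EMET_Service".

$MinimumVersion = [version]'5.5'

function Get-EmetInstallInfo {
    # Look in both native and WOW6432Node uninstall hives (32-bit installer on 64-bit Windows).
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'EMET*' } |
        Select-Object -First 1 DisplayName, DisplayVersion
}

function Test-EmetBaseline {
    $result = [ordered]@{ Installed = $false; Version = $null; Patched = $false; ServiceRunning = $false }
    $info = Get-EmetInstallInfo
    if ($null -eq $info) { return [pscustomobject]$result }

    $result.Installed = $true
    $result.Version   = $info.DisplayVersion
    # DisplayVersion is a string such as "5.5.xxxx.xxxx"; a malformed value counts as unpatched.
    try   { $result.Patched = ([version]$info.DisplayVersion -ge $MinimumVersion) }
    catch { $result.Patched = $false }

    # A stopped service is the symptom the bypass produces, so report it separately from the version.
    $svc = Get-Service -Name 'EMET_Service' -ErrorAction SilentlyContinue   # assumed service name
    $result.ServiceRunning = ($null -ne $svc -and $svc.Status -eq 'Running')

    [pscustomobject]$result
}

$status = Test-EmetBaseline
$status | Format-List

# Distinct exit codes so a configuration-management or monitoring job can tell the cases apart.
if (-not $status.Installed)      { Write-Warning 'EMET is not installed on this host.'; exit 1 }
if (-not $status.Patched)        { Write-Warning "EMET $($status.Version) is below $MinimumVersion; update to 5.5 or later."; exit 2 }
if (-not $status.ServiceRunning) { Write-Warning 'EMET service is not running; protections may have been disabled.'; exit 3 }
exit 0
```

Run it from an elevated prompt as a scheduled compliance check; a host that reports exit code 3 while showing version 5.5 or later deserves an incident-response look rather than a simple service restart.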
Related Q&A from Nick Lewis