I read about a Microsoft EMET 5.0 vulnerability that allowed attackers to turn the tool against itself. What is the EMET vulnerability, and how exactly did it work? Besides patching, what should be done to avoid this problem?
Microsoft EMET is a "security tool that adds supplemental security defenses to defend potentially vulnerable legacy and third-party applications." It has functionality for implementing improvements like data execution prevention and address space layout randomization that were included in recent versions of Windows, but are not present in legacy applications or older versions of Windows. It is not a replacement for antimalware software, whitelisting, patching or other security controls, but was designed to raise the cost for an attacker. If an attacker can run code on an endpoint, it is only a matter of time until EMET is bypassed just like antimalware or other tools.
FireEye discovered a vulnerability in EMET 5.0, which also affects earlier versions of the tool, that could be used to turn EMET off. EMET needs to include functionality to turn itself off in case it causes problems on the endpoint. This should be carefully controlled so that EMET isn't easily bypassed. FireEye described a new technique for changing a variable in the configuration of EMET 5.0 that turns it off. Microsoft has an updated version available, EMET 5.5, that addresses these vulnerabilities.
Besides patching, which any enterprise using EMET 5.0 should do as part of its standard practices, enterprises should have layered defenses that include standard security tools.
It would have been difficult for Microsoft to avoid this problem, and it has done the best it could under the circumstances. Microsoft responded promptly to the vulnerability report, fixed the vulnerability and reviewed its software development practices for EMET 5.0 to determine if the bug could have been prevented. Given the adaptive nature of security researchers and attackers, as soon as one protection is implemented, it will be analyzed to determine any weaknesses. The more significant the improvement, the longer it should take to be analyzed and bypassed, which could buy time for defenders to protect their endpoints.