
How does the EMET 5.0 vulnerability allow attackers to turn it off?

A vulnerability has been discovered in EMET 5.0 that can be used to turn EMET off. Expert Nick Lewis explains the flaw, and what enterprises can do to maintain security.

I read about a Microsoft EMET 5.0 vulnerability that allowed attackers to turn the tool against itself. What is the EMET vulnerability, and how exactly did it work? Besides patching, what should be done to avoid this problem?

Microsoft EMET is a "security tool that adds supplemental security defenses to defend potentially vulnerable legacy and third-party applications." It has functionality for implementing improvements like data execution prevention and address space layout randomization that were included in recent versions of Windows, but are not present in legacy applications or older versions of Windows. It is not a replacement for antimalware software, whitelisting, patching or other security controls, but was designed to raise the cost for an attacker. If an attacker can run code on an endpoint, it is only a matter of time until EMET is bypassed just like antimalware or other tools.

FireEye discovered a vulnerability in EMET 5.0, which also affects earlier versions of the tool, that could be used to turn EMET off. EMET needs to include functionality to turn itself off in case it causes problems on the endpoint. This should be carefully controlled so that EMET isn't easily bypassed. FireEye described a new technique for changing a variable in the configuration of EMET 5.0 that turns it off. Microsoft has an updated version available, EMET 5.5, that addresses these vulnerabilities.

Besides patching, which any enterprise using EMET 5.0 should do as part of its standard practices, enterprises should have layered defenses that include standard security tools.

It would have been difficult for Microsoft to avoid this problem and it has done the best it could under the circumstances. Microsoft responded promptly to the vulnerability report, fixed the vulnerability and reviewed its software development practices for EMET 5.0 to determine if the bug could have been prevented. Given the adaptive nature of security researchers and attackers, as soon as one protection is implemented, it will be analyzed to determine any weaknesses. The more significant the improvement, the longer it should take to be analyzed and bypassed, which could buy time for defenders to protect their endpoints.

This was last published in July 2016
