Researchers recently uncovered a method for completely bypassing all of the protections built into Microsoft's free Enhanced Mitigation Experience Toolkit, but despite the crack in EMET's armor, experts still believe the toolkit can be a valuable shield for enterprises using Windows.
The EMET security tool applies a number of Windows-based protections, most notably address space layout randomization and data execution prevention, to third-party applications. The tool is often touted by Microsoft as a way to temporarily mitigate zero-day exploits.
However, at the B-Sides San Francisco conference last week, researchers from Cupertino, Calif.-based security vendor Bromium claimed they were able to bypass EMET's defenses, raising questions about the effectiveness of the tool.
Rahul Kashyap, chief security architect and head of research at Bromium, said the company's EMET research focused on, among other weaknesses, use-after-free memory corruption issues, which can potentially be leveraged by an attacker to launch exploits. In a research paper, Bromium researchers detailed how they were able to craft an exploit based on an old Internet Explorer use-after-free vulnerability that bypassed all of the EMET security protections.
Researchers had previously discovered partial bypasses to sidestep individual EMET protections, but never a complete bypass in the vein of Bromium's discovery. Kashyap noted that the bypass shows fundamental weaknesses in tools like EMET, which operates on the basis of discovering known exploits.
Such weaknesses, he said, will only become more prevalent as attackers utilize more unknown techniques going forward. Still, Kashyap admitted that the complexity of the exploit utilized by Bromium was hardly trivial, meaning that it's unclear how quickly more EMET bypasses may be discovered.
Bromium worked with Microsoft to fix this particular issue in the upcoming EMET 5.0 update, which the software giant released in beta form at RSA Conference 2014. Version 5.0 also promises to deliver attack surface reduction and plug-in protection, which could, according to Kashyap, prevent the execution of malicious Java payloads.
EMET can continue to deliver value for enterprise security teams, Kashyap said, as long as they understand the toolkit's place in an overall defense-in-depth strategy. In particular, he said that companies with mature security programs should look to technologies that isolate threats, in addition to EMET and other endpoint tools that focus on detecting and blocking attacks.
"EMET certainly raises the bar for exploitation, and don't forget this is a free tool coming from Microsoft. This research doesn't make EMET useless or pointless," Kashyap said. "If you are trying to protect something which is important, you need to have a much more well-thought-out defensive strategy, and you can't just use a tool like EMET for that."
Wei Chen, an exploit developer for Rapid7's popular Metasploit framework, agreed with Kashyap that EMET 5.0 should make it harder for attackers to write successful Windows-based exploits, but that will only prove true if enterprises widely deploy the tool.
Despite the toolkit being free and available for nearly five years, Chen said that many organizations have yet to deploy EMET, for a variety of reasons. Some have simply never heard of the toolkit, he opined, while others may be scared off by the potential application compatibility issues. For example, Microsoft's own Skype application will not work while EMET is active unless Export Address Table Access Filtering is disabled.
Chen said that many attackers aren't writing exploits with thought given to bypassing EMET, though a recently discovered zero day targeting IE versions 9 and 10 reportedly would not deploy if the EMET DLL was detected on a machine. Despite writing exploits as part of his job, Chen said he's never been asked to take EMET detection into consideration.
Chen also noted that EMET should only be viewed as a technology that blocks common software exploitation techniques, not as a security cure-all. If a Windows end user downloads untrusted files, clicks on shady links or reuses passwords, attackers simply won't care whether EMET is on a system, according to Chen, because they'll simply find easier ways to compromise a network.
If used properly, though, EMET can be a vital security tool that helps block zero days and other exploits.
"I think Microsoft has been doing a pretty good job at raising the cost of exploitation by making it harder, but not perfect, as Bromium pointed out," Chen said. "As a user, you'd be a fool not to use EMET."