Microsoft EMET vulnerability turns tool against itself

Roundup: Microsoft EMET is vulnerable to exploit; it's time to update to v5.5. Plus: Dell, IBM and Gemalto research reports claim cybercriminals are getting smarter, bigger and faster.

When Microsoft upgraded its Enhanced Mitigation Experience Toolkit, or EMET, earlier this month, the software giant touted the fact that version 5.5 added support for Windows 10, as well as various other improvements and mitigations. But this week, researchers reported a key vulnerability in earlier versions of Microsoft EMET, which allowed attackers to turn the free antimalware tool against itself.

The vulnerability gives attackers an easy way to use "a portion of code within EMET that is responsible for unloading EMET" to disable EMET entirely, according to a new report from Abdulellah Alsaheel and Raghav Pande, security researchers at FireEye Inc., based in Milpitas, Calif.

According to the FireEye report, Microsoft EMET "adds security mitigations to user-mode programs beyond those built in to the operating system." By running "inside 'protected' programs as a Dynamic Link Library (DLL)," EMET makes exploitation of some memory-related exploits more difficult.

The researchers worked with Microsoft on a patch for EMET, which was issued earlier this month as part of version 5.5, but the vulnerability can be exploited in the currently supported versions older than EMET 5.5 -- 5.0, 5.1 and 5.2 -- as well as in all older, unsupported versions. Microsoft described the mitigation of this vulnerability in its update as "EAF/EAF+ pseudo-mitigation performance improvements." Export Address Table Filtering (EAF) protects against attacks that attempt to read DLL export tables.

Microsoft EMET was never intended to be a complete solution to malware, but rather as a way of putting higher barriers in the way of malware writers. According to Microsoft, EMET is intended to "detect and block exploitation techniques that are commonly used to exploit memory corruption vulnerabilities."

"EMET anticipates the most common actions and techniques adversaries might use in compromising a computer, and helps protect by diverting, terminating, blocking, and invalidating those actions and techniques," Microsoft wrote. And EMET is able to protect against some zero-day vulnerabilities by making them harder to exploit.

However, "if an attacker can bypass EMET with significantly less work, then it defeats EMET's purpose of increasing the cost of exploit development," the FireEye researchers wrote. They also described a fairly simple exploit of the vulnerability that takes advantage of the portion of code in EMET that unloads EMET once it has determined a piece of software is safe.

Vulnerabilities and exploits that either bypass or disable EMET have been seen in both research and attacks across several versions, including in 2014, when Bromium found a way to bypass EMET 4.1.

Just how bad was 2015 for cybercrime?

This week saw the release of new research reports about cybercrime in the past year, and the news isn't great.

First, according to the IBM X-Force Threat Intelligence Report 2016, attackers appear to be getting more organized and sophisticated, with the single biggest reason for the escalation being "the increasing involvement and investment of full-blown criminal organizations in digital crime, and the resulting increase in numbers of well-orchestrated operations, such as Carbanak."

"These gangs operate much like businesses, leveraging connections, employing collaboration and deploying teams for different tasks," according to the IBM X-Force report.

Meanwhile, the 2016 Dell Security Annual Threat Report listed four key findings from its research in 2015, starting with the continuing evolution of exploit kits "to stay one step ahead of security systems, with greater speed, heightened stealth and novel shapeshifting abilities." Second, Web traffic "encryption continued to surge, leading to under-the-radar hacks affecting at least 900 million users in 2015."

Dell also reported Android malware continued to grow throughout the year, with increases in Android ransomware attacks, improvements in detection evasion by malware writers and financial apps being a particularly appealing target for attackers.

Finally, attacks were way up in 2015 compared with 2014, according to Dell's research. "Malware attacks nearly doubled to 8.19 billion; popular malware families continued to morph from season to season and differed across geographic regions," the report claimed.

Also this week, Amsterdam-based security firm Gemalto released findings from its Breach Level Index. The vendor reported there were 1,673 data breaches globally, leading to 707 million data records being compromised last year.

"In 2014, consumers may have been concerned about having their credit card numbers stolen, but there are built-in protections to limit the financial risks," said John Hart, vice president and CTO at Gemalto. "However, in 2015, criminals shifted to attacks on personal information and identity theft, which are much harder to remediate once they are stolen."

Gemalto also reported government sector breaches, which accounted for 43% of compromised data records, were "up 476% from 2014 due to several very large data breaches in the United States and Turkey," and those breaches comprised 16% of all data breaches.

The healthcare sector was also hit hard in 2015, with 19% of all records compromised and 23% of all data breaches. Meanwhile, the Gemalto report also claimed "the retail sector saw a major drop (93%) in the number of stolen data records, compared to the same period last year, accounting for just 6% of stolen records and 10% of the total number of breaches in 2015."

In other news:

  • Google and a group of global mobile telecommunications operators this week jointly announced a mobile industry initiative to accelerate the availability of Rich Communications Services. RCS is a more feature-rich specification for messaging than SMS, and Google plans to add RCS messaging to its Android mobile operating system. RCS delivers features such as group chat, photo sharing and read receipts to mobile messaging applications, similar to those offered in "over the top" messaging applications available through services like Skype, Facebook and others that bypass mobile firms' text messaging services.
  • The proposed Dell-EMC deal rolls on, as a waiting period required by U.S. antitrust legislation expired this week. Dell's acquisition of EMC is still subject to regulatory approval in the European Union and China, as well as approval by EMC and VMware shareholders. The deal is expected to close later this year. Questions still remain over how the deal will impact the information security business of both firms. EMC purchased RSA Security in 2006, and Dell has expanded its security portfolio in recent years as well.
  • Donna Seymour, embattled CIO for the Office of Personnel Management, announced her retirement just two days before she was scheduled to testify -- again -- before the House Committee on Oversight and Government Reform, according to a report from USA Today. Seymour testified last summer before the House Oversight Committee hearing on the OPM breach.

Next Steps

Find out how Microsoft's Device Guard can help protect Windows 10 from malware.

Learn how Windows 10 addresses some long-standing Windows vulnerabilities.

Read about how to watch out for vulnerabilities in Linux.

Related Discussions

Peter Loshin asks:

How do you use Microsoft's Enhanced Mitigation Experience Toolkit in your organization?
