

How does the EMET 5.0 vulnerability allow attackers to turn it off?

A vulnerability has been discovered in EMET 5.0 that can be used to turn EMET off. Expert Nick Lewis explains the flaw, and what enterprises can do to maintain security.

I read about a Microsoft EMET 5.0 vulnerability that allowed attackers to turn the tool against itself. What is the EMET vulnerability, and how exactly did it work? Besides patching, what should be done to avoid this problem?

Microsoft EMET is a "security tool that adds supplemental security defenses to defend potentially vulnerable legacy and third-party applications." It enforces mitigations such as data execution prevention (DEP) and address space layout randomization (ASLR), which recent versions of Windows provide, on legacy applications that do not opt into them, and it supplies protections that older versions of Windows lack. It is not a replacement for antimalware software, application whitelisting, patching or other security controls; it was designed to raise the cost of an attack. If an attacker can already run code on an endpoint, it is only a matter of time until EMET is bypassed, just as antimalware and other tools are.

FireEye discovered a weakness in EMET 5.0, which also affects earlier releases of the tool, that can be used to turn EMET off. EMET needs a way to unload itself from a process in case its hooks cause problems on the endpoint, and that functionality must be carefully controlled so it cannot be abused. FireEye showed that an attacker who already has code execution inside a protected process can locate EMET's own unloading routine in the EMET DLL injected into that process and call it, which removes EMET's hooks and returns the process to its unprotected state. Rather than defeating each mitigation individually, the attacker simply reuses the tool's own code against it. Microsoft has released an updated version, EMET 5.5, that addresses this issue.

Besides patching, which any enterprise using EMET 5.0 should do as part of its standard practices, enterprises should have layered defenses that include standard security tools, so that no single control is relied on to stop an attacker who has already gained code execution on an endpoint.
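The patching step above is only as good as the inventory behind it. The following PowerShell script is an added example written for this page, not code from the article, from FireEye or from Microsoft. It finds the EMET install on a host, flags versions below 5.5, checks the EMET service, and lists processes that currently have the EMET agent DLL loaded. It assumes (labelled in the comments) that EMET registers under the standard Uninstall keys with a DisplayName containing "EMET", that the 5.x service is named EMET_Service, and that the injected agent DLLs are EMET.dll and EMET64.dll; verify those names against your own installation. A passing version check shows the fix is installed, not that EMET cannot be bypassed by some other route.

```powershell
# Added example: inventory checks for EMET on a Windows host (not the article's or Microsoft's code).
# Assumptions: EMET appears under the standard Uninstall keys with "EMET" in DisplayName;
# the EMET 5.x service is named EMET_Service; the injected agent DLLs are EMET.dll / EMET64.dll.

$MinimumSafeVersion = [version]'5.5'   # first release that addressed the FireEye finding

function Get-EmetInstall {
    # Look in both the native and WOW6432Node Uninstall hives.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object {
            $_.DisplayName -like '*EMET*' -or
            $_.DisplayName -like '*Enhanced Mitigation Experience Toolkit*'
        } |
        Select-Object DisplayName, DisplayVersion, InstallDate
}

function Test-EmetVersion {
    param([Parameter(Mandatory)][string]$DisplayVersion)
    # $true when the installed version is at or above $MinimumSafeVersion; $false if unparsable.
    try { [version]$DisplayVersion -ge $MinimumSafeVersion } catch { $false }
}

function Get-EmetProtectedProcess {
    # Processes that currently have the EMET agent DLL loaded. Enumerating another user's
    # process modules needs sufficient privilege; processes that cannot be opened are skipped.
    Get-Process -ErrorAction SilentlyContinue | ForEach-Object {
        $p = $_
        try {
            $mods = $p.Modules | Where-Object { $_.ModuleName -in 'EMET.dll', 'EMET64.dll' }
            if ($mods) {
                [pscustomobject]@{ Name = $p.ProcessName; Id = $p.Id; Module = $mods[0].ModuleName }
            }
        } catch { }   # access denied or 32/64-bit mismatch: cannot read modules, skip
    }
}

# Usage: run in an elevated PowerShell session on the endpoint.
$emet = Get-EmetInstall
if (-not $emet) {
    Write-Output 'EMET is not installed on this host.'
} else {
    foreach ($e in $emet) {
        $ok = Test-EmetVersion -DisplayVersion $e.DisplayVersion
        $status = if ($ok) { 'OK' } else { "UPDATE REQUIRED (below $MinimumSafeVersion)" }
        Write-Output ('{0} {1}: {2}' -f $e.DisplayName, $e.DisplayVersion, $status)
    }
    $svc = Get-Service -Name 'EMET_Service' -ErrorAction SilentlyContinue
    $svcState = if ($svc) { $svc.Status } else { 'not found' }
    Write-Output ('EMET_Service: {0}' -f $svcState)
    Write-Output 'Processes with the EMET agent DLL loaded:'
    Get-EmetProtectedProcess | Format-Table -AutoSize
}
```

Run it from your endpoint management tooling across the fleet and treat any "UPDATE REQUIRED" result, a missing service, or an application that should be protected but shows no EMET module as a finding to act on.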

It would have been difficult for Microsoft to avoid this problem entirely, and it has done the best it could under the circumstances. Microsoft responded promptly to the vulnerability report, fixed the vulnerability and reviewed its software development practices for EMET 5.0 to determine whether the bug could have been prevented. Given the adaptive nature of security researchers and attackers, as soon as a protection is implemented it will be analyzed for weaknesses. The more significant the improvement, the longer it should take to be analyzed and bypassed, which buys defenders time to protect their endpoints.

Next Steps

Learn about the features of Microsoft EMET 5.0

Read how to keep your enterprise safe after Windows Server 2003 end of life

Compare different endpoint antimalware security options

This was last published in July 2016
