I read about a Microsoft EMET 5.0 vulnerability that allowed attackers to turn the tool against itself. What is the EMET vulnerability, and how exactly did it work? Besides patching, what should be done to avoid this problem?
Microsoft EMET is a "security tool that adds supplemental security defenses to defend potentially vulnerable legacy and third-party applications." It enforces mitigations such as data execution prevention (DEP) and address space layout randomization (ASLR) that recent versions of Windows include but that legacy applications often do not opt into and older versions of Windows lack. It is not a replacement for antimalware software, application whitelisting, patching or other security controls; it was designed to raise the cost of exploitation for an attacker. If an attacker can already run code on an endpoint, it is only a matter of time until EMET is bypassed, just as antimalware and other endpoint tools are.
FireEye discovered a vulnerability in EMET 5.0, also present in earlier versions of the tool, that could be used to turn EMET off. EMET necessarily includes functionality to disable itself in case it causes problems on an endpoint, but that functionality must be carefully controlled so that it cannot be used to bypass the tool. FireEye described a technique in which attacker-controlled code already running on the endpoint changes a variable in EMET 5.0's configuration, switching its protections off. Microsoft has an updated version available, EMET 5.5, that addresses these vulnerabilities.
Besides patching, which any enterprise still running EMET 5.0 should do as part of its standard practices, enterprises should maintain layered defenses that include the standard security tools EMET was never meant to replace.
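The first practical step is knowing which endpoints still run a vulnerable release. The following PowerShell script is an added example, not code from the original article or from Microsoft; it reads the standard Uninstall registry keys on the local host, flags any EMET install older than 5.5 and checks whether the EMET service is running. The display name pattern "EMET*", the version string format and the service name "EMET_Service" are assumptions about how EMET registers itself and should be confirmed against one known-good machine before the script is rolled out through a management tool.

```powershell
# Added example (not from the original article): audit the installed EMET version
# on the local host and flag anything older than 5.5, the release the article says
# closes the self-disable bypass.
#
# Assumptions (verify against a known-good host):
#   - EMET appears under the standard Uninstall keys with a DisplayName starting "EMET"
#   - DisplayVersion is a dotted version string (e.g. "5.0.5324.31801")
#   - the EMET agent service is named "EMET_Service"

$MinimumVersion = [version]'5.5'
$ServiceName    = 'EMET_Service'

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Collect every Uninstall entry whose display name looks like EMET.
$emetEntries = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'EMET*' }

if (-not $emetEntries) {
    Write-Output 'EMET is not registered in the Uninstall keys on this host.'
    return
}

foreach ($entry in $emetEntries) {
    # Parse the version string; treat an unparseable value as unknown and report it.
    $installed = $null
    try { $installed = [version]$entry.DisplayVersion } catch { }

    if ($null -eq $installed) {
        Write-Warning ("{0}: DisplayVersion '{1}' could not be parsed; inspect manually." -f `
            $entry.DisplayName, $entry.DisplayVersion)
    }
    elseif ($installed -lt $MinimumVersion) {
        Write-Warning ("{0} {1} is older than {2}; upgrade to close the self-disable bypass." -f `
            $entry.DisplayName, $installed, $MinimumVersion)
    }
    else {
        Write-Output ("{0} {1} meets the minimum version {2}." -f `
            $entry.DisplayName, $installed, $MinimumVersion)
    }
}

# A current version that is not actually running protects nothing, so also check
# the agent service (name assumed above).
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Warning ("Service '{0}' not found; confirm the EMET agent is installed." -f $ServiceName)
}
elseif ($svc.Status -ne 'Running') {
    Write-Warning ("Service '{0}' is {1}, not Running; EMET mitigations may be off." -f `
        $ServiceName, $svc.Status)
}
else {
    Write-Output ("Service '{0}' is running." -f $ServiceName)
}
```

Run it under an account that can read HKLM and query services; for fleet-wide use, wrap it in Invoke-Command or your endpoint management tool and collect the warnings centrally so that hosts still on 5.0 or with the service stopped stand out.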
It would have been difficult for Microsoft to avoid this problem, and it did the best it could under the circumstances: it responded promptly to the vulnerability report, fixed the vulnerability and reviewed its software development practices for EMET 5.0 to determine whether the bug could have been prevented. Given how adaptive security researchers and attackers are, as soon as a protection is deployed it will be analyzed for weaknesses. The more significant the improvement, the longer it should take to analyze and bypass, which buys defenders time to protect their endpoints.