Tuesday, October 28, 2014

Microsoft EMET - Armor against zero-days bypassed again | Conference Slides

New methods make it possible to circumvent protection mechanisms of Microsoft EMET 5.0

The EMET (Enhanced Mitigation Experience Toolkit) tool developed by Microsoft makes it possible for administrators and end users to retroactively equip applications with additional protection mechanisms. This enhanced protection is intended to prevent various attack techniques that are currently used by cyber attackers.

Security expert René Freingruber of the SEC Consult Vulnerability Lab has developed numerous methods to get around the basic protection mechanisms of EMET in all currently available versions. If a cyber-attacker were to use these new bypass methods, serious attacks could be carried out. A software product protected with EMET as a workaround affected by a critical zero-day vulnerability could, for example, fall under the control of attackers.

Microsoft was informed of this by SEC Consult and is working on an improvement to the protection methods.

The experts of the SEC Consult Vulnerability Lab advise you to not view EMET as an unbeatable protection measure, because the tool can definitely be bypassed with the help of newly discovered methods.

SEC Consult considers it as necessary for software manufacturers to make the development of applications more secure and to regularly test their software extensively for application security.



Demo video


Slides

Detailed slides from previous conferences, where the research has been presented by René Freingruber, are available here:

RuxCon, 11-12 October 2014



ToorCon, 25-26 October 2014


ZeroNights, 13-14 November, 2014

NorthSec 21-24 May, 2015

media ccc




Microsoft Blogpost