EMET Exploit FireEye

Security firm FireEye has revealed that hackers are able to bypass Microsoft’s Enhanced Mitigation Experience Toolkit (EMET), with large-scale attacks breaching the protections of Redmond’s tool, which is designed to stop software attacks.

Microsoft EMET is designed to detect and stop malicious behavior by injecting protective mitigations into applications. FireEye researchers, as reported in ComputerWorld, have seen exploits for both Silverlight and Flash Player. These exploits are designed to bypass EMET and have now been added to the popular Angler exploit kit.

You may remember FireEye warning of EMET vulnerabilities in February. At the time, the security firm said that it was possible to shut down EMET from within its own code if the hacker could access it. This latest exploit is unrelated, but it highlights worrying security holes in Microsoft’s protection tool, with the new attack able to bypass mitigations like Data Execution Prevention (DEP), Export Address Table Access Filtering (EAF) and Export Address Table Access Filtering Plus (EAF+).

The fact that the exploit has found its way into the Angler exploit kit is also worrying, considering it is one of the most popular attack tools. FireEye says the Angler exploit to bypass EMET is already advanced:

“The ability of Angler EK to evade EMET mitigations and successfully exploit Flash and Silverlight is fairly sophisticated in our opinion. These exploits do not utilize the usual return-oriented programming to evade DEP. Data Execution Prevention (DEP) is a mitigation developed to prevent the execution of code in certain parts of memory.”

Needless to say, the time when EMET could be used as a last line of defence for older apps has gone, so individuals and companies need to either update browser plugins or put more security measures in place.

“Applications such as Adobe Flash, web browsers, and Oracle Java should be patched routinely, prioritizing critical patches, or removed if possible,” the FireEye researchers said. “Because the Web browser plays an important role in the infection process, disabling browser plugins for Flash or Silverlight may also reduce the browser attack surface.”