Researchers find critical flaw in Microsoft's EMET toolkit
Microsoft has issued a patch for its Enhanced Mitigation Experience Toolkit (EMET) after FireEye researchers found a way to use a vulnerability within the tool to force it to shut itself down.
EMET is designed to add security mitigations to user-mode programs. It runs inside the protected programs and makes changes that make exploitation more difficult, increasing the cost of exploit development for attackers.
But FireEye security researchers discovered a vulnerability that enables attackers to disable EMET merely by locating and calling a function that is responsible for unloading the tool.
This is because EMET is designed to load itself as a DLL via Windows API hooks and inject itself into every protected process, giving it the ability to analyse code to determine whether calls to critical APIs are legitimate.
But there is a portion of the code that is responsible for unloading EMET and returning the program to its default state.
“One simply needs to locate and call this function to completely disable EMET. In EMET.dll v5.2.0.1, this function is located at offset 0x65813. Jumping to this function results in subsequent calls, which remove EMET’s installed hooks,” FireEye said.
This technique is reliable and significantly easier than previously published EMET disabling or bypassing techniques, defeating the purpose of the software.
Microsoft’s patch to address the issue is available here.