Researchers find critical flaw in Microsoft's EMET toolkit


By Dylan Bushell-Embling
Thursday, 25 February, 2016


Microsoft has issued a patch for its Enhanced Mitigation Experience Toolkit (EMET) after FireEye researchers found a way to use a vulnerability within the tool to force it to shut itself down.

EMET is designed to add security capabilities to user-mode programs. It runs inside protected programs and makes changes that make exploitation more difficult, increasing the cost of exploit development for the perpetrators.

But FireEye security researchers discovered a vulnerability that enables attackers to disable EMET merely by locating and calling a function that is responsible for unloading the tool.

This is because EMET is designed to load itself as a DLL via Windows API hooks and inject itself into every protected process, giving it the ability to analyse code to determine whether calls to critical APIs are legitimate.

But there is a portion of the code that is responsible for unloading EMET and returning the program to its default state.

“One simply needs to locate and call this function to completely disable EMET. In EMET.dll v5.2.0.1, this function is located at offset 0x65813. Jumping to this function results in subsequent calls, which remove EMET’s installed hooks,” FireEye said.

This technique is reliable and significantly easier than previously published EMET disabling or bypassing techniques, defeating the purpose of the software.

Microsoft’s patch to address the issue is available here.
