EMET bypass in Wow64 Windows subsystem
One of the greatest strengths of the Windows operating system is backwards compatibility. Many classic programs from the DOS-age or early-Windows days are still running fine on modern versions of Windows.
Along with the strength comes a weakness, as exploits may target these legacy systems.
Researchers at Duo Security discovered an issue in Microsoft's Enhanced Mitigation Experience Toolkit (EMET) that allows them to bypass the protection it adds to the system by using the WoW64 compatibility layer provided by 64-bit versions of Windows.
WoW, or Windows on Windows, enables 32-bit applications to run on 64-bit machines. While most Windows systems these days are 64-bit machines, many of the programs run on these machines are not.
WoW64 is part of all 64-bit versions of Windows including Windows 7, Windows 8.1 and Windows 10 as well as all server editions of the operating system.
The WoW64 subsystem comprises a lightweight compatibility layer that has similar interfaces on all 64-bit versions of Windows. It aims to create a 32-bit environment that provides the interfaces required to run unmodified 32-bit Windows applications on a 64-bit system.
For web browsers for example the researchers found out, that 80% are still 32-bit processes that execute on the 64-bit host machine, 16% are 32-bit processes executed on 32-bit hosts, and only 4% true 64-bit processes (based on a week-long sample of browser authentication data for unique Windows systems).
One core finding was that EMET mitigations are far less effective under the Wow64 subsystem and that changing that would require major modifications to how EMET works.
The researchers are aware of the fact that EMET mitigations have been disclosed before but most deal with bypassing mitigations individually. Their method on the other hand enables them to bypass all payload/shellcode execution and ROP-related mitigations in a " a generic, application-independent way, using the WoW64 compatibility layer provided in 64-bit editions of Windows".
A research paper is available in PDF format. You may download it from the Duo Security website directly.
You are probably wondering what the take-away is. The researchers suggest to use native 64-bit applications whenever 32-bit and 64-bit versions of a program are available.
The main reason for that is that 64-bit binaries offer security benefits and make "some aspects of exploitation more difficult".
EMET is still recommended by the researchers as it "continues to raise the bar for exploitation" and "is still an important part of a defense-in-depth strategy".
Now You: Do you run EMET or other mitigation software on Windows?
I’m running HitmanPro.Alert hoping its mitigation strength is effective as announced.
I wasn’t at all into the mitigation problematic until the arrival of crypto-ransomware, frightening enough to start wondering on my security protocols and noticing none had the required profile to reply to a crypto-ransomware attack. Hitman.Pro aims to handle this as well as several other mitigation schemes, so I installed it, hoping it will be efficient should I encounter a related attack.
Hitman Pro is an excellent program, like it a lot.
HitmanPro.Alert (above mentioned) together with the well known HitmanPro (anti-malware scanner) make a nice duo and, without aiming to advertise, one same license for both is a plus of course (advanced features compared to the free versions of each).
I too use HitmanPro Alert.
My question would be how to fix it? Besides that use as much as possible x64 I found no workaround on existent x86 processes.
There is no fix. You can run other security software to reduce the chance of malicious code being run on your system though. I think that Sandboxing for instance is a great option in this regard.
OK, thanks for the answer.
Malwarebytes Anti-Exploit is a friendly alternative for those who might find EMET too complex to use.