EMET bypass in Wow64 Windows subsystem

Martin Brinkmann
Nov 5, 2015
Security
|
8

One of the greatest strengths of the Windows operating system is backwards compatibility. Many classic programs from the DOS-age or early-Windows days are still running fine on modern versions of Windows.

Along with the strength comes a weakness, as exploits may target these legacy systems.

Researchers at Duo Security discovered an issue in Microsoft's Enhanced Mitigation Experience Toolkit (EMET) that allows them to bypass the protection it adds to the system by using the WoW64 compatibility layer provided by 64-bit versions of Windows.

WoW, or Windows on Windows, enables 32-bit applications to run on 64-bit machines. While most Windows systems these days are 64-bit machines, many of the programs run on these machines are not.

WoW64 is part of all 64-bit versions of Windows including Windows 7, Windows 8.1 and Windows 10 as well as all server editions of the operating system.

The WoW64 subsystem comprises a lightweight compatibility layer that has similar interfaces on all 64-bit versions of Windows. It aims to create a 32-bit environment that provides the interfaces required to run unmodified 32-bit Windows applications on a 64-bit system.

For web browsers for example the researchers found out, that 80% are still 32-bit processes that execute on the 64-bit host machine, 16% are 32-bit processes executed on 32-bit hosts, and only 4% true 64-bit processes (based on a week-long sample of browser authentication data for unique Windows systems).

One core finding was that EMET mitigations are far less effective under the Wow64 subsystem and that changing that would require major modifications to how EMET works.

The researchers are aware of the fact that EMET mitigations have been disclosed before but most deal with bypassing mitigations individually. Their method on the other hand enables them to bypass all payload/shellcode execution and ROP-related mitigations in a " a generic, application-independent way, using the WoW64 compatibility layer provided in 64-bit editions of Windows".

A research paper is available in PDF format. You may download it from the Duo Security website directly.

You are probably wondering what the take-away is. The researchers suggest to use native 64-bit applications whenever 32-bit and 64-bit versions of a program are available.

The main reason for that is that 64-bit binaries offer security benefits and make "some aspects of exploitation more difficult".

EMET is still recommended by the researchers as it "continues to raise the bar for exploitation" and "is still an important part of a defense-in-depth strategy".

Now You: Do you run EMET or other mitigation software on Windows?

Summary
Article Name
EMET bypass in Wow64 Windows subsystem
Description
Security researchers have discovered a method to bypass EMET protections on Windows.
Author
Advertisement

Previous Post: «
Next Post: «

Comments

  1. anon said on November 5, 2015 at 8:26 pm
    Reply

    Malwarebytes Anti-Exploit is a friendly alternative for those who might find EMET too complex to use.

  2. CHEF-KOCH said on November 5, 2015 at 7:55 pm
    Reply

    OK, thanks for the answer.

  3. CHEF-KOCH said on November 5, 2015 at 7:15 pm
    Reply

    My question would be how to fix it? Besides that use as much as possible x64 I found no workaround on existent x86 processes.

    1. Martin Brinkmann said on November 5, 2015 at 7:50 pm
      Reply

      There is no fix. You can run other security software to reduce the chance of malicious code being run on your system though. I think that Sandboxing for instance is a great option in this regard.

  4. Tom Hawack said on November 5, 2015 at 6:58 pm
    Reply

    I’m running HitmanPro.Alert hoping its mitigation strength is effective as announced.
    I wasn’t at all into the mitigation problematic until the arrival of crypto-ransomware, frightening enough to start wondering on my security protocols and noticing none had the required profile to reply to a crypto-ransomware attack. Hitman.Pro aims to handle this as well as several other mitigation schemes, so I installed it, hoping it will be efficient should I encounter a related attack.

    1. ilev said on November 6, 2015 at 7:52 am
      Reply

      I too use HitmanPro Alert.

    2. Martin Brinkmann said on November 5, 2015 at 7:50 pm
      Reply

      Hitman Pro is an excellent program, like it a lot.

      1. Tom Hawack said on November 5, 2015 at 8:50 pm
        Reply

        HitmanPro.Alert (above mentioned) together with the well known HitmanPro (anti-malware scanner) make a nice duo and, without aiming to advertise, one same license for both is a plus of course (advanced features compared to the free versions of each).

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.