Windows 10: Attackers can turn Microsoft exploit defense tool EMET against itself

Read more: Attackers can turn Microsoft's exploit defense tool EMET against itself | PCWorld

:)

 

Does EMET perform well ?

No...having EMET is not really necessary.

• How is MBAE different from Enhanced Mitigation Experience Toolkit (EMET)?

Further, some security researchers have advised not to to use multiple anti-exploit applications because using more than one of them at the same time can hamper the effectiveness of

Return-oriented programming (ROP)

and other exploit checks. This in turn can result in the system becoming even more vulnerable than if only one anti-exploit application is running.

ROP is a computer security exploit technique that allows an attacker to execute code in the presence of security defenses such as non-executable memory and code signing.

Address Space Layout Randomization (ASLR)

is a computer security technique involved in protection from buffer overflow attacks. These security technologies are intended to mitigate (reduce) the effectiveness of exploit attempts. Many advanced exploits relay on
ROP and ASLR as attack vectors used to defeat security defenses and execute malicious code on the system. For example, they can be used to bypass DEP (data execution prevention) which is used to stop buffer overflows and memory
corruption exploits. Tools with ROP and ASLR protection such as
Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) use technology that checks each critical function call to determine if it's legitimate (if those features are enabled).

• The State of Return Oriented Programming in Contemporary Exploits
• An Analysis of Address Space Layout Randomization
• Anti-exploitation features explained

This is a quote from
Fabian Wosar, a Security Colleague and developer who works for Emsisoft...from

HMP.Alert & MBAE, Post #7

"EMET, HMP.Alert and MBAE can all be useful under certain circumstances. The most effective step to fending of exploits is to reduce your attack surface. Keep the software you use up-to-date and try to get rid of Java and Adobe plugins. If you can't get
rid of them completely, at least turn them on only for the sites that you know won't work without them. All browsers that I have used in the past year have features which makes it very easy to limit plugins to just a few sites. If for some reason you can't
do either of that, then adding exploit protection can be somewhat useful."

 

How crypto ransomware spreads... is it decryptable...should I pay the ransom

The best defensive strategy to protect yourself from malware and ransomware (crypto malware) infections is a

comprehensive approach. Make sure you are running an updated anti-virus and anti-malware product, update all vulnerable software, use supplemental security tools with

anti-exploitation features capable of stopping (preventing) infection before it can cause any damage, close/disable

Remote Desktop Protocol (RDP) if you do not need it and routinely
backup your data...then disconnect the external drive when the backup is completed. If you must use RDP, the best way to secure it is to either whitelist IP's on a firewall or not expose it to the Internet. Put RDP behind a firewall, only allow
RDP from local traffic, setup a VPN to the firewall and
enforce strong password policies, especially on any admin accounts or those with RDP privileges.

• How to Protect and Harden a Computer against Ransomware
• How To Lock Down So Ransomware Doesn't Lock You Out
• SANS Enterprise Survival Guide for Ransomware Attacks
• How to Strengthen Enterprise Defenses against Ransomware
• How Businesses Can Best Defend Against Ransomware Attacks
• 11 things home users can do to protect against ransomware
• Use an Anti-Exploit Program to Help Protect Your PC From Zero-Day Attacks

You should also rely on
behavior detection programs rather then standard anti-virus definition (signature) detection software only. This means using programs that can detect when malware is in the act of modifying/encrypting files AND stop it rather
than just detecting the malicious file itself which in most cases is not immediately detected by anti-virus software. Some anti-virus and anti-malware programs include built-in
anti-exploitation protection.

As with most ransomware...your best defense is back up, back up, back up and the best solution for dealing with encrypted data is to restore from backups.
Backing up data and

disk imaging are among the most important maintenance tasks users should perform on a regular basis, yet it's one of the most neglected areas.

• The smartest way to stay unaffected by ransomware? Backup!

QUOTE from
How do I decrypt files encrypted by ransomware?

"...Prevention before the fact is the only guaranteed peace of mind on this one."

Ransomware Prevention Tools:

• Malwarebytes 3.0 with Anti-Exploit & Anti-Ransomware
• Kaspersky Anti-Ransomware Tool for Business
• CryptoPrevent -
  
  CryptoPrevent FAQs
• Cybereason Ransomfree
• CryptoDrop
• HitmanPro.Alert with CryptoGuard
• MBRFilter -
  
  Using MBRFilter against Ransomware that modifiy the Master Boot Record
• Bitdefender Anti-Ransomware
• McAfee Real Protect Beta
• WinAntiRansom PLUS -
  
  WinAntiRansom Documentation
• Microsoft’s Enhanced Mitigation Experience Toolkit (EMET)
• Symantec's NoScript or
  
  AnalogX Script Defender
• List of Anti-Ransomware Software & Comparison

Keep in mind that some security researchers have advised not to to use multiple anti-exploit applications because using more than one of them at the same time can

Return-oriented programming (ROP), and other exploit checks. This in turn can result in the system becoming even more vulnerable than if only one anti-exploit application is running. In some cases multiple tools can cause
interference with each other and program crashes

Quote from
Use an Anti-Exploit Program to Help Protect Your PC From Zero-Day Attacks

"While you should use an antivirus (even just the Windows Defender tool built into Windows 10, 8.1, and 8) as well as an anti-exploit program, you shouldn’t use multiple anti-exploit programs...These types of tools could potentially interfere with each
other in ways that cause applications to crash or just be unprotected, too."

 

I wonder if this would also be something to consider for use on personal as well as business systems as an additional protection measure? It does show that someone will always be trying to break something MS puts out!

 

Thank you for the news.
So now (w10 user here ) the vulnerability is fixed?
Thank you

 

My reading of the info is that if you run the latest version of EMET, you are not subject to the reported vulnerability. That latest version is numbered 5.5, and you can download it from the Microsoft Download Center.

EMET has been available for free from MS for some time now. It is recommended for use on all modern Windows clients as a best practice by the MS in-house Security team, and by many third-party experts including Larry Seltzer and Ed Skoudis (both well-known Windows security and malware experts).

I've been running it on my clients since the early part of this decade (I first blogged about it in September 2012) and it hasn't posed any stability or behavior problems or caused any appreciable performance issues that I've noticed.

HTH,
--Ed--

 

Malwarebytes | Anti-Exploit Premium - Premium Zero-Day Exploit Protection *Biggrin