Topic: Latest EMET Bypass Targets WoW64 Windows Subsystem

[paulsmith55]

Backwards compatibility, a necessary evil for Microsoft in its need to support so many legacy applications on Windows, may be its undoing as researchers have found a way to exploit this layer in the operating system to bypass existing mitigations against memory-based exploits. Specifically in this case, researchers at Duo Security have slid past Microsoft’s Enhanced Mitigation Experience Toolkit, or EMET, a suite of more than a dozen freely available mitigations against memory attacks that include ASLR, DEP, Export Address Table Filtering, Heapspray Allocation, and return-oriented programming mitigations.

The soft spot, the researchers said, is the Windows on Windows, or WoW64, Windows subsystem that allows 32-bit software to run on 64-bit Windows machines. A sizeable sample of Duo customers shows some disturbing numbers in terms of vulnerable users. For example, 80 percent of browsers in the researchers’ sample size were 32-bit processes executing on a 64-bit host running WOW64, putting them all at risk. EMET remains a viable protection for Windows users, one that Microsoft has marketed many times as a temporary stopgap between the disclosure of a zero-day vulnerability and the availability of a patch. But in the WoW64 example, EMET can be completely bypassed.

“It’s a classic, recurring problem that we see a lot in Windows where there’s a lot of legacy stuff to support, so you build a feature to facilitate that transition to run older software,” said Darren Kemp, security researcher at Duo Security. “But the side effect is that as the OSes are improving, yes you’re getting more and more security features, but they all maintain this specific compatibility layer and it’s in a path that created some interesting bypass scenarios for various security features like DEP and ASLR. We’re demonstrating that, but with an entirely different mechanism.” Duo said it reached out to Microsoft with its research and exploit, which was acknowledged.

The issue, however, would likely require significant re-architecting of Windows with regard to the support of 32-bit applications on 64-bit systems, which is unlikely. “The subsystem results in some limitations, by design. And those limitations have a negative impact on security software,” Kemp said. “It’s simply a limitation of Windows.

It’s not an inherent vulnerability, but it essentially makes the mitigation ineffective in essentially all cases of 32-bit software running on 64-bit version of Windows.” Kemp and his colleague and senior security researcher Mikhail Davidov modified an existing exploit for a patched Adobe Flash use-after-free vulnerability (CVE-2015-0311) to get past EMET. They explain in a paper released today that 32-bit applications under WoW64 behave unlike they do in 32-bit systems; the processor’s ability to switch between execution modes at runtime opens up a number of exploit options for attackers.

See more at: Latest EMET Bypass Targets WoW64 Windows Subsystem http://wp.me/p3AjUX-tYs

Latest's EMET @ https://technet.microsoft.com/en-us/security/jj653751