EMET bypassed

http://threatpost.com/latest-microsoft-100000-bounty-winner-bypasses-aslr-dep-mitigations/104328

 

So would you call EMET useless or is it still a good tool?

 

I would say it's still a good tool, it still stops most exploits and I guess the bypass will be fixed in the next version.

 

Just goes to show there is no security measure that is 100% infallible.

 

Please don't warp the definition of useless.

 

Bypassing EMET 4.1

http://labs.bromium.com/2014/02/24/bypassing-emet-4-1/

 

I hope v5.0 is not to0 long away.

 

Guess it'd good I don't use it.

 

how could you stop this then?

 

Wow, it's bypassed again and again. EMET has holes like a Swiss cheese.

 

IMHO, it's still a great idea to use EMET, until the day comes (if ever) when almost all malware is tested against EMET.

 

http://arstechnica.com/security/201...y-bypasses-microsoft-zero-day-protection-app/

 

complete nonsense. Take a look a the things that are widely used but can't work with EMET.
Finding some working bypasses and presenting them (like Bromium guys) is a huge effort for the future development - as it was in the past. That's the game.

 

At least EMET tries to mitigate the actual exploitation, unlike anti-virus products with their anti-exploit features, which only protect against the payloads. Yet the vendors go so far as to claim they even "prevent" exploits. I wonder how easily these guys would bypass anti-virus exploit protection. They'd probably have field day with it.

 

True, but the bypasses in the first post are not the same one as the new ones from Bromium, so the limitations may not apply there:
http://threatpost.com/latest-microsoft-100000-bounty-winner-bypasses-aslr-dep-mitigations/104328

Still, it's best that MS rewrites EMET fully. Afaik the generic limitations were already discussed on these forums long before.

 

Very interesting, thank you.

 

Just in time, EMET 5.0 technical preview:
https://blogs.technet.com/b/srd/arc...et-5-0-technical-preview.aspx?Redirected=true

 

Nice to see that they are right on it.

The quote is from: http://labs.bromium.com/2014/02/24/bypassing-emet-4-1/

I really wonder when we will get to see hypervisor based HIPS, like for example McAfee Deep Defender.

That will be the next step in security tools innovation.

 

See also: Announcing the Enhanced Mitigation Experience Toolkit (EMET) 5.0 Technical Preview
http://blogs.technet.com/b/msrc/arc...ience-toolkit-emet-5-0-technical-preview.aspx