Microsoft Windows subsystem vulnerable to EMET bypass

Microsoft WoW64 can be bypassed in just one step.
Microsoft WoW64 can be bypassed in just one step.

Microsoft's past success selling software to the masses may end up being its toughest problem going forward as some of this legacy software is now exploitable even though it is supposedly protected, researchers at Duo Labs determined.

Duo Labs' security researchers Darren Kemp and Mikhail Davidov issued a report named WoW64 and So Can You centered on the limitations of Microsoft's Enhanced Mitigation Experience Toolkit (EMET) when applied to protecting the Windows on Windows 64 subsystem, which allows 32-bit software to run on a 64-bit operating system.

“Microsoft provides backwards-compatibility for 32-bit software on 64-bit editions of Windows through the “Windows on Windows” (WoW) layer. Aspects of the WoW implementation provide interesting avenues for attackers to complicate dynamic analysis, binary unpacking, and to bypass exploit mitigations,” wrote Kemp and Davidov in the paper.

The researchers said they were able to get around the EMET, which is designed to protect older software from memory attacks. While this has been done before, this time the researchers demonstrated how to bypass the EMET in its entirety via a single instruction instead of having to bypass each mitigation individually.

Making this finding particularly important is that the researchers found that 80 percent of browsers run in a WOW64 environment, which means the vast majority of systems are vulnerable to memory attacks.

The researchers recommended using native 64-bit applications whenever possible and added that while EMET does have its flaws using it is imperative as it's still part of any defense-in-depth strategy.

Kemp and Davidov told Threat Post they contacted Microsoft alerting them of the danger, but they noted fixing the problem is unlikely due to the amount of work that would need to be done.

You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS