EMET bypass in Wow64 Windows subsystem

One of the greatest strengths of the Windows operating system is backwards compatibility. Many classic programs from the DOS-age or early-Windows days are still running fine on modern versions of Windows.

Along with the strength comes a weakness, as exploits may target these legacy systems.

Researchers at Duo Security discovered an issue in Microsoft's Enhanced Mitigation Experience Toolkit (EMET) that allows them to bypass the protection it adds to the system by using the WoW64 compatibility layer provided by 64-bit versions of Windows.

WoW, or Windows on Windows, enables 32-bit applications to run on 64-bit machines. While most Windows systems these days are 64-bit machines, many of the programs run on these machines are not.

WoW64 is part of all 64-bit versions of Windows including Windows 7, Windows 8.1 and Windows 10 as well as all server editions of the operating system.

The WoW64 subsystem comprises a lightweight compatibility layer that has similar interfaces on all 64-bit versions of Windows. It aims to create a 32-bit environment that provides the interfaces required to run unmodified 32-bit Windows applications on a 64-bit system.

For web browsers for example the researchers found out, that 80% are still 32-bit processes that execute on the 64-bit host machine, 16% are 32-bit processes executed on 32-bit hosts, and only 4% true 64-bit processes (based on a week-long sample of browser authentication data for unique Windows systems).

One core finding was that EMET mitigations are far less effective under the Wow64 subsystem and that changing that would require major modifications to how EMET works.

The researchers are aware of the fact that EMET mitigations have been disclosed before but most deal with bypassing mitigations individually. Their method on the other hand enables them to bypass all payload/shellcode execution and ROP-related mitigations in a " a generic, application-independent way, using the WoW64 compatibility layer provided in 64-bit editions of Windows".

A research paper is available in PDF format. You may download it from the Duo Security website directly.

You are probably wondering what the take-away is. The researchers suggest to use native 64-bit applications whenever 32-bit and 64-bit versions of a program are available.

The main reason for that is that 64-bit binaries offer security benefits and make "some aspects of exploitation more difficult".

EMET is still recommended by the researchers as it "continues to raise the bar for exploitation" and "is still an important part of a defense-in-depth strategy".

Now You: Do you run EMET or other mitigation software on Windows?