Jump to content

[EMET] MBAE, EMET (Deep Hooks and ROP Mitigation)


Conan

Recommended Posts

Hello, using MBAE and EMET (with Deep Hooks and ROP Mitigation) crashes chrome browser.

 

If I use MBAE and EMET (with Deep Hooks and all ROP Mitigation are disabled) - Chrome starts

If I use MBAE and EMET (without Deep Hooks and all ROP Mitigation are enabled) - Chrome starts

If I use MBAE disabled and EMET (with Deep Hooks and all ROP Mitigation are enabled) - Chrome starts

 

 

Link to post
Share on other sites

  • Staff

Yes, EMET seems to have quite a bit of problems with Chrome. In fact Google posted a blog some time ago saying that users should NOT protect Chrome with EMET.

 

On the other hand MBAE is fully compatible with Chrome and we are working to also make it fully compatible with EMET.

Link to post
Share on other sites

Concerning Google Chrome on Windows XP SP3 with EMET 4.1

Without an obvious system change, Google Chrome became unresponsive after it was started (last evening it worked as it should). I was able to get Chrome working in the following circumstances: -

1. Deep Hooks disabled in EMET 4.1, MBAE Anti-Exploit protection enabled and all EMET 4.1 mitigations enabled except EAF for Chrome.

2. Deep Hooks enabled in EMET 4.1, MBAE Anti-Exploit protection disabled and all EMET 4.1 mitigations enabled except EAF for Chrome.

3. Deep Hooks enabled in EMET 4.1, MBAE Anti-Exploit protection enabled and EAF, Load lib, MemProt, Caller, SimEx and Stack pivot mitigations disabled for Chrome in EMET 4.1.

Subsequent to these evolutions, Acrobat 6 Professional would not start fully.

A system restart seems to have restored stability and Acrobat 6 Pro now works again as it had previously and should with all EMET 4.1 mitigations and Deep Hooks enabled.


On a second Windows XP SP3 system, Google Chrome runs with Deep Hooks enabled and all mitigations for Chrome except EAF enabled.

Link to post
Share on other sites

  • Staff

Seeing all the problems that exist between EMET and Chrome prior to the introduction of MBAE, I'm not sure fixing a tri-part compatibility issue between EMET, Chrome and MBAE will be a priority since the root of the problems is basically between EMET and Chrome. MBAE and Chrome don't seem to have a problem. Following Google's advice, I would recommend not using EMET to protect Chrome and relying on MBAE for Chrome protection against exploits.

Link to post
Share on other sites

That view seems quite reasonable.  Google's advice is surely authoritative.

 

Coincident on my previous comment, I have noticed that Adobe Reader 11 now runs in protected mode on that system with EMET mitigations enabled except for Caller, SimEx and Stack Pivot.  Previously it would not run in protected mode with all mitigations in EMET disabled (that is there was an entry for AcroRd32.exe in EMET with ALL mitigations unchecked).

Link to post
Share on other sites

Correction of my last comment:  Adobe Reader 11 was able to run with EMET mitigations as I stated BUT not when used in web mode, i.e. as a PDF reader in a web browser.  I had to revert to completely removing AcroRd32.exe from the EMET list.

 

:blush:

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.