EMET is a security tool provided by Microsoft to improve exploit-resistance of software running on Windows. Enterprises and users can deploy EMET on systems and configure which applications are protected by it. EMET then injects code into the selected processes that adds protection against common exploit techniques, typically causing the process to terminate if behavior is detected that appears to indicate an attack. Google Chrome 35+ is built for Windows using VS 2013 and is not compatible with EMET's ROP chain detection, and Google Chrome 53+ built with PGO optimizations is not compatible with EMET's EAF+ mitigation. Specific Compatibility issuesSome applications cannot run with EMET protections because they have internal behavior that, to EMET, resembles an exploit in progress. This does not mean the applications are dangerous or are doing anything harmful to the user. In this case EMET causes the application to unexpectedly terminate even though no actual attack conditions are present. Two specific incompatibilities have been found with EMET: ROP chain detection and prevention (Chrome 35+)One specific issue we have encountered with Chromium compiled using VS 2013 relates to tail-call optimizations in wrapper functions for Windows APIs. By using jmp to enter the Windows API call from the wrapper, the Visual Studio compiler avoids an additional call/ret pair, and the API would return directly into the wrapper function’s caller rather than the wrapper function itself. However, EMET protects various ‘critical’ Windows APIs against an exploit technique known as Return-Oriented Programming (ROP), and one of these protections is incompatible with tail-call optimization. EMET’s code checks that the return address from the API call is immediately preceded by a call to that API, since in ROP exploits this will typically not be the case but in normal function calls it will. The tail-call optimization violates EMET’s assumption and causes a false positive result for exploit detection. EAF (Export Address Table Filtering) and EAF+ (Chrome 53+ 64-bit)EMET subsequently incorrectly falsely detects our optimizations as an exploit attempting to patch system DLLs and as a result will not allow any sandboxed processes to start. The bug tracking this is 643775. A current workaround is to remove chrome_child.dll from the EAF+ DLL allowlist. Fix and WorkaroundsWe are in contact with Microsoft to investigate and address these problems. Microsoft currently is already recommending that the EMET caller mitigation not be enabled for Chrome. Google recommend that EAF+ protection be disabled for Chrome, and we are working with Microsoft to update their guidance. UsersIn the meantime, users experiencing this problem with Chrome or Chromium-based browsers can resolve the issue by either:
The Chrome security team does not generally recommend the use of EMET with Chromium because it has negative performance impact and adds no security benefit in most situations. The most effective anti-exploit techniques that EMET provides are already built into Chromium or superseded by stronger mitigations.
|
Chromium > Chromium Security >