Researchers have developed attack code that completely bypasses EMET, the free exploit-mitigation toolkit Microsoft promotes as a defense against zero-day attacks. The feat suggests criminal hackers are able to do the same thing when exploiting vulnerabilities that let them surreptitiously install malware.

The exploit code, developed by researchers from security firm Bromium Labs, bypasses each of the many protections included in EMET, short for Enhanced Mitigation Experience Toolkit, according to a whitepaper published Monday. Microsoft has long held out EMET as an important tool for hardening Windows computers beyond what the operating system does on its own, and the proof-of-concept exploit shows the limits of those protections. Bromium's write-up included a real-world example in which the attack circumvented mitigations designed to limit what malicious code can do once it exploits a security bug in a third-party application.

"The impact of this study shows that technologies that operate on the same plane of execution as potentially malicious code offer little lasting protection," Bromium Labs researchers wrote in a blog post. "This is true of EMET and other similar userland protections. That’s because a defense that is running in the same space as potentially malicious code can typically be bypassed, since there's no 'higher' ground advantage as there would be from a kernel or hypervisor protection. We hope this study helps the broader community understand the facts when making a decision about which protections to use."

The Bromium research was presented Monday at the BSides SF 2014 security conference in San Francisco. The researchers said their attack sliced through each of the protections available in EMET, including stack pivot protection, export address table access filtering (EAF), and the checks meant to block a malicious coding technique known as return-oriented programming (ROP). The researchers privately informed security personnel at Microsoft before going public with their findings; the software giant plans to credit the research when it releases the upcoming version 5 of EMET. Among the researchers who developed the exploit was Jared Demott, who earned third place in the BlueHat Prize contest, in which Microsoft paid cash awards for the creation of exploit mitigations.
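The argument the researchers make above, that a user-mode mitigation shares the attacker's address space, and the stack pivot protection named among the bypassed checks, can be illustrated with a small model. The C program below is an added example written for this page; it is not Bromium's exploit code and not part of EMET. It records a thread's stack range in a structure standing in for the Windows TEB fields (StackBase and StackLimit) that a stack pivot check consults; since Linux has no TEB, the range is filled in from the entry frame and the process's soft stack limit, which is an assumption of the model. All function and variable names are the example's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>

/* Model of the per-thread record Windows keeps in the TEB (StackBase and
 * StackLimit).  Linux has no TEB, so this constructed example fills the
 * record in from the entry frame and the soft stack limit (RLIMIT_STACK). */
struct thread_stack_record {
    uintptr_t limit;   /* lowest address the thread's stack may reach */
    uintptr_t base;    /* highest address of the thread's stack */
};

static struct thread_stack_record g_teb_model;

/* Enforcement state of the mitigation.  Like any user-mode protection it
 * lives in the same writable address space as the code it is checking. */
static volatile int g_checks_enabled = 1;

/* Called once at "thread start" with the address of a local in the entry
 * frame; everything the thread later pushes sits below that address. */
void record_thread_stack(const void *entry_frame)
{
    struct rlimit rl;
    uintptr_t top = (uintptr_t)entry_frame;
    g_teb_model.base = top;
    if (getrlimit(RLIMIT_STACK, &rl) == 0 && rl.rlim_cur != RLIM_INFINITY
        && (uintptr_t)rl.rlim_cur < top)
        g_teb_model.limit = top - (uintptr_t)rl.rlim_cur;
    else
        g_teb_model.limit = 0;   /* unlimited stack: no useful lower bound */
}

/* The mitigation proper: at a hooked API entry point, refuse the call if
 * the caller's stack pointer lies outside the thread's recorded range. */
bool stack_pivot_check(const void *sp)
{
    if (!g_checks_enabled)
        return true;             /* nothing is enforced once disabled */
    uintptr_t p = (uintptr_t)sp;
    return p >= g_teb_model.limit && p <= g_teb_model.base;
}

/* A call through the hook; sp is where the caller's stack pointer points. */
bool guarded_api_call(const void *sp)
{
    return stack_pivot_check(sp);
}

/* Any code already executing in the process, whether the application or a
 * payload that has gained an arbitrary write, can reach the flag.  This is
 * the "same plane of execution" limitation, shown in its simplest form. */
void disable_checks_in_process(void)  { g_checks_enabled = 0; }
void enable_checks_in_process(void)   { g_checks_enabled = 1; }

/* Scenario: a legitimate call whose stack pointer is a real stack address;
 * a pivoted call whose "stack" is a heap buffer; and the same pivoted call
 * after in-process code has cleared the enforcement flag. */
int demo(bool *legit_ok, bool *pivot_blocked, bool *pivot_after_disable)
{
    int entry_local = 0;                  /* marks this thread's entry frame */
    void *fake_stack = malloc(64);        /* constructed attacker-controlled buffer */
    if (fake_stack == NULL)
        return -1;
    record_thread_stack(&entry_local);
    enable_checks_in_process();
    *legit_ok = guarded_api_call(&entry_local);
    *pivot_blocked = !guarded_api_call(fake_stack);
    disable_checks_in_process();
    *pivot_after_disable = guarded_api_call(fake_stack);
    enable_checks_in_process();
    free(fake_stack);
    return 0;
}

int main(void)
{
    bool legit, blocked, after;
    if (demo(&legit, &blocked, &after) != 0)
        return 1;
    printf("legitimate call allowed:                %d\n", legit);
    printf("pivoted call blocked:                   %d\n", blocked);
    printf("pivoted call allowed after in-process disable: %d\n", after);
    return 0;
}
```

Run as a normal program it reports three results: the legitimate call passes, the call whose stack pointer is a heap address is refused, and the identical pivoted call passes once code inside the process has cleared `g_checks_enabled`. Nothing in the program's own address space can stop that last write, which is the "higher ground" point the researchers make; a check enforced from the kernel or a hypervisor keeps its state out of the protected process's reach, so a payload would have to cross a privilege boundary rather than flip a flag.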

Microsoft worked with Bromium on the original research, Jonathan Ness, principal security development manager in Microsoft's Trustworthy Computing group, said in a statement. What's more, he said, EMET 4.1, released several months ago, already contained a setting that addresses some of the issues. Ness didn't answer Ars's question about when EMET 5 would be released. Despite Microsoft's work to update EMET, the Bromium Labs researchers warned that there may not be much Microsoft's developers can do to fix some of the weaknesses.

"The bypasses leverage generic limitations, and are not easily repaired," they wrote.

As thorough as the Bromium Labs bypass is, the researchers said that EMET may still be worth using, depending on the specific computers being protected. They explained:

However, as was seen in our research, deploying EMET does mean attackers have to work a little bit harder; payloads need to be customized, and EMET bypass research needs to be conducted. Thus, EMET is good for the price (free), but it can be bypassed by determined attackers. Microsoft freely admits that it is not a perfect protection, and comments from Microsoft speakers at conference talks admit that as well. The objective of EMET is not perfection, but to raise the cost of exploitation. So the question really is not can EMET be bypassed. Rather, does EMET sufficiently raise the cost of exploitation? The answer to that is likely dependent upon the value of the data being protected. For organizations with data of significant value, we submit that EMET does not sufficiently stop customized exploits.

A recent in-the-wild attack that exploited a previously unknown vulnerability in Internet Explorer was designed to stay dormant on machines running EMET, a sign that attackers already treat the toolkit as an obstacle worth checking for before deploying a payload. The takeaway from Monday's disclosure should be that EMET remains an effective, but by no means infallible, protection.