The Windows WoW64 subsystem used to support older (or newer) 32-bit applications on 64-bit architectures can be leveraged to bypass security measures added by Microsoft with the introduction of the Enhanced Mitigation Experience Toolkit (EMET).

WoW64, or "Windows 32-bit on Windows 64-bit," is a subsystem (component) of recent versions of the Windows operating system, which allow Windows 64-bit versions to run applications designed for 32-bit processors. WoW64 plays a crucial part in the Windows OS, working as a legacy layer that allows older tools to run on more modern hardware and software.

On the other hand, EMET is a collection of security measures packed into one single tool, which Microsoft uses to mitigate and protect Windows computers from vulnerabilities found in third-party applications.

In previous years, security researchers have proved many times that various other exploit mitigation tools and antivirus solutions lose their effectiveness when running on the WoW64 subsystem.

One single line of code can bypass EMET protection for WoW64 applications

As security researchers from Duo Labs have discovered, the same is now true for Microsoft's EMET, which, unlike previous studies, can even be bypassed with one single line of code.

As Duo Labs researchers explain, the problem relies on the fact that EMET was specifically designed to inspect 32- and 64-bit processes. What it does not cover as efficiently is WoW64 processes.

This opens the door for more targeted attacks, where malware can specifically search for WoW64 processes, bypass EMET, and then leverage known vulnerabilities in older 32-bit software.

Microsoft needs to fix either EMET or the WoW64 subsystem

The researchers claim that EMET is not at fault here, but Microsoft's OS design choices, which contradict themselves, are. While on one hand, the company is adding more and more top-of-the-line security measures into its OS, they are also undermining all of them by allowing legacy software to still run on the system.

While a more secure OS is an idealistic dream, the researchers don't blame Microsoft, because they also do understand the complexity and the fragmentation that make up the current OS and hardware market.

Their recommendation is for users to use 64-bit software whenever possible, and for Microsoft to continue to develop EMET, optimally adding support for WoW64 processes.

"Moving forward, we urge more researchers to treat WoW64 as a unique architecture when considering an application’s threat model," say Duo Labs researchers. "Under optimal conditions, EMET continues to raise the bar for exploitation. As such, it is still an important part of a defense-in-depth strategy."

More details and a case study can be found in Duo Labs' report.