I run EMET on my Windows machines. It works great - it stops a number of threats in their tracks by enforcing some mitigations on applications. I can't count how many times it stopped Internet Explorer due to a website trying to exploit a bug...
I'm having a problem with Word 2013 under EMET. Whenever I create a new document and then save it, EMET stops Word. Whatever triggers EMET, it's related to clicking/tapping the Browse button under Save As. So it's related to the File Save dialog (open and save are OK through keyboard shortcuts. It's specifically the File Save dialog).
When EMET stops Word, the following error is written to the application event log:
EMET detected Caller mitigation and will close the application: WINWORD.EXE
Caller check failed:
Application : C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE
User Name : Windows8\John Doe
Session ID : 1
PID : 0xBE4 (3044)
TID : 0x6DC (1756)
API Name : ntdll.NtCreateFile
ReturnAddress : 0x165EB24A
CalledAddress : 0x7729CE80
TargetAddress : 0x165EA820
StackPtr : 0x04ECF494
I don't know what EMET found offensive, so I can't turn it off in the application's configuration (i.e., Word's particular remediations under EMET). Here's what the choices look like. I already switched off EAF and EAF+ because EMET specifically complained about them earlier (DEP is off because I'm grasping at straws):
How can I determine what EMET caller mitigation was invoked on Word?
These are probably related: IE 10 crashes on 'File Upload' when using EMET. But the linked question triggers EMET on a File Upload in IE.
For future visitors, I needed to turn *OFF* EAF, EAF+ and ROP Caller Check in Word under Windows 8. I suspect Internet Explorer has the same problem (I used to get a similar (same?) crash on Windows 7/IE 10/EMET during a Save As operation). But I'd still like to know how to determine the problem EMET mitigated, rather than guessing. – jww – 2015-01-13T01:49:20.020
JWW, I agree about the use of EMET. Though I've added a number of applications that open documents or web pages to EMET, it has been difficult to find out which mitigations cause the application to break. Most run with EAF+ and ASR turned off, but Firefox, Media Player Classic-HC and others need DEP disabled and so forth. It is surprising that EMET comes misconfigured for MS Word, as both are MS products! If you find a site with guidelines for EMET for common apps, please post it. Thanks. – DrMoishe Pippik – 2015-01-13T02:19:24.870
What version of EMET specifically? – Ramhound – 2015-01-13T03:52:40.187
@Ramhound - EMET 5.1. Everything is fully patched. – jww – 2015-01-13T16:47:37.527
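Added example, not part of the original question or comments: a small Python parser for the event text quoted in the question. It reads the triggering mitigation from the event's headline ("Caller" here) and tallies stops per application, mitigation and API; the function names are illustrative, and the sample input is the event from the question.

```python
import re
from collections import Counter

# The event text quoted in the question (Application event log, EMET 5.1).
SAMPLE_EVENT = r"""EMET detected Caller mitigation and will close the application: WINWORD.EXE
Caller check failed:
Application : C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE
User Name : Windows8\John Doe
Session ID : 1
PID : 0xBE4 (3044)
TID : 0x6DC (1756)
API Name : ntdll.NtCreateFile
ReturnAddress : 0x165EB24A
CalledAddress : 0x7729CE80
TargetAddress : 0x165EA820
StackPtr : 0x04ECF494
"""

HEADLINE = re.compile(
    r"EMET detected (?P<mitigation>\S+) mitigation and will close the application: (?P<image>\S+)")
FIELD = re.compile(r"^(?P<key>[A-Za-z ]+?)\s*:\s*(?P<value>\S.*?)\s*$")

def parse_emet_event(text):
    """Return the mitigation named in the headline plus the event's key/value fields."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    head = HEADLINE.match(lines[0]) if lines else None
    if head is None:
        raise ValueError("not an EMET mitigation event")
    event = {"Mitigation": head["mitigation"], "Image": head["image"]}
    for line in lines[1:]:
        field = FIELD.match(line)
        if field is None:          # e.g. the "Caller check failed:" line has no value
            continue
        value = field["value"]
        # PID, TID and the address fields are hex; keep them as integers.
        event[field["key"]] = int(value.split()[0], 16) if value.startswith("0x") else value
    return event

def blocked_by_mitigation(event_texts):
    """Count stops per (image, mitigation, API) so the setting to review is read, not guessed."""
    counts = Counter()
    for text in event_texts:
        ev = parse_emet_event(text)
        counts[(ev["Image"], ev["Mitigation"], ev.get("API Name", "?"))] += 1
    return counts

if __name__ == "__main__":
    for key, n in blocked_by_mitigation([SAMPLE_EVENT]).items():
        print(n, *key)
```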