How to determine EMET caller mitigation?

I run EMET on my Windows machines. It works great - it stops a number of threats in their tracks by enforcing some mitigations on applications. I can't count how many times it stopped Internet Explorer due to a website trying to exploit a bug...

I'm having a problem with Word 2013 under EMET. Whenever I create a new document and then save it, EMET stops Word. Whatever triggers EMET, it's related to clicking/tapping the Browse button under Save As. So it's related to the File Save dialog (open and save are OK through keyboard shortcuts; it's specifically the File Save dialog).

When EMET stops Word, the following error is written to the application event log:

    EMET detected Caller mitigation and will close the application: WINWORD.EXE

    Caller check failed:
      Application   : C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE
      User Name     : Windows8\John Doe
      Session ID    : 1
      PID           : 0xBE4 (3044)
      TID           : 0x6DC (1756)
      API Name      : ntdll.NtCreateFile
      ReturnAddress : 0x165EB24A
      CalledAddress : 0x7729CE80
      TargetAddress : 0x165EA820
      StackPtr      : 0x04ECF494

I don't know what EMET found offensive, so I can't turn it off in the application's configuration (i.e., Word's particular remediations under EMET). Here's what the choices look like. I already switched off EAF and EAF+ because EMET specifically complained about them earlier (DEP is off because I'm grasping at straws):

How can I determine what EMET caller mitigation was invoked on Word?


These are probably related: IE 10 crashes on 'File Upload' when using EMET. But the linked question triggers EMET on a File Upload in IE.

jww

Posted 2015-01-13T01:27:58.823

Reputation: 1

For future visitors, I needed to turn *OFF* EAF, EAF+ and ROP Caller Check in Word under Windows 8. I suspect Internet Explorer has the same problem (I used to get a similar (same?) crash on Windows 7/IE 10/EMET during a Save As operation). But I'd still like to know how to determine the problem EMET mitigated, rather than guessing. – jww – 2015-01-13T01:49:20.020

JWW, I agree about the use of EMET. Though I've added a number of applications that open documents or web pages to EMET, it has been difficult to find out which mitigations cause the application to break. Most run with EAF+ and ASR turned off, but Firefox, Media Player Classic-HC and others need DEP disabled and so forth. It is surprising that EMET comes misconfigured for MS Word, as both are MS products! If you find a site with guidelines for EMET for common apps, please post it. Thanks. – DrMoishe Pippik – 2015-01-13T02:19:24.870

What version of EMET specifically? – Ramhound – 2015-01-13T03:52:40.187

@Ramhound - EMET 5.1. Everything is fully patched. – jww – 2015-01-13T16:47:37.527
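The event text quoted in the question already names the mitigation that fired: the word after "EMET detected" ("Caller") is the mitigation, and it corresponds to the "Caller (ROP Caller Check)" checkbox in Word's per-application settings, while "API Name" tells you which call it intercepted. The following script is an added example, not code from the thread or from EMET; it parses that message shape (assumed from the single event shown here) and maps the mitigation name onto the EMET GUI setting names used in this thread, so an admin can toggle exactly one checkbox instead of guessing. The sample event is the one from the question, embedded as constructed input so it runs offline.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed sample input: the application-log entry quoted in the question,
# embedded here so the example runs without access to the event log.
SAMPLE_EVENT = (
    "EMET detected Caller mitigation and will close the application: WINWORD.EXE\n"
    "\n"
    "Caller check failed:\n"
    "  Application   : C:\\Program Files (x86)\\Microsoft Office\\Office15\\WINWORD.EXE\n"
    "  User Name     : Windows8\\John Doe\n"
    "  Session ID    : 1\n"
    "  PID       : 0xBE4 (3044)\n"
    "  TID       : 0x6DC (1756)\n"
    "  API Name  : ntdll.NtCreateFile\n"
    "  ReturnAddress     : 0x165EB24A\n"
    "  CalledAddress     : 0x7729CE80\n"
    "  TargetAddress     : 0x165EA820\n"
    "  StackPtr  : 0x04ECF494\n"
)

# Assumption: the word between "EMET detected" and "mitigation" is the mitigation
# name and corresponds to a per-application checkbox in the EMET GUI. Only names
# that appear in this thread are mapped; anything else is reported verbatim.
MITIGATION_TO_SETTING = {
    "Caller": "Caller (ROP Caller Check)",
    "EAF": "EAF",
    "EAF+": "EAF+",
    "DEP": "DEP",
    "ASR": "ASR",
    "Fonts": "Fonts",
}

HEADER_RE = re.compile(
    r"EMET detected (?P<mitigation>\S+) mitigation and will close the application: (?P<exe>\S+)"
)
# "Key   : value" lines; the "<name> check failed:" line has no value and is skipped.
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z ]*?)\s*:\s*(?P<value>\S.*?)\s*$")
HEX_RE = re.compile(r"0x[0-9A-Fa-f]+")


@dataclass
class EmetEvent:
    mitigation: str                  # e.g. "Caller"
    executable: str                  # e.g. "WINWORD.EXE"
    setting: str                     # GUI checkbox to examine, e.g. "Caller (ROP Caller Check)"
    fields: Dict[str, str] = field(default_factory=dict)

    def hex_value(self, key: str) -> Optional[int]:
        """Integer form of a hex field such as PID, TID or ReturnAddress."""
        m = HEX_RE.search(self.fields.get(key, ""))
        return int(m.group(0), 16) if m else None

    @property
    def api(self) -> str:
        return self.fields.get("API Name", "<unknown>")


def parse_emet_event(text: str) -> EmetEvent:
    """Parse one EMET 'will close the application' event message into its parts."""
    header = HEADER_RE.search(text)
    if not header:
        raise ValueError("not an EMET application-closed event")
    mitigation, exe = header.group("mitigation"), header.group("exe")
    event = EmetEvent(
        mitigation=mitigation,
        executable=exe,
        setting=MITIGATION_TO_SETTING.get(mitigation, mitigation),
    )
    for line in text.splitlines()[1:]:  # skip the header line itself
        m = FIELD_RE.match(line)
        if m:
            event.fields[m.group("key")] = m.group("value")
    return event


def describe(event: EmetEvent) -> str:
    """One-line summary: which EMET checkbox fired, on which API call."""
    return (
        f"{event.executable} (PID {event.hex_value('PID')}) was closed by the "
        f"'{event.setting}' mitigation during {event.api}; "
        f"return address {event.fields.get('ReturnAddress', '?')}."
    )


if __name__ == "__main__":
    print(describe(parse_emet_event(SAMPLE_EVENT)))
```

Feed it the message body of each EMET entry from the Application log (for example, exported from Event Viewer) and the summary tells you which single setting to disable for that executable; re-enabling the rest afterwards keeps the remaining protections in place instead of switching off EAF, DEP and Caller together as a guess.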

Answers

I saw the same problem with Word 2013 (Office Home and Business 2013 v15.0.4779.1002) on Win7 Prof. 64-bit with EMET 5.5.5736.25442: I had a docx opened in compatibility mode and when I tried to switch to "FILE" in the ribbon to convert it, Word immediately crashed.

Initially, for the app WINWORD.EXE, everything was activated in EMET except EAF+ and Fonts. I only had to additionally deactivate Caller (ROP Caller Check) to avoid these crashes.

Thomas Popp

Posted 2015-01-13T01:27:58.823

Reputation: 51

Rather than go into great detail about how you had the same problem, explain details of how you fixed the issue. If you have references to supporting documents, add those to support your claim. – CharlieRB – 2016-02-19T14:11:30.933

Dear @CharlieRB, I'm quite sure that in the sentence printed in bold, I explained in full detail how I fixed the issue. Furthermore, there were no additional "supporting documents", just the initial posting I was answering - sorry for that, but should I really note that down explicitly (every time it is the case)? And as far as I get logic right, I didn't make a claim but reported a fact. Finally, your know-it-all statement about the "great detail" I should better not go into is just amusing and in my view doesn't support your claim of being an IT technician etc. in your profile. Regards. – Thomas Popp – 2016-02-21T15:30:00.580

Sorry to have offended you. I was giving feedback to help improve the quality of your answer for the sake of the community we call Super User. Documentation found during research is helpful, but not required. It just backs up claims of a proper answer. There is no reason for personal attacks. – CharlieRB – 2016-02-21T18:31:55.930

Dear @CharlieRB, I'm also sorry for my harsh reaction. But I was really upset by your comment: I clearly describe the fix that worked for me and as long as I have been working in IT business now (almost 20 years), details about how an error can be reproduced and the environment (program versions etc.) have always been among the first things to be asked. And that you still denote my answer as claim is just strange. Of course it would have been better to put my answer as a comment to the original post, but I'm not (yet) allowed to add such a comment. I just thought my finding might be helpful... – Thomas Popp – 2016-02-22T12:32:18.257