Solved

EMET crashing IE 10

Posted on 2014-10-24
Last Modified: 2014-11-03
Hello, we just updated our users to IE 10 and EMET crashes IE.

EMET detected Caller mitigation and will close the application: IEXPLORE.EXE

Caller check failed:
  Application       : C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  User Name       :
  Session ID       : 1
  PID             : 0xD40 (3392)
  TID             : 0x3F0 (1008)
  API Name       : ntdll.NtAllocateVirtualMemory
  ReturnAddress       : 0x6838F5E8
  CalledAddress       : 0x77CDFAC0
  StackPtr       : 0x0293F120

The odd thing is this started on all the computers after a few hours of use. Has anyone ever seen this?
Question by:Steelers4life
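
For triaging notifications like the one in the question across many machines, the following is an added example (not from the thread or from Microsoft) that parses the notification text and groups hosts by mitigation, API and the low 16 bits of ReturnAddress. Host names and the PC-02/PC-03 values are constructed, and the grouping is a heuristic that can collide across unrelated modules.

```python
import re
from collections import Counter

HEADER = re.compile(r"EMET detected (\S+) mitigation and will close the application: (\S+)")
FIELD = re.compile(r"^\s+([A-Za-z ]+?)\s*:\s*(.*)$")  # indented "Name : value" lines

# Notification layout as quoted in the question; only the fields used here are kept.
TEMPLATE = """EMET detected {mit} mitigation and will close the application: IEXPLORE.EXE

Caller check failed:
  Application       : C:\\Program Files (x86)\\Internet Explorer\\IEXPLORE.EXE
  User Name       :
  PID             : 0xD40 (3392)
  API Name       : {api}
  ReturnAddress       : {ret}
"""
# PC-01 uses the values from the question; host names and PC-02/PC-03 are constructed.
SAMPLES = {
    "PC-01": TEMPLATE.format(mit="Caller", api="ntdll.NtAllocateVirtualMemory", ret="0x6838F5E8"),
    "PC-02": TEMPLATE.format(mit="Caller", api="ntdll.NtAllocateVirtualMemory", ret="0x6A12F5E8"),
    "PC-03": TEMPLATE.format(mit="Caller", api="kernel32.VirtualProtect", ret="0x5C0A1234"),
}

def parse_event(text):
    """Turn one EMET notification into a dict; empty fields are skipped."""
    event = {}
    head = HEADER.search(text)
    if head:
        event["Mitigation"], event["Process"] = head.groups()
    for line in text.splitlines():
        field = FIELD.match(line)
        if field and field.group(2):
            event[field.group(1)] = field.group(2).strip()
    return event

def signature(event):
    """(mitigation, API, low 16 bits of ReturnAddress).
    Windows ASLR relocates images in 64 KB steps, so the low 16 bits of a
    code address stay the same for one module build on every machine."""
    ret = int(event["ReturnAddress"].split()[0], 16)
    return event["Mitigation"], event["API Name"], ret & 0xFFFF

def triage(events_by_host):
    """Count hosts per signature; a dominant one suggests a shared module."""
    return Counter(signature(parse_event(t)) for t in events_by_host.values())

if __name__ == "__main__":
    for (mit, api, low), hosts in triage(SAMPLES).most_common():
        print(f"{hosts} host(s): {mit} / {api} / return address ends in 0x{low:04X}")
```

A signature shared by most hosts is a reason to look at which module is loaded at that return address in IE (for example a common add-on or AV component) before changing mitigation settings fleet-wide.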

Accepted Solution

by:
btan earned 250 total points
ID: 40403450
Do check out the forum to give feedback, as most of the time it may be the plugin (like Flash or a recent add-on plugin, if any) or background AV on demand contributing to this. Another quick means is to try disabling just EAF & Stack Pivot (not EAF+), and it has worked for most (including others using IE11 on Windows 7 32).
https://social.technet.microsoft.com/Forums/security/en-US/d1ff5dad-9d92-4b95-87ec-c026a69663fc/ie-10-crash-with-emet-5?forum=emet

Also note: apparently the design decision was made in EMET 5 to disable Flash for the internet zone. I'd rather turn it on and have ActiveX filtering disable Flash except for a few select websites. Probably has to drill the EMET v5 default disabling ...

https://social.technet.microsoft.com/Forums/security/en-US/0902e272-40b4-4fdd-8a1d-f6f98a17e67f/emet-50-tp-ie-11-flash-broken?forum=emet

Assisted Solution

by:Rich Rumble
Rich Rumble earned 250 total points
ID: 40404415
We've seen EMET 5.0 crashing, but not 4.1, but only when our 64-bit users close IE or Office mostly; the applications simply restart, the programs thinking they didn't exit cleanly. We tried disabling EAF, EAF+ and Stack Pivot. I'm not sure why, so we've had to stick to 4.1 so far for our 64-bit users.
-rich

Author Comment

by:Steelers4life
ID: 40405073
Thanks, we removed it to stop the bleeding. We were using 4.1 on 64-bit machines.

Expert Comment

by:btan
ID: 40405525
Thanks for sharing. Meanwhile, there is an unpatched zero-day, CVE-2014-6352, for which the MS advisory stated EMETv5 as a workaround using the ASR (for flash*.ocx;packager.dll) - it disabled EAF, EAF+ & Stack Pivot for "dllhost.exe" but enabled them for the "POWERPNT.EXE". There is UAC enabled as well. You may want to take note for decision making in this period of exposure.
https://technet.microsoft.com/en-us/library/security/3010060.aspx

Author Closing Comment

by:Steelers4life
ID: 40419670
Neither of these really solved the problem but I give credit to anyone that helps.