Microsoft has released a new version of its software exploit defense toolkit that offers enhanced capabilities...
to block plug-ins commonly used in zero-day attacks.
Officially announced Thursday, the Microsoft Enhanced Mitigation Experience Toolkit (EMET) 5.0 is a free software add-on for Windows that hardens the platform against common attack techniques such as man-in-the-middle attacks and memory attacks like buffer overflows.
The first generally available update since last July, EMET 5.0 incorporates several new capabilities. According to Microsoft, a new feature called Attack Surface Reduction (ASR) blocks specific application modules or plug-ins. It can be used to prevent oft-exploited plug-ins like Java or Flash from loading in Windows applications.
ASR can be configured to allow certain plug-ins to run in some instances, such as intranet applications deemed safe, while blocking them elsewhere, such as on the Web or in Word or Excel files.
Another new feature, called Export Address Table Filtering Plus (EAF+), builds on existing EAF capabilities with two new safeguards. One is additional integrity checks on stack registers and stack limits when export tables are read from certain lower-level modules. The other is the prevention of memory-read operations in certain instances when they originate from suspicious code that may be an indicator of memory-corruption bugs.
According to a blog post by Microsoft's EMET team, EAF+ is essentially a counter to a counter. It helps detect and disrupt attackers that seek to dynamically discover and execute code using Return Oriented Programming, an exploit technique used to bypass otherwise reliable defenses such as non-executable memory and digitally signed code.
EMET 5.0 also adds new support for 64-bit processes and enables more aggressive Certificate Trust rules so that Internet Explorer can terminate an SSL connection without sending session data.
For years Microsoft has advocated the use of EMET to ward off zero-day exploits, particularly among enterprises, noting that correct use of EMET would ward off up to 90% of attacks against Windows.
Microsoft launched a technical preview of EMET 5.0 at RSA Conference 2014 in San Francisco. More recently, researchers with Bromium Labs recently uncovered a method for bypassing all of EMET's protections, but experts affirmed that the toolkit remains a valuable shield for enterprises using Windows.