What are the new features in Microsoft's Enhanced Mitigation Experience Toolkit 5.0 and how can enterprises benefit...
from their use, especially those that still have Windows XP machines?
Microsoft's Enhanced Mitigation Experience Toolkit (EMET) was first released in 2009 and has become an important layer of enterprise defenses, helping many organizations prevent software vulnerabilities from being successfully exploited.
Most of its protection technologies are standard in Windows 8.1, but for those running older versions of the Windows operating system -- such as Windows XP Service Pack 3 -- it provides several mitigations, including Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP) and Structured Exception Handling Overwrite Protection, that block exploit attempts targeting memory vulnerabilities.
However, as attack methods and exploit payloads continue to evolve, researchers have developed techniques for bypassing some of EMET's mitigations. Recently, researchers at Bromium Labs developed a complete EMET bypass. To combat developments like this and incorporate feedback from clients, Microsoft released the EMET 5.0 Technical Preview, allowing users to test out new features aimed at disrupting and blocking the attacks that EMET has experienced over the past several months.
Many network administrators will certainly welcome EMET 5.0's new Attack Surface Reduction feature, as it provides more control over how plug-ins are loaded into applications. Despite the many risks Java and Adobe Flash expose users to, banning these plug-ins completely is not a realistic option for most organizations, as critical line-of-business applications are often Java-based and require Flash to function. With EMET 5.0, Java plug-ins can be restricted to running only in specific security zones (like the Intranet zone) and the Adobe Flash Player plug-in can be configured to load only in a browser and not in Office applications such as Word or Excel (embedding malicious Flash files inside Office documents is a common attack technique).
Ask the expert
Perplexed about application security? Send Michael Cobb your questions today! (All questions are anonymous.)
The other main feature EMET 5.0 introduces to defeat advanced attacks is Export Address Table Filtering Plus (EAF+), an improved version of EAF that has additional safeguards and enhanced capabilities to block certain exploitation techniques used to build dynamic return-oriented programming (ROP) gadgets in memory from export tables. ROP-based exploitation code has been found in a lot of malware over the past year as a means of bypassing ASLR and DEP protection. Following work with third-party software vendors, Microsoft has fixed several application compatibility issues, including the MemProt mitigation that affected Adobe Reader in particular. This means that Deep Hooks API protections can be enabled in the Technical Preview to assess the possibility of having it turned on by default in the final 5.0 release. (This mitigation technology has proven to be effective against certain advanced exploits using ROP gadgets with lower level APIs, such as the Bromium bypass mentioned earlier).
Administrators can configure which applications they want to protect through which mitigation techniques and then use EMET's built-in support for Group Policy and System Center Configuration Manager to deploy it. For enterprises struggling to upgrade machines from Windows XP, EMET is an essential layer of protection during the upgrade process, as its logs can provide insight into which systems are most at risk.
EMET is great value -- it's free -- and it does improve security, particularly for older versions of Windows. However, it can't provide complete protection. Microsoft's stated objective for EMET is to raise the cost of exploitation for hackers; it's not meant to be a long-term cure for vulnerabilities in legacy IT systems, but to provide breathing space until a more permanent fix can be deployed, such as a patch, upgrade or antimalware update. As Bromium researchers found, EMET isn't foolproof, but deploying it across the enterprise can block many common attack techniques, making it harder for hackers to gain a foothold on systems that don't natively support these latest mitigation technologies.
The purpose of releasing a technical preview is so Microsoft can gather customer feedback to improve the final release, which is likely to happen later this year. This isn't just a marketing ploy; the release of version 4.1 was delayed following feedback from a beta user. Users can download EMET 5.0 Technical Preview from the Microsoft Download Center.
Dig Deeper on Microsoft Windows security
Related Q&A from Michael Cobb
Expert Michael Cobb details how to argue for a multistep secure code review process, like Microsoft SDL, and the pros of secure coding practices. Continue Reading
Researchers developed a tool to help prevent improper certificate pinning that causes security issues. Expert Michael Cobb reviews the issue and the ... Continue Reading
Google Project Zero discovered a WPAD attack that could target systems running Windows 10. Expert Michael Cobb explains how the attack works and how ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.