Microsoft launches technical preview of Emet 5.0

Warwick Ashford

Microsoft has launched the technical preview of the latest version of its free enhanced mitigation experience toolkit (Emet) at RSA Conference 2014 in San Francisco.

First introduced in late 2009, Emet is designed to help enterprises block targeted attacks against zero-day vulnerabilities in older Microsoft platforms and third-party or line-of-business applications.

120815_013.jpg

Andrea Danti - Fotolia

“We want security researchers and IT pros to try it out and give us feedback to make it better before we release version 5.0 later this year,” said Jonathan Ness, principal security development manager at Microsoft Trustworthy Computing.

Version 5.0 adds two new protections for enterprises on top of the 12 built-in security mitigations included in version 4.1.

First, an attack surface reduction mitigation helps enterprises protect third-party and custom-built applications by selectively enabling Java, Adobe Flash Player and Microsoft or third-party plugins.

“Enterprises can configure Java to load on the intranet for line-of-business applications but not on the internet,” Ness told Computer Weekly.

“Most businesses need Java only internally, but this opens them up to vulnerabilities on the internet. Emet 5.0 enables enterprises to block Java where they do not need it,” he said.

Similarly, Adobe Flash Player can be configured to work only in browsers but not in Microsoft Office products that can be used as a delivery mechanism for malware exploiting Flash vulnerabilities.

Second, Emet version 5.0 introduces enhancements to the existing export address table filtering (EAF) mitigation available in the current version 4.1 that is aimed at blocking shell code.

According to the Emet development team, EAF+ consolidates protection of lower-level modules and prevents certain exploitation techniques used to build dynamic return-oriented programming (ROP) gadgets in memory from export tables.

“The improved rules and heuristics can, for example, prevent Flash exploits used to bypass address space layout randomisation (ASLR) and data execution prevention (DEP),” said Ness.

The Emet development team said when EAF+ is enabled, it will add safeguards over and above the existing EAF checks. These include:

  • Protection for Kernelbase exports in addition to the existing NTDLL.DLL and Kernel32.DLL;
  • Additional integrity checks on stack registers and stack limits when export tables are read from certain lower-level modules;
  • Prevention of memory read operations on protected export tables when they originate from suspicious modules that may reveal memory corruption bugs used as “read primitives” for memory probing.

These two enhancements improve Emet’s ability to divert, terminate, block or invalidate the most common actions and techniques attackers might use in compromising a computer.

“Enterprises in all industry segments and of all sizes rely on Emet as a key component of their defence-in-depth strategies and has proven to be good against attacks in the wild,” said Ness.

Emet is recommended by the US Department of Defense (DoD) and other influential bodies, which Microsoft hopes will help drive adoption of Emet even further.

The launch of the Emet 5.0 technical preview comes a day after security firm Bromium published a study claiming to be able to bypass the protection offered by Emet version 4.1.

However, Ness said the test case presented by Bromium uses Emet without the Deep Hooks mitigation setting enabled and an exploit of Microsoft Internet explorer that has been patched.

“Enabling this setting addresses this issue,” he said.

The technical preview of Emet 5.0 enables the Deep Hooks mitigation setting to evaluate the possibility of having this setting turned on by default in the final Emet 5.0 release.

Emet developers said Deep Hooks has proven to be effective against certain advanced exploits using ROP gadgets with lower level application programming interfaces (APIs).

Finally, Emet developers said they have also introduced some additional hardening to protect Emet’s configuration when loaded in memory, and fixed several application compatibility issues.

“Not every enterprise will adopt Emet, but all enterprises that run Windows benefit from proven Emet attack mitigation techniques that are built into new version of the operating system,” said Ness.

 

COMMENTS powered by Disqus  //  Commenting policy