News

Microsoft Offers Mitigation Security Tool for ISVs

Microsoft wants you to know that even as you read this article, "people around the world are hunting for vulnerabilities in software applications."

To help thwart such efforts, Microsoft this week announced a new mitigation security utility for application developers and IT professionals. The Enhanced Mitigation Evaluation Toolkit (EMET), currently at Version 1.0.2, is conceived as an "extensible framework" that will include future mitigation technologies as they are released, according to a Microsoft blog.

This EMET release contains just four mitigations: dynamic data execution prevention, heap spray allocation, NULL page allocation and structured exception handing. EMET users can opt into these mitigations for their applications by using the command line in the utility. Users don't have to have to recompile their applications after using the tool, according to the blog.

EMET is the latest component in Microsoft's overall Security Development Lifecycle strategy. It allows developers to write security into applications at a more granular or "command-line" level. Thus, instead of securing an entire application, programmers can code security parameters into a single process.

Security mavens like the idea of going deep into the anatomy of an application rather than just relying on anti-virus software or operating system security functions. For instance, Phil Lieberman, president of Lieberman Software, called EMET "a good value-add for Microsoft ISVs [independent software vendors]."

EMET allows Windows enterprise pros to "harden their applications for free," which is "always a good price," Lieberman said.

"This adds an extra post-production step that allows ISVs to make it much harder for hackers to exploit their applications," he added. "The extra post-production step hardens the rules for memory usage (finer grained protection) and also strengthens the exception mechanisms."

As hackers begin to focus more on specific applications, developers have begun to pay more attention to embedded security. EMET is worth a try in the face of server attacks, automated bugs, browser attacks and stack-buffer overflow exploits, according to Andrew Storms.

"Every third-party partner, application developer or part time coder should at least consider checking out the new EMET from Microsoft," said Storms, director of security at nCircle. "The toolkit makes it even easier to utilize the newest security enhancement mitigations built into the newer Microsoft operating systems."

EMET Version 1.0.2 can be accessed at the Microsoft Download Center here.

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.

Featured

  • Microsoft Nabs IoT Platform Provider Express Logic

    As part of its plan to invest $5 billion in IoT technologies, Microsoft this week acquired Express Logic, which provides real-time operating systems for industrial embedded and IoT devices.

  • Dealing with Broken Dependencies in SCVMM

    Brien shows you how to resolve some broken, template-related dependencies in Microsoft's System Center Virtual Machine Manager.

  • AzCopy Preview Adds AWS S3 Data Transfer Improvements

    Microsoft announced this week that it has improved the preview version of its AzCopy tool to better handle Amazon Web Services (AWS) S3 data.

  • Microsoft Adding Google G Suite Migration in Exchange Admin Center

    Microsoft's Exchange Admin Center will be getting the ability to move Google G Suite calendar, contacts and e-mail data over to the Office 365 service "in the coming weeks."

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.