Security Advisor

Microsoft Strengthens EMET Toolkit In Wake of Bypass

Microsoft announced the availability of EMET 5.0 Technical Preview at this week's RSA Conference.

Microsoft on Tuesday announced that its Enhanced Mitigation Experience Toolkit (EMET) 5.0 Technical Preview is now available.

Microsoft made the announcement at this week's RSA Conference in San Francisco, Calif., and said the latest preview of its free security utility used for protection against software vulnerabilities comes with new features to block some of the more recent attacks that have surfaced over the past few months.

"The techniques used in these attacks have inspired us with new mitigation ideas to disrupt exploitation and raise the cost to write reliable exploits," said Microsoft in a blog post. "The EMET 5.0 Technical Preview also implements additional defensive mechanisms to reduce exposure from attacks."

One of the key issues the technical preview will fix is security firm Bromium Labs' EMET bypass, which was detailed earlier in the week at the security conference. According to the firm, it is possible for attackers to construct a workaround that would nullify any of EMET's protective measures.

"We found that EMET was very good at stopping pre-existing memory corruption attacks (a type of hacker exploit)," wrote Bromium's Jared DeMott in a blog posted Monday. "But we wondered: Is it possible for a slightly more technical attacker to bypass the protections offered in EMET? And yes, we found ways to bypass all of the protections in EMET."

While the security hole was only publicly disclosed this week, the security firm alerted Microsoft to the issue at an earlier date, allowing Microsoft to address the vulnerability before making the technical preview available.

New Features
Microsoft said that besides a handful of minor changes from the previous EMET version, EMET 5.0 will include two new features: Attack Surface Reduction (ASR) and Export Address Table Filtering Plus (EAF+).

ASR will look to block plugins, like Java or Flash, from automatically running once a program that the plugin is associated with is opened. An example given was setting a rule that will have EMET automatically block the Adobe Flash Player plugin from initializing if a Microsoft Word document is opened with any Flash elements embedded.

The feature came about, according to Microsoft, in response to public requests made after a Java Internet Explorer zero-day incident surfaced last year.

"In mid-2013, we published a Fix it solution to disable the Oracle Java plug-in in Internet Explorer," wrote Microsoft. "We received a lot of positive feedback and a number of suggestions on how we could improve the Fix it. The most recurring suggestion we received was to allow the Oracle Java plug-in on intranet websites, which commonly run Line-of-Business applications written in Java, while blocking it on Internet Zone websites."

The second major new feature, EAF+, adds to the previous Export Address Table Filtering feature by protecting low-level modules and blocking attacks that are used to build return-oriented programming (ROP) gadgets in memory. When manually turned on, EAF+ will include protection from KERNELBASE exports (NTDLL.DLL and KERNEL32.DLL, for example), will initialize additional integrity checks on stack limits and stack registers when read from a low-level module, and will block memory read operations on protected export tables from suspicious modules.

Microsoft's goal in releasing a technical preview is to get customer feedback before the final version of EMET 5.0 is released. The free security tool preview can be downloaded here.

About the Author

Chris Paoli is the site producer for and

