Security Advisor

Microsoft Strengthens EMET Toolkit In Wake of Bypass

Microsoft announced the availability of EMET 5.0 Technical Preview at this week's RSA Conference.

Microsoft on Tuesday announced that its Enhanced Mitigation Experience Toolkit (EMET) 5.0 Technical Preview is now available.

Microsoft made the announcement at this week's RSA Conference in San Francisco, Calif., and said the latest preview of its free security utility used for protection against software vulnerabilities comes with new features to block some of the more recent attacks that have surfaced over the past few months.

"The techniques used in these attacks have inspired us with new mitigation ideas to disrupt exploitation and raise the cost to write reliable exploits," said Microsoft in a blog post. "The EMET 5.0 Technical Preview also implements additional defensive mechanisms to reduce exposure from attacks."

One of the key issues the technical preview addresses is the EMET bypass from security firm Bromium Labs that was detailed earlier in the week at the conference. According to the firm, attackers can construct workarounds that nullify each of EMET's protective measures.

"We found that EMET was very good at stopping pre-existing memory corruption attacks (a type of hacker exploit)," wrote Bromium's Jared DeMott in a blog posted Monday. "But we wondered: Is it possible for a slightly more technical attacker to bypass the protections offered in EMET? And yes, we found ways to bypass all of the protections in EMET."

While the security hole was only publicly disclosed this week, the security firm alerted Microsoft to the issue at an earlier date, allowing for Microsoft to address the vulnerability before making the technical preview available.

New Features
Microsoft said that besides a handful of minor changes from the previous EMET version, EMET 5.0 will include two new features: Attack Surface Reduction (ASR) and Export Address Table Filtering Plus (EAF+).

ASR is designed to block plugins, such as Java or Flash, from loading automatically inside a program that would otherwise host them. The example given was a rule that has EMET block the Adobe Flash Player plugin from initializing whenever a Microsoft Word document containing embedded Flash elements is opened.

According to Microsoft, the feature grew out of public requests that followed a Java zero-day incident in Internet Explorer last year.

"In mid-2013, we published a Fix it solution to disable the Oracle Java plug-in in Internet Explorer," wrote Microsoft. "We received a lot of positive feedback and a number of suggestions on how we could improve the Fix it. The most recurring suggestion we received was to allow the Oracle Java plug-in on intranet websites, which commonly run Line-of-Business applications written in Java, while blocking it on Internet Zone websites."
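To make the rule logic concrete, here is an added example that models the kind of per-process plugin policy described above, with the intranet exception Microsoft mentions. It is illustrative code written for this article, not EMET's configuration format or implementation; the rule class, the zone labels and the plugin module names are all constructed for the example.

```python
"""Model of an Attack Surface Reduction (ASR) style plug-in rule set.

Hypothetical illustration of the policy described in the article; it is
not EMET's configuration format or code. Rule names, zone labels and the
sample module names below are constructed for this example.
"""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

INTRANET = "intranet"   # constructed zone labels
INTERNET = "internet"


@dataclass(frozen=True)
class AsrRule:
    # Host process the rule applies to (matched case-insensitively).
    process: str
    # Plug-in modules that must not initialize inside that process.
    blocked_modules: Sequence[str]
    # Zones in which those modules are nevertheless allowed; empty = never.
    allowed_zones: frozenset = frozenset()

    def matches(self, process: str, module: str) -> bool:
        blocked = {m.lower() for m in self.blocked_modules}
        return process.lower() == self.process.lower() and module.lower() in blocked


# Constructed sample policy: the Flash plug-in stays out of Word; the Java
# plug-in stays out of Internet Explorer unless the page is in the intranet
# zone. Module names are placeholders, not the real plug-in file names.
SAMPLE_RULES = [
    AsrRule("winword.exe", ["flashplugin.ocx"]),
    AsrRule("iexplore.exe", ["javaplugin.dll"], frozenset({INTRANET})),
]


def decide(rules: Sequence[AsrRule], process: str, module: str,
           zone: Optional[str] = None) -> Tuple[bool, str]:
    """Return (blocked, reason) for one plug-in load attempt.

    The first matching rule wins; a zone exemption only applies when the
    host supplies a zone for the content that triggered the load.
    """
    for rule in rules:
        if not rule.matches(process, module):
            continue
        if zone is not None and zone.lower() in rule.allowed_zones:
            return False, f"{module} allowed in {process}: zone '{zone}' is exempt"
        return True, f"{module} blocked in {process}"
    return False, f"no rule covers {module} in {process}"


def blocked_loads(rules: Sequence[AsrRule], events):
    """Filter a sequence of (process, module, zone) load events to the ones
    the policy would block. Useful for auditing a policy against a log."""
    return [e for e in events if decide(rules, *e)[0]]


if __name__ == "__main__":
    # Constructed load events, as a host process might report them.
    events = [
        ("WINWORD.EXE", "flashplugin.ocx", None),
        ("iexplore.exe", "javaplugin.dll", INTERNET),
        ("iexplore.exe", "javaplugin.dll", INTRANET),
        ("excel.exe", "flashplugin.ocx", None),
    ]
    for ev in events:
        print(decide(SAMPLE_RULES, *ev)[1])
```

Matching is case-insensitive because Windows process and module names are; the zone check is deliberately opt-in so that a load with no zone information falls back to the stricter default of blocking.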

The second major new feature, EAF+, extends the existing Export Address Table Filtering feature by protecting low-level modules and blocking the memory reads attackers use to locate return-oriented programming (ROP) gadgets. When manually turned on, EAF+ adds protection for the export table of KERNELBASE (alongside NTDLL.DLL and KERNEL32.DLL), performs additional integrity checks on stack limits and stack registers when a read originates from a low-level module, and blocks memory read operations on protected export tables from suspicious modules.

Microsoft's goal in releasing a technical preview is to get customer feedback before the final version of EMET 5.0 is released. The free security tool preview can be downloaded here.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.
