Security Advisor

Microsoft Strengthens EMET Toolkit In Wake of Bypass

Microsoft announced the availability of EMET 5.0 Technical Preview at this week's RSA Conference.

Microsoft on Tuesday announced that its Enhanced Mitigation Experience Toolkit (EMET) 5.0 Technical Preview is now available.

Microsoft made the announcement at this week's RSA Conference in San Francisco, Calif., and said the latest preview of its free security utility used for protection against software vulnerabilities comes with new features to block some of the more recent attacks that have surfaced over the past few months.

"The techniques used in these attacks have inspired us with new mitigation ideas to disrupt exploitation and raise the cost to write reliable exploits," said Microsoft in a blog post. "The EMET 5.0 Technical Preview also implements additional defensive mechanisms to reduce exposure from attacks."

One of the key issues the technical preview will fix is security firm Bromium Labs' EMET bypass, which was detailed earlier in the week at the security conference. According to the firm, it is possible for attackers to construct a workaround that would nullify any of EMET's protective measures.

"We found that EMET was very good at stopping pre-existing memory corruption attacks (a type of hacker exploit)," wrote Bromium's Jared DeMott in a blog post on Monday. "But we wondered: Is it possible for a slightly more technical attacker to bypass the protections offered in EMET? And yes, we found ways to bypass all of the protections in EMET."

While the security hole was only publicly disclosed this week, the security firm alerted Microsoft to the issue at an earlier date, allowing Microsoft to address the vulnerability before making the technical preview available.

New Features
Microsoft said that besides a handful of minor changes from the previous EMET version, EMET 5.0 will include two new features: Attack Surface Reduction (ASR) and Export Address Table Filtering Plus (EAF+).

ASR will look to block plugins, like Java or Flash, from automatically running when a program that has the plugin associated with it is opened. An example given was setting a rule that will have EMET automatically block the Adobe Flash Player plugin from initializing if a Microsoft Word document is opened with any Flash elements embedded.

The feature came about, according to Microsoft, in response to public requests that followed a Java Internet Explorer zero-day incident that surfaced last year.

"In mid-2013, we published a Fix it solution to disable the Oracle Java plug-in in Internet Explorer," wrote Microsoft. "We received a lot of positive feedback and a number of suggestions on how we could improve the Fix it. The most recurring suggestion we received was to allow the Oracle Java plug-in on intranet websites, which commonly run Line-of-Business applications written in Java, while blocking it on Internet Zone websites."

The second major new feature, EAF+, adds to the previous Export Address Table Filtering feature by protecting low-level modules and blocking attacks that are used to build return-oriented programming (ROP) gadgets in memory. When manually turned on, EAF+ will include protection for KERNELBASE exports (NTDLL.DLL and KERNEL32.DLL, for example), will initialize additional integrity checks on stack limits and stack registers when read from a low-level module, and will block memory read operations on protected export tables from suspicious modules.

Microsoft's goal in releasing a technical preview is to get customer feedback before the final version of EMET 5.0 is released. The free security tool preview can be downloaded here.

About the Author

Chris Paoli is the site producer for and

