Microsoft's EMET Security Tool Requires App Compatibility Testing
Microsoft's Enhanced Mitigation Experience Toolkit (EMET) is designed to ward off security problems from code exploits, but it can also spell trouble for some apps.
EMET emerged from Microsoft about five years ago as an alternative check to software security threats, but using it comes with a risk that users will encounter application compatibility issues. Microsoft's lists just a few apps with known incompatibilities, including Skype, the NetFlix Silverlight app, ATI drivers, the iPod sync service and an AOL plug-in, at this TechNet forum page. However, the forum includes comments from many others describing apparent app incompatibility issues.
Organizations may have been drawn to using EMET recently because of a critical zero-day flaw in Microsoft's Internet Explorer browser that was disclosed late last month in a Microsoft security advisory. The use of EMET 4.1 was one of the recommended approaches mentioned by Microsoft before it rolled out an out-of-band patch for IE this month.
Microsoft rolled out EMET 4.1 Update 1 in late April, with a few improvements. There's also EMET 5.0 technical preview, but it's not recommended for production use quite yet. Both EMET 4.0 and EMET 4.1 were recommended by Microsoft as effective blocking tools against the IE zero-day flaw, although they lack some protections found in EMET 5.0, according to Microsoft's security advisory description.
The solution to EMET's app compatibility issues is to troubleshoot what hangs an app, according to Kurt Falde, a Microsoft premium field engineer. Falde described the steps to take when encountering a crashed app in a blog post this week. An app that crashes with EMET running will typically show a dialog box that provides an explanation for the crash.
The example Falde described was a crashed Excel app. The app reported a check from the data execution prevention (DEP) feature of EMET, which he said was an "actual EMET-sourced event." The solution, in such cases, is to uncheck the DEP selection for the Excel app to see if it will start working again, he explained. Organizations can also contact the app's developer (in this case, Microsoft) to address app compatibility problem, he explained.
The other approach is to uninstall EMET, but Falde described that as "a little bit overboard." Uninstalling EMET has a side effect in that it "may not return system-wide protections (DEP/SEHOP/ASLR) to their previous configurations," he explained.
EMET provides "pseudo mitigation technologies" against general attack techniques, rather than delivering specific security fixes. It has three pieces, according to Falde, in a March 12 RunAs Radio podcast. The first piece checks configuration settings on the operating system, including DEP, address space layout randomization (ASLR) and structured exception handling overwrite protection (SEHOP). The second piece has to do with "certificate pinning," which verifies the root certificate authority. The third piece to EMET is the program's actual mitigations based on software profiles.
EMET typically gets installed on client machines. It inserts an application compatibility framework within apps, Falde explained, in the podcast. It has a "negligible" overhead effect on system resources, consuming some CPU cycles and extra memory, he added.
EMET brings the risk of application compatibility problems, so IT pros may have to tinker with it, although Falde suggested in the podcast that EMET was good enough for home use as well.
Application compatibility is specifically listed as a risk of using EMET by Microsoft.
"The security mitigation technologies that EMET uses have an application-compatibility risk," Microsoft's EMET FAQ states. "Some applications rely on exactly the behavior that the mitigations block."
Falde recommended running a pilot test of EMET. An IT pro should test EMET with all of the organization's apps first before running it in a production environment. EMET has an advantage over antimalware software in being capable of catching zero-day exploits. Falde said that EMET provided valid protection against four of five zero-day threats in Microsoft's 2012 statistics.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.