App Compatibility Issues May Occur with Microsoft's EMET Security Tool

Microsoft's free Enhanced Mitigation Experience Toolkit (EMET) may not operate correctly for some apps.

EMET emerged from Microsoft about five years ago as an additional layer of defense against software exploits, but using it comes with a risk that users will encounter application compatibility issues. Microsoft lists just a few apps with known incompatibilities, including Skype, the Netflix Silverlight app, ATI drivers, the iPod sync service and an AOL plug-in, at this TechNet forum page. However, the forum includes comments from many others describing apparent app incompatibility issues.

Organizations may have been drawn to using EMET recently because of a critical zero-day flaw in Microsoft's Internet Explorer browser that was disclosed late last month in a Microsoft security advisory. The use of EMET 4.1 was one of the recommended approaches mentioned by Microsoft before it rolled out an out-of-band patch for IE this month.

Microsoft rolled out EMET 4.1 Update 1 in late April, with a few improvements. There's also an EMET 5.0 technical preview, but it's not recommended for production use quite yet. Both EMET 4.0 and EMET 4.1 were recommended by Microsoft as effective blocking tools against the IE zero-day flaw, although they lack some protections found in EMET 5.0, according to Microsoft's security advisory description.

The solution to EMET's app compatibility issues is to troubleshoot what hangs an app, according to Kurt Falde, a Microsoft premier field engineer. Falde described the steps to take when encountering a crashed app in a blog post this week. An app that crashes with EMET running will typically show a dialog box that names the mitigation that fired, which is the first thing to check before blaming EMET for a crash that may have another cause.

The example Falde described was a crashed Excel app. The crash dialog reported that EMET's data execution prevention (DEP) mitigation had fired, which he said made it an "actual EMET-sourced event." The solution, in such cases, is to uncheck the DEP selection for the Excel app in EMET's configuration, leaving the other mitigations in place, and see if it will start working again, he explained. Organizations can also contact the app's developer (in this case, Microsoft) to address the app compatibility problem, he explained.

The other approach is to uninstall EMET, but Falde described that as "a little bit overboard." Uninstalling EMET has a side effect in that it "may not return system-wide protections (DEP/SEHOP/ASLR) to their previous configurations," he explained. In practice that means an administrator should record those system-wide settings before EMET goes on a machine, so they can be checked and restored by hand if EMET is later removed.
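As an added illustration of the two points above (this is not code from the article, from Falde's post or from Microsoft; only the EMET_Conf.exe utility it calls ships with EMET), the following PowerShell script records the system-wide DEP/SEHOP/ASLR state before EMET is installed, compares it after an uninstall, and then shows the Excel case from Falde's example: dropping just the DEP mitigation for one app rather than removing EMET. It assumes EMET 4.1 in its default install folder, an illustrative Excel path, and the EMET_Conf argument syntax as given in the EMET user guide as recalled here; confirm that syntax with "EMET_Conf --help" before relying on it. Run it from an elevated prompt, since bcdedit, the registry keys and EMET_Conf all need administrator rights.

```powershell
# Added example, not code from the article, from Kurt Falde or from Microsoft.
# Records system-wide DEP/SEHOP/ASLR state so an EMET uninstall can be checked
# against it, then disables one mitigation for one app with EMET_Conf.exe.
# Assumptions: EMET 4.1 in its default folder; Excel path is illustrative;
# EMET_Conf syntax is from the EMET user guide as recalled (check --help). Run elevated.

function Get-RegistryValueOrDefault {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { 'absent (OS default)' } else { $item.$Name }
}

function Get-SystemMitigationState {
    # DEP policy lives in the boot configuration: nx = OptIn | OptOut | AlwaysOn | AlwaysOff
    $nxLine = bcdedit /enum '{current}' | Select-String -Pattern '^\s*nx\s+(\S+)'
    $dep = if ($nxLine) { $nxLine.Matches[0].Groups[1].Value } else { 'unknown' }

    # SEHOP: DisableExceptionChainValidation 0 = enabled, 1 = disabled, absent = OS default
    $sehop = Get-RegistryValueOrDefault `
        -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel' `
        -Name 'DisableExceptionChainValidation'

    # ASLR: MoveImages 0 = disabled, 0xFFFFFFFF = always on, absent = application opt-in
    $aslr = Get-RegistryValueOrDefault `
        -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management' `
        -Name 'MoveImages'

    [pscustomobject]@{ DEP = $dep; SEHOP = $sehop; ASLR = $aslr; Taken = (Get-Date).ToString('s') }
}

function Compare-MitigationState {
    param($Before, $After)
    foreach ($name in 'DEP', 'SEHOP', 'ASLR') {
        if ("$($Before.$name)" -ne "$($After.$name)") {
            "$name changed: $($Before.$name) -> $($After.$name)"
        }
    }
}

# 1. Before installing EMET, keep a snapshot with the deployment notes.
$snapshotFile = 'C:\EMET-pilot\system-mitigations-before.json'   # illustrative location
New-Item -ItemType Directory -Force -Path (Split-Path -Path $snapshotFile) | Out-Null
Get-SystemMitigationState | ConvertTo-Json | Set-Content -Path $snapshotFile

# 2. After an EMET uninstall, compare. Anything reported here was not put back by the
#    uninstaller and has to be restored by hand (or via EMET_Conf --system before removal,
#    e.g. "EMET_Conf --system DEP=ApplicationOptIn SEHOP=ApplicationOptIn ASLR=ApplicationOptIn").
$before = Get-Content -Path $snapshotFile -Raw | ConvertFrom-Json
Compare-MitigationState -Before $before -After (Get-SystemMitigationState)

# 3. Falde's Excel case: keep EMET, drop only the DEP mitigation for that one app.
$emetConf = Join-Path -Path ${env:ProgramFiles(x86)} -ChildPath 'EMET 4.1\EMET_Conf.exe'
$excel    = 'C:\Program Files\Microsoft Office\Office15\EXCEL.EXE'   # illustrative path
& $emetConf --list                 # current per-app protections
& $emetConf --set $excel -DEP      # "-DEP" turns DEP off for this app, other mitigations stay on
& $emetConf --list                 # confirm DEP now shows as off for EXCEL.EXE
```

The per-app change is the one to try first: if Excel launches after step 3, the DEP mitigation was the cause and the rest of EMET's protection for Excel is still in place. If it still crashes, the snapshot from step 1 is what makes a later uninstall reversible.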

EMET provides "pseudo mitigation technologies" against general attack techniques, rather than delivering specific security fixes. It has three pieces, according to Falde, in a March 12 RunAs Radio podcast. The first piece checks configuration settings on the operating system, including DEP, address space layout randomization (ASLR) and structured exception handling overwrite protection (SEHOP). The second piece has to do with "certificate pinning," which checks that a site's SSL certificate chains to the root certificate authority the administrator expects. The third piece to EMET is the program's actual mitigations, applied per application based on software profiles.

EMET typically gets installed on client machines. It uses the Windows application compatibility (shim) framework to load its mitigations into the apps it protects, Falde explained, in the podcast. It has a "negligible" overhead effect on system resources, consuming some CPU cycles and extra memory, he added.

EMET brings the risk of application compatibility problems, so IT pros may have to tinker with it, although Falde suggested in the podcast that EMET was good enough for home use as well.

Application compatibility is specifically listed as a risk of using EMET by Microsoft.

"The security mitigation technologies that EMET uses have an application-compatibility risk," Microsoft's EMET FAQ states. "Some applications rely on exactly the behavior that the mitigations block."

Falde recommended running a pilot test of EMET. An IT pro should test EMET with all of the organization's apps first before running it in a production environment. EMET has an advantage over antimalware software in being capable of catching zero-day exploits, since it blocks the exploitation techniques themselves rather than matching known malware. Falde said that EMET provided valid protection against four of five zero-day threats in Microsoft's 2012 statistics.
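The pilot Falde recommends is easy to start in a small way. The script below is an added example, not code from the article, from Falde or from Microsoft: it launches each app on a pilot list with EMET active, flags the ones that die on start, and then pulls the EMET entries from the Windows Application event log for the same time window so a crash can be matched to the mitigation that fired. It assumes EMET 4.x writes its events to the Application log under the source name "EMET", and that the app paths are placeholders for the organization's own list; it kills each app after the settle period, so run it on a pilot machine, elevated.

```powershell
# Added example, not from the article, from Kurt Falde or from Microsoft.
# Smoke-tests a list of apps under EMET and summarizes EMET event-log entries.
# Assumptions: EMET 4.x logs to the Application log with source "EMET"; the
# paths below are placeholders. Apps are terminated after the settle period.

function Test-EmetAppLaunch {
    param([string[]]$Paths, [int]$SettleSeconds = 20)
    foreach ($path in $Paths) {
        if (-not (Test-Path -Path $path)) {
            [pscustomobject]@{ App = $path; Status = 'not installed'; ExitCode = $null }
            continue
        }
        $proc = Start-Process -FilePath $path -PassThru
        $null = $proc.Handle   # cache the handle; otherwise ExitCode is empty once the process is gone
        Start-Sleep -Seconds $SettleSeconds
        if ($proc.HasExited) {
            $status = if ($proc.ExitCode -eq 0) { 'exited cleanly' } else { 'died on launch' }
            $code = $proc.ExitCode
        } else {
            $status = 'running'
            $code = $null
            Stop-Process -Id $proc.Id -Force -ErrorAction SilentlyContinue
        }
        [pscustomobject]@{ App = Split-Path -Path $path -Leaf; Status = $status; ExitCode = $code }
    }
}

function Get-EmetEventSummary {
    param([datetime]$Since)
    $events = Get-EventLog -LogName Application -Source 'EMET' -After $Since -ErrorAction SilentlyContinue
    $events | Group-Object -Property EventID | ForEach-Object {
        [pscustomobject]@{
            EventID = $_.Name
            Count   = $_.Count
            Sample  = ($_.Group[0].Message -split "`r?`n")[0]   # first line of the message
        }
    }
}

$pilotApps = @(
    'C:\Program Files\Microsoft Office\Office15\EXCEL.EXE',   # placeholder paths
    'C:\Program Files (x86)\Skype\Phone\Skype.exe',
    'C:\Program Files\Internet Explorer\iexplore.exe'
)
$started = Get-Date
Test-EmetAppLaunch -Paths $pilotApps | Format-Table -AutoSize
Get-EmetEventSummary -Since $started | Format-Table -AutoSize

# An app reported as 'died on launch' alongside an EMET event in the same window is a
# candidate for a per-app exception (EMET_Conf --set <path> -<Mitigation>); a crash with
# no EMET event points somewhere other than EMET, which is the distinction Falde draws.
```

Repeat the run after each exception you add, so the final pilot configuration is the one that goes to production.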
