Microsoft testing EMET’s new protection mechanisms
Just as researchers made public their successful attempt at creating attack code that bypasses the protections of the latest version of Microsoft’s Enhanced Mitigation Experience Toolkit (v4.1), the Redmond giant has announced the preview release of EMET 5.0.
“EMET anticipates the most common actions and techniques adversaries might use in compromising a computer, and can help protect the computer by diverting, terminating, blocking and invalidating those actions and techniques. In recent 0-days, it has been an effective mitigation against memory corruption,” Chris Betz, senior director of the Microsoft Security Response Center in the Trustworthy Computing Group at Microsoft, explained in a blog post.
Developers from the company’s EMET engineering team are demonstrating both the old and the new version of the security software at the RSA Conference, currently taking place in San Francisco. They are also calling on users to test the release and offer feedback on the new features and enhancements.
Two new protection features introduced in the EMET 5.0 Technical Preview – on top of the 12 built-in security mitigations included in version 4.1 – are Attack Surface Reduction (ASR) and Export Address Table Filtering Plus (EAF+).
As the name itself says, Attack Surface Reduction aims to reduce the attack surface of applications.
“It can be used as a mechanism to block the usage of specific modules or plug-ins within an application,” the team explains. “For example, you can configure EMET to prevent Microsoft Word from loading the Adobe Flash Player plug-in, or, with the support of security zones, you can use EMET to prevent Internet Explorer from loading the Java plug-in on an Internet Zone website while continuing to allow Java on Intranet Zone websites.”
The Adobe Flash Player and Java plug-ins are not the only ones you can block – the feature allows the user to configure it to his or her preference, both when it comes to plug-ins and security zones.
“EAF+ consolidates protection of lower-level modules and prevents certain exploitation techniques used to build dynamic ROP gadgets in memory from export tables,” they further explained.
The feature offers a number of additional safeguards, such as integrity checks on stack registers and stack limits when export tables are read from certain lower-level modules, and the prevention of memory read operations on protected export tables when they originate from suspicious modules.
Additional hardening and default mitigation settings are also included and will be evaluated for inclusion in the final version.