Microsoft launched the technical preview of the latest version of its free enhanced mitigation experience toolkit (EMET) at RSA Conference 2014 in San Francisco.
First introduced in late 2009, EMET’s mission is to help enterprises block targeted attacks against Zero Day vulnerabilities in older Microsoft platforms and third-party or line-of-business applications.
“We want security researchers and IT pros to try it out and give us feedback to make it better before we release version 5.0 later this year,” said Jonathan Ness, principal security development manager at Microsoft Trustworthy Computing.
Just this past week, researchers said it was possible for attackers to bypass EMET, which protects non-kernel Microsoft applications and third-party software.
“EMET adds special protections (for 32bit processes only) against a relatively new hacker technique known as ROP (return oriented programming),” security firm Bromium Labs’ Jared DeMott said.
“ROP based exploitation has been rampant in malware to bypass the ALSR+DEP protections. Most of the in-the-wild malware uncovered in the past year used a variant of ROP techniques. EMET adds other useful protections (like force ASLR and DEP) as well, but many of those are already present in their newest Operating system, Windows 8.1. And thus, EMET particularly excels for older platforms like Windows XP.”
Like any other software, EMET has its limitations, and researchers wanted to see whether it is capable of deflecting customized attacks.
Bromium researchers, who worked with Microsoft on this research, have created attack code exploiting an old (and patched) use-after-free Internet Explorer bug (CVE-2012-4969) to bypass all of 12 EMET’s protections.
Version 5.0 adds two new protections for enterprises on top of the 12 built-in security mitigations included in version 4.1.
First, an attack surface reduction mitigation helps enterprises protect third-party and custom-built applications by selectively enabling Java, Adobe Flash Player and Microsoft or third-party plugins.
“Enterprises can configure Java to load on the intranet for line-of-business applications but not on the Internet,” Ness said.
“Most businesses need Java only internally, but this opens them up to vulnerabilities on the Internet. EMET 5.0 enables enterprises to block Java where they do not need it,” he said.
Similarly, Adobe Flash Player can end up configured to work only in browsers but not in Microsoft Office products that can be a delivery mechanism for malware exploiting Flash vulnerabilities.
Second, EMET version 5.0 introduces enhancements to the existing export address table filtering (EAF) mitigation available in the current version 4.1 aimed at blocking shell code.
According to the EMET development team, EAF+ consolidates protection of lower-level modules and prevents certain exploitation techniques used to build dynamic return-oriented programming (ROP) gadgets in memory from export tables.
“The improved rules and heuristics can, for example, prevent Flash exploits used to bypass address space layout randomization (ASLR) and data execution prevention (DEP),” Ness said.
The EMET development team said when EAF+ ends up enabled, it will add safeguards over and above the existing EAF checks. These include:
• Protection for Kernelbase exports in addition to the existing NTDLL.DLL and Kernel32.DLL;
• Additional integrity checks on stack registers and stack limits when export tables are read from certain lower-level modules;
• Prevention of memory read operations on protected export tables when they originate from suspicious modules that may reveal memory corruption bugs used as “read primitives” for memory probing.
These two enhancements improve EMET’s ability to divert, terminate, block or invalidate the most common actions and techniques attackers might use in compromising a computer.