Microsoft integrates the new protection mechanisms into Windows via the application compatibility layer, which is actually there to allow older applications to be used in newer versions of Windows. To achieve this, on launching a supported application which is registered as such, Windows loads a 'shim DLL' which intercepts API calls and mimics the behaviour of a previous Windows version. The EMET library is appropriately called emet.dll.
The tool can be downloaded from the Microsoft website and requires the .NET 2.0 runtime environment – in our tests the tool did not accept a previously installed .NET 4.0. Installing the tool is self-explanatory, but it does not include a default configuration – users need to select applications and enter them in the list of programs to be protected.
Microsoft has added a GUI in version 2.0, allowing protective features to be added to an application with minimal mouse-work. The application's .exe file must be added to the list under 'Configure Apps' (see image gallery). The preselected protection options should, in most cases, be left activated. Where this causes an application to stop working correctly, some of these options may need to be deactivated – trial and error is the only way of identifying the appropriate setting. The ASLR option is not available in Windows XP, as address space randomisation was first introduced in Vista.
After adding an application, it may need to be restarted. It will then load the emet.dll library which implements the additional protective functions. The EMET GUI is required for configuration only and can then be closed, though it can be useful to check which applications are using EMET.
For a quick test of EMET's efficacy, we used the Metasploit exploit framework to generate a crafted demo PDF file which launched the calculator application when opened with an unpatched version of Adobe Reader. We then tested the crafted file with EMET installed.
The crafted PDF file was no longer able to launch the calculator and merely crashed Adobe Reader. Unfortunately, EMET does not offer us a facility for identifying which of its options prevented the Adobe Reader vulnerability from being exploited.
So far, so good. But regrettably, we were forced to conclude that we were still far from being properly protected from attacks originating from this PDF file. Adding the Adobe Reader binary to EMET offers zero protection against attacks on the Internet Explorer and Firefox plug-ins. And anyone who thinks that adding the plug-in files should be enough to thwart exploits is heading for disappointment. Adding the AcroPDF.dll ActiveX control and the nppdf32.dll Mozilla plug-ins to EMET does not prevent the calculator from being launched when the infected file is loaded in IE or Firefox.
Even after adding plugin-container.exe, the container responsible for managing plug-ins in Firefox, to EMET, the evil calculator still pops up. Its relentless march is only halted by adding the browser files firefox.exe and iexplorer.exe to EMET – which, however, does also protects against problems caused by other vulnerable plug-ins.
EMET can be used to protect further applications. It makes sense to protect all applications which process data or files directly from the web – browsers, email clients, media players, office applications and all flavours of viewer. Company administrators can also generate scripts to add programs to EMET using the emet_conf.exe command line tool. The tool could even be used to protect server applications from attacks. Initial tests by heise Security did not find any problems which could be traced back to activation of the security functions. Microsoft does, however, point out that some programs react badly to EMET.
Most of the protection mechanisms used by EMET can be circumvented by highly sophisticated exploits, but it means considerable extra work and testing for malware developers. We are not aware of any exploits in circulation at present which are able to overcome all of the hurdles which EMET places in front of them. Until there are, EMET represents an important contribution to protecting Windows systems.