In association with heise online

03 September 2010, 14:43

Microsoft hardening tool with graphical user interface

EMET allows users to make some of the exploit protection features mandatory at system level or opt to limit them to specific applications.

Version 2.0 of Microsoft's Enhanced Mitigation Experience Toolkit (EMET) offers easier access through a brand new graphical user interface (GUI) and supports new protective functions. EMET gives developers, administrators and users who are willing to experiment the ability to activate certain protective mechanisms in existing binaries, even if a program's source code isn't available.

EMET can prevent or mitigate various attack techniques. Microsoft's Structured Exception Handler Overwrite Protection (SEHOP) feature is designed to prevent Structured Exception Handlers (SEH) from being overwritten on the stack or in a data segment. Unlike attacks that overwrite return addresses via buffer overflows, this technique involves attackers executing arbitrary code by redirecting function pointers.

EMET 2.0 is also designed to prevent null-page allocations that can be exploited in connection with null-pointer dereferences. Microsoft's tool also allows users to enable Dynamic DEP (DDEP) in applications. This allows the Data Execution Prevention feature to be enabled and disabled at run-time.

Compared to the previous version, the latest release includes new Address Space Layout Randomisation (ASLR) and the Export Address Table Access Filtering (EAF) features that prevent injected shell code from accessing certain APIs. However, if the settings are too strict, this can cause some applications to malfunction. The company freely admits in the documentation that some of the protective mechanisms can be bypassed. Microsoft has released a video tutorial for EMET 2.0 to explain the basics as well as the specifics of EMET's operation.

In case of compatibility issues, selected protective functions can be enabled for individual applications.

The toolkit is also designed to harden against attacks those applications that don't automatically use any of the exploit protection mechanisms available in modern versions of Windows. In early July, security firm Secunia had been critical of the fact that many third-party applications use neither DEP nor ASLR, although these mechanisms can make exploits less effective.
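
An administrator can find such applications by reading the opt-in flags a program declares in its PE header. The sketch below is an added example, not part of the original article or of EMET; the flag values come from the PE format's DllCharacteristics field, and the function names and the header-only sample images are constructed for illustration.

```python
import struct

# Opt-in flags in the PE optional header's DllCharacteristics field.
DYNAMIC_BASE = 0x0040  # image may be relocated at load time (ASLR)
NX_COMPAT = 0x0100     # image is compatible with DEP
PE32, PE32_PLUS = 0x10B, 0x20B
DLLCHAR_OFFSET = 70    # same offset in PE32 and PE32+ optional headers


def mitigation_flags(image: bytes) -> dict:
    """Return the ASLR/DEP opt-in status declared in a PE image's headers."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    opt = e_lfanew + 4 + 20  # skip "PE\0\0" signature and COFF file header
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    if len(image) < opt + DLLCHAR_OFFSET + 2:
        raise ValueError("truncated optional header")
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (PE32, PE32_PLUS):
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    (chars,) = struct.unpack_from("<H", image, opt + DLLCHAR_OFFSET)
    return {"aslr": bool(chars & DYNAMIC_BASE), "dep": bool(chars & NX_COMPAT)}


def build_sample(dll_characteristics: int, magic: int = PE32) -> bytes:
    """Constructed header-only sample image, not a real program."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    optional = bytearray(96)
    struct.pack_into("<H", optional, 0, magic)
    struct.pack_into("<H", optional, DLLCHAR_OFFSET, dll_characteristics)
    return dos + b"PE\0\0" + b"\0" * 20 + bytes(optional)


def audit(images: dict) -> list:
    """Names of images that leave DEP or ASLR off, i.e. EMET candidates."""
    return sorted(n for n, img in images.items()
                  if not all(mitigation_flags(img).values()))


if __name__ == "__main__":
    samples = {"legacy.exe": build_sample(0),
               "partial.exe": build_sample(NX_COMPAT),
               "hardened.exe": build_sample(NX_COMPAT | DYNAMIC_BASE, PE32_PLUS)}
    for name, img in samples.items():
        print(name, mitigation_flags(img))
    print("candidates for EMET opt-in:", audit(samples))
```

The flags show only what the binary itself declares; they do not reflect mitigations that EMET or system policy applies on top.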

This was also confirmed by independent security experts and exploit writers such as Charlie Miller, Jon Oberheide and Dino Dai Zovi in an interview with Dennis Fisher on Threatpost. The experts said that it is becoming increasingly difficult to exploit traditional security holes, and that the anti-exploit features are one of the reasons for this. Apparently, attackers increasingly need to use a multi-stage approach and also exploit logical flaws to be successful.
