SecurityWeek

Endpoint Security

Microsoft’s EMET Protects Apps Better Than Windows 10, Researcher Says

While packed with a load of new security features, Windows 10 doesn’t offer some of the additional protections that Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) brings, CERT vulnerability analyst Will Dormann warns.


Released in 2009, EMET was meant to provide mitigation against certain zero-day software vulnerabilities, filling the gap left by major Windows versions being released only every 3-4 years.

Although the tool helped interrupt and disrupt many exploits before patches were released, Microsoft now feels that EMET can no longer do its job properly, and says that its lack of integration with the operating system is its main limitation. What’s more, the tech company says that the utility wasn’t created to offer real durable protection over time and that Windows 10 packs all of the necessary protections to render the tool useless.

With that mindset, Microsoft recently announced that EMET will be retired on July 31, 2018, after it pushed back the date following customer feedback. Previously, the company was planning EMET’s retirement for Jan. 27, 2017.

CERT’s Will Dormann, however, claims that Microsoft should keep EMET alive, as this is “still an important tool to help prevent exploitation of vulnerabilities.” According to him, version 5.51 of the tool provides both system-wide protection and application-specific mitigations that continue to make it relevant even on Windows 10 systems.

The application-specific protection offered by EMET makes all the difference, he explains. While both a stock Windows installation and one with EMET properly configured offer about the same level of system-wide mitigations, a Windows installation without EMET is virtually unprotected when application-specific mitigations are considered, as the table to the right shows.

“It is pretty clear that an application running on a stock Windows 10 system does not have the same protections as one running on a Windows 10 system with EMET properly configured. Even a Windows 7 system with EMET configured protects your application more than a stock Windows 10 system,” Dormann says.

According to him, Microsoft’s claim that Windows 10 makes EMET irrelevant is fiction, mainly because it overlooks the primary reason for someone to run the tool: because it can apply all of the available exploit mitigations to all applications. This doesn’t happen through the underlying Windows platform even if the operating system offers support for the mitigation, the researcher explains.


Because developers adopt exploit mitigations at a slow rate, EMET with application-specific mitigations enabled is the only protection available. Even Microsoft doesn’t “compile all of Office 2010 with the /DYNAMICBASE flag to indicate compatibility with ASLR,” meaning that an attacker could work around ASLR to load a non-DYNAMICBASE library into the process space of the vulnerable application and could exploit a memory corruption vulnerability, the researcher explains.

“Microsoft strongly implies that if you are running Windows 10, there is no need for EMET anymore. This implication is not true. The reason it’s not true is that Windows 10 does not provide the application-specific mitigations that EMET does,” Dormann notes.

While Windows 10 does provide some exploit mitigations, Dormann explains, applications have to be specifically compiled to take advantage of them. Thus, if an application isn’t built to take advantage of a mitigation, it doesn’t matter whether the underlying operating system supports that mitigation or not.
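The two preceding points (the /DYNAMICBASE linker flag in the Office 2010 example, and the general rule that an application must be compiled to opt in before the OS can apply a mitigation) come down to a handful of bits in each binary's PE optional header. The following Python script is an added example, not code from the article or from CERT; it reads the DllCharacteristics word of a PE32 or PE32+ image and reports which compile-time mitigation opt-ins (ASLR via DYNAMIC_BASE, DEP via NX_COMPAT, high-entropy ASLR, CFG) are present, which is how a defender can audit whether a process's modules would actually be covered by the system-wide mitigations or would need EMET-style forced mitigation. The `build_fake_pe` helper and the constant names `DLL_FLAGS`, `mitigation_report` and `audit_file` are this example's own; the header stub it builds is constructed for testing and is not a real executable.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
# DYNAMIC_BASE is what the /DYNAMICBASE linker flag sets; without it the
# image has a fixed load address and ASLR cannot relocate it.
DLL_FLAGS = {
    "HIGH_ENTROPY_VA": 0x0020,  # 64-bit high-entropy ASLR (/HIGHENTROPYVA)
    "DYNAMIC_BASE": 0x0040,     # image may be relocated: ASLR opt-in (/DYNAMICBASE)
    "NX_COMPAT": 0x0100,        # DEP compatible (/NXCOMPAT)
    "NO_SEH": 0x0400,           # image uses no structured exception handlers
    "GUARD_CF": 0x4000,         # Control Flow Guard instrumented (/guard:cf)
}


def parse_dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics field from a PE image's optional header."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    # e_lfanew at DOS header offset 0x3C points at the 'PE\0\0' signature.
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # 20-byte COFF file header
    size_of_optional = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20                           # optional header follows COFF header
    if size_of_optional < 72 or len(image) < opt + 72:
        raise ValueError("optional header too short")
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B):           # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 for both PE32 and PE32+ layouts:
    # the wider ImageBase in PE32+ exactly compensates for the missing BaseOfData.
    return struct.unpack_from("<H", image, opt + 70)[0]


def mitigation_report(image: bytes) -> dict:
    """Map each known mitigation opt-in to whether the image declares it."""
    chars = parse_dll_characteristics(image)
    return {name: bool(chars & bit) for name, bit in DLL_FLAGS.items()}


def missing_core_mitigations(image: bytes) -> list:
    """Names of the two baseline opt-ins (ASLR, DEP) the image lacks."""
    report = mitigation_report(image)
    return [name for name in ("DYNAMIC_BASE", "NX_COMPAT") if not report[name]]


def audit_file(path: str) -> dict:
    """Audit a real PE file on disk; the headers live in the first few KiB."""
    with open(path, "rb") as f:
        return mitigation_report(f.read(65536))


def build_fake_pe(dll_characteristics: int, pe32plus: bool = True) -> bytes:
    """Constructed PE header stub for testing only; it is not a runnable binary."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    machine = 0x8664 if pe32plus else 0x14C   # AMD64 / I386
    opt_size = 240 if pe32plus else 224
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x2002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Constructed samples: a module linked with /DYNAMICBASE /NXCOMPAT
    # /HIGHENTROPYVA beside one linked with none of the opt-ins.
    for label, img in (("hardened", build_fake_pe(0x0160)),
                       ("legacy", build_fake_pe(0x0000, pe32plus=False))):
        print(label, mitigation_report(img), "missing:", missing_core_mitigations(img))
```

Run against a directory of DLLs with `audit_file`, the script gives the per-module view the article is describing: a process is only as randomized as its least-opted-in module, so one legacy library without DYNAMIC_BASE is enough to give an attacker a fixed address even on a system with ASLR enabled.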

The researcher also notes that, while EMET will reach its end-of-life (EOL) on July 31, 2018, the application will likely continue to work as before, only without assistance from Microsoft. Software that is already outside its support window should be tested with EMET so that the tool can still provide protection against zero-days. Vulnerabilities in products outside of their support cycle become “forever-days,” because they will never be fixed, the researcher also says.

In Dormann’s opinion, both an upgrade to Windows 10 for exploit mitigation and installing EMET with application-specific mitigations configured are recommended actions. Without the utility, system-wide mitigations of DEP and ASLR can be applied, but Windows 10 can’t cover all of the mitigations admins using EMET have come to rely on. The tool, he says, can provide protection against both zero-days in supported software and forever-days in unsupported software.

Related: Microsoft Delays Retirement of EMET

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
