Security Experts:

Microsoft EMET 5.1 Brings Improved Security and Compatibility

Microsoft Releases EMET 5.1

The new version of the Enhanced Mitigation Experience Toolkit (EMET) released by Microsoft on Monday brings improved protection and addresses several application compatibility issues.

According to Microsoft, EMET 5.1 resolves a race condition in the Mandatory ASLR mitigation, fixes a flaw that caused some mitigations to stop working when EAF is disabled, and addresses errors occurring when EMET is not installed in the default folder.

The latest version of the security tool also enables the EMET service to log EMET configuration when the service is started, Microsoft said.

EMET has been bypassed and disarmed on several occasions by researchers. In late September, researchers at Offensive Security presented a method that can be used to disarm EMET 5.0. Last month, SEC Consult Vulnerability Lab reported that one of its experts, René Freingruber, had found "numerous methods to get around the basic protection mechanisms of EMET."

"There is no one tool capable of preventing all attacks. EMET is designed to make it more difficult, expensive and time consuming, and therefore less likely, for attackers to exploit a system," a Microsoft spokesperson told SecurityWeek via email.

However, the release notes for EMET 5.1 show that the latest version "improves and hardens several mitigations to make them more resilient to attacks and bypasses." The company has thanked René Freingruber of SEC Consult and members of the System Security Lab at the Technical University Darmstadt/CASED in Germany for their assistance.

SecurityWeek reached out to experts from Offensive Security to see if their attack method still works, but researchers said they haven't had the chance to test EMET 5.1.

Several compatibility issues affecting EMET 5.0 have been addressed by Microsoft. The list includes compatibility problems between Certificate Trust and the 64-bit variant of Internet Explorer, and between EAF+ and applications like Adobe Reader, Mozilla Firefox, Adobe Flash and Internet Explorer. Compatibility issues also impact the Manage Add-ons feature and the Internet Explorer Developer Tools.

EAF mitigations have also been improved to address several compatibility problems.

"If you are using Internet Explorer 11, either on Windows 7 or Windows 8.1, and have deployed EMET 5.0, it is particularly important to install EMET 5.1 as compatibility issues were discovered with the November Internet Explorer security update and the EAF+ mitigation. Alternatively, you can temporarily disable EAF+ on EMET 5.0. Details on how to disable the EAF+ mitigation are available in the User Guide," the EMET Team wrote in a blog post.

Configuration and deployment improvements have also been made in EMET 5.1, including the addition of a default configuration for EAF+ for Chrome and Java 8, and a "Local Telemetry" feature that allows users to save memory dumps on the disk when a mitigation is triggered.

Another bug addressed with the release of EMET 5.1 is related to the Group Policy settings which, according to Microsoft, were not applied correctly in some circumstances.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.