Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Microsoft Updates Enhanced Mitigation Experience Toolkit to Block Attacks Against Unfixed Vulnerabilities

Microsoft Releases Enhanced Mitigation Experience Toolkit (EMET) 2.0

Announced at the Black Hat 2010 conference in July, Microsoft’s updated Enhanced Mitigation Experience Toolkit (EMET) 2.0 has been released and is now available for download.

Microsoft Releases Enhanced Mitigation Experience Toolkit (EMET) 2.0

Announced at the Black Hat 2010 conference in July, Microsoft’s updated Enhanced Mitigation Experience Toolkit (EMET) 2.0 has been released and is now available for download.

EMET is specifically designed to block targeted attacks against unfixed vulnerabilities. The toolkit is free and helps improve the security of applications without having to recode them. Developers and IT security professionals are able to add new and existing security mitigation technologies to software in order to help protect against exploitation of vulnerabilities. All mitigations can be applied on a per-application basis with customized settings, allowing developers to bring newer security mitigations to older applications.

Microsoft EMET 2.0 Screenshot

EMET 2.0 allows users to both configure the system policy for mitigations as well as to configure mitigations on a per executable basis. The first option allows the user to set the defaults for system supported mitigations; for instance choosing whether one should be enabled for all processes, enabled for only those that chose to opt in, disabled entirely etc.

The tool supports both 32- and 64-bit applications and has been updated with a new unified graphical user interface that shows running processes and whether EMET is currently active for them. Two new mitigations have been added — mandatory ASLR and EAT address filtering. Version 2.0 now includes support for viewing and setting systemwide mitigation settings.

It adds the following mitigations to applications that do not support them natively:

• Structured Error Handling Overwrite Protection (SEHOP) prevents Structured Exception Handling (SEH) overwrite exploitation by performing SEH chain validation.

• Dynamic Data Execution Prevention marks portions of a process’s memory non-executable, making it difficult to exploit memory corruption vulnerabilities.

• NULL page allocation allocates the first page of memory before program initialization and blocks attackers from taking advantage of NULL references in user mode.

• Heap Spray Allocation pre-allocates memory addresses to block common attacks that fill a process’s heap with specially crafted content.

• New in EMET 2.0 is mandatory address space layout randomization (ASLR), as well as non-ASLR-aware modules on Windows Vista, Windows Server 2008 and Windows 7.

• Also new in EMET 2.0, export address table (EAT) uses hardware breakpoints to filter access to the EAT of kernel32.dll and ntdll.dll, blocks access if the instruction pointer is not inside a module, and breaks current common metasploit shellcodes.

Microsoft warns that some security mitigation technologies may break applications and reminds users that it’s important to thoroughly test EMET in all target use scenarios before rolling it out to a production environment.

You can download EMET 2.0 here.

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Audits

Out of the 335 public recommendations on a comprehensive cybersecurity strategy made since 2010, 190 were not implemented by federal agencies as of December...