While packed with a load of new security features, Window 10 doesn’t offer some of the additional protections that Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) brings, CERT vulnerability analyst Will Dormann warns.
Released in 2009, EMET was meant to provide mitigation against certain zero-day software vulnerabilities, filling a gap created by the release of major Windows versions 3-4 years after one another.
Although the tool helped interrupt and disrupt many exploits before patches were released, Microsoft now feels that EMET can no longer do its job properly, and says that its lack of integration with the operating system is its main limitation. What’s more, the tech company says that the utility wasn’t created to offer real durable protection over time and that Windows 10 packs all of the necessary protections to render the tool useless.
With that mindset, Microsoft recently announced that EMET will be retired on July 31, 2018, after it pushed back the date following customer feedback. Previously, the company was planning EMET’s retirement for Jan. 27, 2017.
CERT’s Will Dormann, however, claims that Microsoft should keep EMET alive, as this is “still an important tool to help prevent exploitation of vulnerabilities.” According to him, version 5.51 of the tool provides both system-wide protection and application-specific mitigations that continue to make it relevant even on Windows 10 systems.
The application-specific protection offered by EMET makes all the difference, he explains. While both a stock Windows installation and one with EMET properly configured offer about the same level of system-wide mitigations, a Windows installation without EMET is virtually unprotected when application-specific mitigations are considered, as the table to the right shows.
“It is pretty clear that an application running on a stock Windows 10 system does not have the same protections as one running on a Windows 10 system with EMET properly configured. Even a Windows 7 system with EMET configured protects your application more than a stock Windows 10 system,” Dormann says.
According to him, Microsoft’s claim that Windows 10 makes EMET irrelevant is fiction, mainly because it overlooks the primary reason for someone to run the tool: because it can apply all of the available exploit mitigations to all applications. This doesn’t happen through the underlying Windows platform even if the operating system offers support for the mitigation, the researcher explains.
Because developers adopt exploit mitigations at a slow rate, EMET with application-specific mitigations enabled is the only protection available. Even Microsoft doesn’t “compile all of Office 2010 with the /DYNAMICBASE flag to indicate compatibility with ASLR,” meaning that an attacker could work around ASLR to load a non-DYNAMICBASE library into the process space of the vulnerable application and could exploit a memory corruption vulnerability, the researcher explains.
“Microsoft strongly implies that if you are running Windows 10, there is no need for EMET anymore. This implication is not true. The reason it’s not true is that Windows 10 does not provide the application-specific mitigations that EMET does,” Dormann notes.
While Windows 10 does provide some exploit mitigations, Dormann explains, the applications have been be specifically compiled to take advantage of them. Thus, if an application isn’t built to take advantage of the mitigation, it doesn’t matter if the underlying operating system supports that mitigation or not.
The researcher also notes that, while EMET will reach its end-of-life (EOL) on July 31, 2018, the application will likely continue to work as before, only without assistance from Microsoft. Software currently outside of the support window should be tested so that EMET could provide protection against zero-days. Vulnerabilities in products outside of their support cycle become “forever-days,” because they will never be fixed, the researcher also says.
In Dormann’s opinion, both an upgrade to Windows 10 for exploit mitigation and installing EMET with application-specific mitigations configured are recommended actions. Without the utility, system-wide mitigations of DEP and ASLR can be applied, but Windows 10 can’t cover all of the mitigations admins using EMET have come to rely on. The tool, he says, can provide protection against both zero-days in supported software and forever-days in unsupported software.
Related: Microsoft Delays Retirement of EMET