Microsoft is gearing up to deliver the bits for the next generation of a free security tool focused on mitigations. The Enhanced Mitigation Experience Toolkit has evolved to version 2, but it is not available for download at this point in time. According to the Redmond company, EMET v2 will be offered for download in the coming weeks, although a specific availability deadline was not provided at this point in time.

Some customers might already be familiar with EMET, as Microsoft released version 1 in October 2009. The tool is designed to allow developers to easily built and deploy security mitigation to arbitrary applications in order to render useless and exploits targeting vulnerabilities in the apps. While EMET does not actually help patch the security flaws, it does deliver barriers/mitigations, more than capable of fending off any attacks. According to Microsoft, EMET would best be used by third-party developers building applications designed to run on top of Windows, as well as by those needing to bulletproof as much as possible legacy applications.

“EMET sparked customer interest and based on the feedback that we received, we decided to release version 2 that includes more mitigations, a better interface, and a more robust infrastructure compared to the earlier version of EMET. Our aim with this version is to provide an innovative solution that helps customers manage risk and minimize disruption in their environment,” revealed Andrew Roths and Fermin J. Serna, MSRC Engineering.

Roths and Serna also provided a list of all the mitigations built into EMET v2, along with a short description for each one:

Dynamic Data Execution Prevention (DEP) – DEP has been available since Windows XP. However, current configuration options don’t allow applications to be opted in on an individual basis unless they are compiled with a special flag. EMET allows applications compiled without that flag to also be opted. For more information on what DEP is and how it works, take a look at Part 1 and Part 2 of our two-part SRD blog post on it.

Structure Exception Handler Overwrite Protection (SEHOP) – This protects against currently the most common technique for exploiting stack overflows in Windows. This mitigation has shipped with Windows since Windows Vista SP1. Recently with Windows 7, the ability to turn it on and off per process was added. With EMET, we provide the Windows 7 capabilities on any platform back though Windows XP. For more information, take a look at the SEHOP Overview and Window 7 SEHOP Changes blog posts.

Heap Spray Allocation – When an exploit runs, it often cannot be sure of the address where its shellcode resides and must make a case when taking control of the instruction pointer. To increase the odds of success, most exploits now use heapspray techniques to place copies of their shellcode at as many memory locations as possible. This mitigation blocks the use of addresses most common in today’s exploits.

Null Page Allocation – This is similar technology to the heap spray allocation, but designed to prevent potential null dereference issues in usermode. Currently there are no known ways to exploit them and thus this is a defense in depth mitigation technology.

Export Address Table Access Filtering – This mitigation is designed to break nearly all shell code in use today. Before a piece of shellcode can do anything useful, it generally has to locate windows APIs first. This mitigation blocks a common current technique shellcode uses to do this.

Mandatory Address Space Layout Randomization (ASLR) – ASLR randomizes the addresses where modules are loaded to help prevent an attacker from leveraging data at predictable locations. The problem with this is that all modules have to use a compile time flag to opt into this. With EMET, we force modules to be loaded at randomized addresses for a target process regardless of the flags it was compiled with.”

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>