The latest version of Microsoft’s freely available stopgap against zero-day exploits was released today with two new exploit mitigations and a batch of new configuration options.
The update to Microsoft’s Enhanced Mitigation Experience Toolkit, or EMET, comes six months after a technical preview of EMET 5.0 was released in February during the RSA Conference. At the time, Microsoft touted new plug-in controls and memory protections, both of which have been rolled into EMET 5.0.
The first new mitigation is called Attack Surface Reduction (ASR). It lets Windows administrators control when, or whether, plug-ins such as Java or Adobe Flash are loaded at all on a Windows computer. ASR works at the module level: it keeps specified DLLs or ActiveX controls from loading into a protected process, and for Internet Explorer the rule can be scoped by URL security zone. Java and Flash have been favorite targets of attackers. Many advanced attacks exploit vulnerabilities in either platform, giving the attacker an initial foothold on a system that can then be leveraged for further system and network access.
With ASR, administrators can, for example, allow the Java plug-in on internal websites while blocking it on the open Internet. They can also block Office applications from loading Flash inside a Word or Excel document, while still allowing it in the browser.
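The two scenarios above, expressed as an EMET 5.0 configuration an administrator could import from PowerShell. This is an added example, not code from the article or from Microsoft: it follows the protection-profile XML layout that ships with EMET 5.0 as recalled here (the `asr_modules` and `asr_zones` elements under an `ASR` mitigation, and the `EMET_Conf.exe --import`, `--refresh` and `--list` commands), and the install path, the wildcarded module names and the Office path pattern are assumptions to check against the EMET user guide and a reference machine before deployment. Zone IDs follow Internet Explorer's URL security zones (1 is Local Intranet, 2 is Trusted Sites), and `asr_zones` lists the zones in which the named modules are still allowed to load; everywhere else they are blocked.

```powershell
# Added example (not from the article or from Microsoft): build an EMET 5.0
# protection profile that applies the two ASR scenarios in the text and import it.
# Assumptions: default 64-bit install path, the EMET 5.0 profile XML layout,
# the module name patterns, and that EMET_Conf.exe is run from an elevated prompt.

$emetConf = Join-Path ${env:ProgramFiles(x86)} 'EMET 5.0\EMET_Conf.exe'   # assumed install path
$profile  = Join-Path $env:TEMP 'asr-profile.xml'

# Java plug-in DLLs (wildcards as used in EMET profiles) and the Flash ActiveX control.
$javaModules  = 'npjpi*.dll;jp2iexp.dll'   # assumed module names; verify on a reference machine
$flashModules = 'flash*.ocx'
$allowedZones = '1;2'                      # 1 = Local Intranet, 2 = Trusted Sites; Internet (3) is blocked

@"
<?xml version="1.0" encoding="utf-8"?>
<EMET Version="5.0">
  <EMET_Apps>
    <!-- Internet Explorer: Java may load only for Local Intranet and Trusted Sites -->
    <AppConfig Path="*\Internet Explorer" Executable="iexplore.exe">
      <Mitigation Name="ASR" Enabled="true">
        <asr_modules>$javaModules</asr_modules>
        <asr_zones>$allowedZones</asr_zones>
      </Mitigation>
    </AppConfig>
    <!-- Word and Excel: never load the Flash control from a document (no zone scoping here) -->
    <AppConfig Path="*\OFFICE1*" Executable="WINWORD.EXE">
      <Mitigation Name="ASR" Enabled="true">
        <asr_modules>$flashModules</asr_modules>
      </Mitigation>
    </AppConfig>
    <AppConfig Path="*\OFFICE1*" Executable="EXCEL.EXE">
      <Mitigation Name="ASR" Enabled="true">
        <asr_modules>$flashModules</asr_modules>
      </Mitigation>
    </AppConfig>
  </EMET_Apps>
</EMET>
"@ | Set-Content -Path $profile -Encoding UTF8

& $emetConf --import $profile   # load the profile into EMET's configuration
& $emetConf --refresh           # force EMET to re-read its configuration now
& $emetConf --list              # confirm the per-application settings took effect
```

In practice, export the machine's current configuration first with `EMET_Conf.exe --export` and add the ASR entries to that file rather than importing a profile that names only ASR, so the other mitigations already configured for Internet Explorer and Office are not lost. Test the result against an intranet page that needs Java and an Internet page that should not get it before rolling the profile out through Group Policy.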
“We heard from customers that they wanted more control over which programs and in which scenarios these plugins can be loaded. We initially released a Fix It tool last year to disable the Java plugin entirely in Internet Explorer and that helped people,” said Jonathan Ness, principal security development manager for the Microsoft Security Response Center. “But customers told us that they still needed Java for their line-of-business applications running on their local intranet and were looking for a way to block Java and other plugins from loading on the wider untrusted Internet.”
Microsoft has been vocal about recommending EMET as a temporary mitigation for zero-day attacks, in which exploits target vulnerabilities for which no patch yet exists. EMET includes a dozen mitigations that aim to block the techniques exploits use against memory-corruption bugs: DEP, SEHOP, mandatory and bottom-up ASLR, null-page and heap-spray pre-allocation, Export Address Table Filtering, and a group of checks against return-oriented programming (ROP). EMET is not meant as a permanent fix. Each mitigation can be bypassed by an exploit written with it in mind, so it serves as a stopgap until a patch is ready for rollout.
The other new mitigation in EMET 5.0 is called Export Address Table Filtering Plus (EAF+), which introduces two new methods aimed at disrupting advanced attacks, Microsoft said. The existing EAF mitigation watches for shellcode that reads the export tables of system libraries such as kernel32.dll and ntdll.dll to locate the API functions it needs; EAF+ extends those checks.
“For example, EAF+ adds a new ‘page guard’ protection to help prevent memory read operations, commonly used as information leaks to build exploitations,” Microsoft said in a statement.
“It’s the way EMET blocks common exploit techniques, common shell code techniques. The engineers building EMET are the same engineers in the security response center that respond to attacks in the wild against our software and these guys are always studying new attack techniques that show up in real-world exploits,” Ness said. “EAF+ amplifies the scope and robustness of EAF. It blocks new kinds of exploit techniques by performing additional integrity checks and preventing certain memory read operations used as ‘read anywhere’ primitives in recent exploits.”
Microsoft has also expanded the configuration options in EMET 5.0, allowing admins to tune how individual mitigations are applied to applications in their particular IT environment.
“Users can configure which specific memory addresses to protect with the HeapSpray Allocation mitigation using EMET 5.0,” Microsoft said. “We continue to provide smart defaults for many of the most common applications used by our customers.”
Microsoft said it has also simplified the way EMET configuration changes can be pushed via Group Policy in Active Directory.
“They will no longer need to refresh the EMET configuration on each host or wait for an application refresh to make configuration changes to all hosts via group policy,” Ness said. “Configuration changes will take effect right away with the addition of the EMET Service.”
Microsoft has also added new facilities that help users monitor EMET’s logs for suspicious activity, and has improved its Certificate Trust feature, which lets administrators pin the root certificate authority expected for a given domain and flag or block connections to websites whose certificates chain to a different, untrusted root.
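A way to review what EMET has logged on a host, as an added example that is not part of the article or of Microsoft's tooling. It assumes EMET 5.0 writes its events to the Windows Application log under the provider name `EMET` (confirm with `Get-WinEvent -ListProvider EMET` on a machine where EMET is installed); the function name `Get-EmetEvents` and the 24-hour window are choices made here.

```powershell
# Added example (not from the article or from Microsoft): pull EMET's own events
# from the Application log and summarize them for a quick triage pass.
# Assumption: EMET logs under the provider name "EMET" in the Application log.
function Get-EmetEvents {
    param([int]$Hours = 24)   # look-back window; assumed default of one day
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'EMET'; StartTime = $since } `
                 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

# Most frequent messages first: a mitigation firing repeatedly on one application
# is either an attack in progress or, more often, a compatibility false positive.
$events = Get-EmetEvents -Hours 24
$events | Group-Object -Property Message | Sort-Object -Property Count -Descending |
    Select-Object Count, @{ Name = 'Message'; Expression = { $_.Name } } |
    Format-Table -AutoSize -Wrap

# Full detail of the newest entries for the analyst to read.
$events | Sort-Object -Property TimeCreated -Descending | Select-Object -First 20 | Format-List
```

Run this on a host where EMET reported a block and compare the application and mitigation named in the message with the running exploit, if any; a mitigation that fires on a known-good internal application is a candidate for an exception in the profile rather than an incident.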
“All EMET users are going to benefit from the way we refactored many components of the EMET 5.0 engine to maximize application compatibility and reduce false positives, and from the work we did with popular anti-malware products to ensure application compatibility,” Ness said.