Microsoft shuffles Windows security deck with EMET 2.1

Microsoft just updated its security toolkit known as EMET, making it harder for hackers to get into your Windows systems. Use it with caution

Cursed by one of the worst acronyms in Microsoft's tongue-tied security arsenal, the latest version of EMET (Enhanced Mitigation Experience Toolkit) promises to shuffle the deck a little bit, making it harder for crackers to get into your Windows systems. But the additional security comes at a compatibility price.

A quick primer on Windows security technologies.

  • Data Execution Prevention (DEP) keeps programs from running in locations that should contain data -- it makes buffer overflow attacks considerably more difficult.
  • Address Space Layout Randomization (ASLR) shuffles pieces of programs around so that they're located in unpredictable portions of memory, making it harder for a rogue program to jump some place it shouldn't.
  • Structured Exception Handler Overwrite Protection (SEHOP) checks chains of interruptions -- exception handlers -- inside Windows to make sure they aren't hijacked, thereby making stack overflows more difficult.
  • Export Address Table Filtering (EAF) gets in the way of malware "shellcode" as it looks up Windows command locations.
  • Heap Spray Allocation (HSA) blocks attempts by well-known malware to "spray" itself into memory by pre-allocating favored locations.
  • Null Page Allocation (NPA) guards against a piece of malware running itself by taking over a "null" page -- a technique that's never been seen in the wild.
  • Bottom-Up Rand (BUR), new with EMET 2.1, adds a random offset to the base of stacks and heaps, making it harder than heck for hacks to hop in a heap. Ahem.

EMET enables DEP, ASLR, SEHOP, EAF, HSA, NPA, and BUR on PCs. A veritable acronym attack.

More precisely, right now, every Windows program comes with two bits that determine whether the program wants to run with DEP and/or ASLR. (I talked last July about a few surprising applications that didn't run DEP or ASLR.) EMET allows you to override the software manufacturer's choice and manually turn on DEP and/or ASLR for each specific application. In addition to turning on ASLR for an appliction, you can force ASLR shuffling on every DLL association with a specific application -- a technique known as "Mandatory ASLR." (ASLR won't work on XP or Server 2003.)

DEP and ASLR are very effective but not bulletproof; earlier this month, DEP and ASLR, working together, fell to a pwn attack by security firm Vupen.

SEHOP works, but it's easy to bypass, if the malware writer knows it'll be there. (SEHOP, too, won't work on XP or Server 2003.) Stefan Le Berre and Damien Cauquil at Sysdream IT Security Services have published a white paper on bypassing SEHOP.

EAF is fine-tuned to specific malware attacks and can be bypassed relatively easily, as described on the Skypher blog. Similarly, Heap Spray Allocation is designed to block currently known malware; it's not a broad-spectrum antibiotic.

NPA protects against an adversary that hasn't yet been seen. BUR is a very clever disorganizer that trips up several common heap-based attacks.

All of them can be turned on or off for every program on your PC. But this protection has a price, and that price is stability.

When Microsoft released EMET 2.0 last November, Google reported a complicated conflict between EMET and Chrome; and Adobe had problems between EMET, Reader and Acrobat. As Gregg Keizer reported at the time, Microsoft had to get a quick patch out the door.

Download EMET 2.1 from Microsoft's Download Center, but be sure you check for known compatibility issues on the Security TestCenter forum and test it thoroughly in your environment before deploying. There are corporate rollout concerns, as well, if you're thinking of deploying to a large number of users. If you have EMET 2.0, Microsoft says you can install EMET 2.1 on top of it, and all of your settings will be honored.

This article, "Microsoft shuffles Windows security deck with EMET 2.1," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest business technology news, follow InfoWorld.com on Twitter.

Recommended
Join the discussion
Be the first to comment on this article. Our Commenting Policies