Microsoft fixes enterprise security tool after Google reports Chrome problems

Microsoft tweaks EMET to address hitches in Chrome, Adobe Reader updates

Microsoft on Wednesday patched an enterprise security tool that had blocked some copies of Chrome from updating.

The Enhanced Mitigation Experience Toolkit (EMET) "may have potential issues with the update functionality" of Google's Chrome and Adobe's Reader and Acrobat, Microsoft said.

[ The Web browser is your portal to the world -- as well as the conduit that lets in many security threats. InfoWorld's expert contributors show you how to secure your Web browsers in this "Web Browser Security Deep Dive" PDF guide. ]

EMET, a tool designed for enterprise IT, lets users manually enable important anti-exploit defenses in Windows like DEP (data execution prevention) and ASLR (address space layout randomization) for specific applications. It's often used to boost the security of older programs.

Microsoft also relies on EMET as a stop-gap in the face of active attacks. For example, in September Microsoft told Reader and Acrobat users to run the tool to fend off exploits some experts had called "scary."

Google noted the problem with Chrome on Tuesday in a blog post by a pair of its software engineers, who said EMET interfered with the browser's security and thwarted its usual silent updates.

Those engineers also argued that EMET was unnecessary. "Because Chrome already uses many of the same techniques (and more), EMET does not provide any additional protection," they wrote.

On Wednesday, Microsoft denied that EMET 2.0 monkeyed with Chrome's security.

"The issue affects only update mechanisms and has no security impact on any third-party products," said Dave Forstrom, a spokesman for the Microsoft Security Response Center (MSRC), in an e-mail reply to questions.

In Microsoft's explanation of the EMET compatibility glitch, engineers at MSRC said Adobe and Acrobat users who had configured the tool had been required to reboot their Windows PCs to finalize updates. Normally, Reader and Acrobat updates take effect after the programs have been relaunched and no reboot is necessary.

Chrome's situation was more complicated, the MSRC engineers said.

"This issue may affect machines with multiple users running Chrome at the same time with each instance configured for use with EMET," they explained. "If one of those instances is running as an admin [account], it will block the other running instances from self-updating."

Microsoft updated EMET to version 2.0.0.3 to solve the problems, and urged affected users to download and deploy the update.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His email address is gkeizer@computerworld.com.

Read more about browsers in Computerworld's Browsers Topic Center.

This story, "Microsoft fixes enterprise security tool after Google reports Chrome problems" was originally published by Computerworld.

From CIO: 8 Free Online Courses to Grow Your Tech Skills
Join the discussion
Be the first to comment on this article. Our Commenting Policies