Microsoft Releases EMET 5.0 Tech Preview

Microsoft’s Enhanced Mitigation Experience Toolkit might not provide complete protection against malware, but it certainly is a valuable tool for dealing with malware problems …

One of the programs that I install instantly after setting up a new PC with Windows is Microsoft’s Enhanced Mitigation Experience Toolkit EMET. The program adds another layer of defense to the operating system and springs to action when malware is executed on the system. It can mitigate attacks so that they are not successful at all or reduced in scope.

It should be clear that this is not a 100% protection against malware, but it does add a level of protection to the system that can be quite useful if attackers do not target EMET directly as well.

Microsoft has released a Tech Preview of EMET 5.0, the upcoming version of the Enhanced Mitigation Experience Toolkit.

EMET 5.0 introduces two new mitigations to the 12 security mitigations of version 4.1 which improve the defensive capabilities of the program further.

Attack Surface Reduction (ASR)

ASR has been designed to block certain plugins from being loaded from within applications. You can configure applications in EMET to block the loading of plugins automatically. Basic examples are to block the execution of Flash code in Microsoft Word, or Internet Explorer from loading the Java plugin on Internet Zone websites while allowing it to be loaded on Intranet Zone websites.

EMET 5.0 Technical Preview is configured by default to block certain plug-ins from being loaded in Internet Explorer, Microsoft Word and Excel.

attack surface reduction

The list of blocked modules and the security zones the modules are allowed to be loaded are defined in the Windows Registry.

HKLM\SOFTWARE\Microsoft\EMET\_settings_\{CLSID}\asr_modules = “…”
HKLM\SOFTWARE\Microsoft\EMET\_settings_\{CLSID}\asr_zones = “…”

The module flash*.ocx is blocked from loading in winword.exe and excel.exe, while the modules npjpi*.dll;jp2iexp.dll;vgx.dll;flash*.ocx are blocked from being loaded in Internet Explorer on Local, Internet and Untrusted Zone websites.

You can add or remove module, or modify zones for these three programs or for other programs that you have added to eMET.

Export Address Table Filtering Plus (EAF+)

emet-protection

New capabilities have been added to the existing EAF functionality.  EAF+ adds the following safeguards when enabled:

  • Add protection for KERNELBASE exports in addition to the existing NTDLL.DLL and KERNEL32.DLL
  • Perform additional integrity checks on stack registers and stack limits when export tables are read from certain lower-level modules
  • Prevent memory read operations on protected export tables when they originate from suspicious modules that may reveal memory corruption bugs used as “read primitives” for memory probing

EAF+ is enabled by default. You can disable the feature with a click on Apps in the EMET interface and a click on the EAF+ box under mitigation settings in the ribbon.

Other improvements

The Deep Hooks mitigation setting is enabled in the technical preview of EMET. The feature was disabled by default previously due to third-party application incompatibilities.

These compatibility issues appear to have been resolved according to Microsoft, which is why Deep Hooks is enabled by default now.

Note that this is only the case for the Technical Preview, and that Microsoft will evaluate this during the preview phase. It is theoretically possible that EMET 5.0 final will ship with it disabled again depending on the outcome.

In addition, several compatibility issues were fixed including one involving Adobe Reader and the “MemProt” mitigation.

Download

If you are interested in running the EMET 5.0 Technical Preview, visit the official website of the program to download it. You find the download link in the right sidebar section on the homepage.

Here you can also download the updated guide that walks you through all the features and settings of the application.

Link to Original Content

Tags: , , ,

Comments are closed.