Microsoft EMET


Swift Forensics

Apr 19, 2013, 8:14:08 AM
to null-...@googlegroups.com
Interesting new tool from MS:

Download EMET 4.0 Beta from Official Microsoft Download Center:
http://www.microsoft.com/en-us/download/details.aspx?id=38761

The Enhanced Mitigation Experience Toolkit (EMET) is designed to help 
prevent hackers from gaining access to your system. The new EMET 4.0 
(Beta) features provide a preview of what's in store for the final 
version. Please note that this is a "Beta" release. It is not ready for 
wide enterprise deployment. The latest official EMET release, EMET V3, 
is ready for enterprise deployment.

Below is a summary of the features and changes that are included with 
the EMET 4.0 Beta release:

• Certificate Trust: considering the rise of PKI-related attacks, we 
decided to implement configurable SSL certificate pinning to try to 
detect Man-in-the-Middle attacks that leverage SSL/TLS certificates. The 
Certificate Trust feature in EMET is rule-based and allows pinning a 
specific SSL/TLS certificate to a trusted Root Certificate Authority.

• ROP mitigations and hardening: in the last Technical Preview release 
of EMET, we introduced some mitigations to try to stop ROP-based attacks 
by implementing some of the winning ideas of the BlueHat Prize contest. 
With this new EMET release we hardened the ROP and other mitigations to 
detect and stop novel attack techniques. For example, EMET 4.0 beta is 
able to stop one ASLR/DEP bypass technique presented at this year's 
CanSecWest.

• Early Warning Program: this feature will allow EMET to send contextual 
data back to Microsoft, through the standard Windows Error Reporting 
channel, every time that an exploit has been detected and stopped. We 
are adding this feature to help us respond to new 0day exploits as soon 
as possible.

• Audit mode: if an exploit is detected, EMET will not kill the attacked 
process but will just report the attack and let the process continue. 
This mode is only applicable to certain mitigations, for example the 
ROP-related ones, that detect the attack when the process is not already 
in a crashed state. This feature is useful for enterprise customers for 
testing purposes and to spot false positives and app-compat problems 
without compromising the user experience.

EMET 4.0 beta also includes several bug fixes and UI changes to improve 
the overall user experience. Also, at the end of the installation, EMET 
will automatically import settings to protect Internet Explorer, 
Microsoft Office, Adobe Acrobat/Reader, and Oracle Java, as well as a 
pre-defined set of rules for the Certificate Trust feature that will 
monitor the main Microsoft online services. More information is 
available in the User Guide, available in the EMET installation folder. 
Please remember that EMET 4.0 requires .NET Framework 4, and in order to 
protect Internet Explorer 10 on Windows 8 you need to install KB2790907, 
a mandatory AppCompat update that was released on March 12th.
Software vulnerabilities and exploits have become an everyday part of 
life. Virtually every product has to deal with them and consequently, 
users are faced with a stream of security updates. For users who get 
attacked before the latest updates have been applied or who get attacked 
before an update is even available, the results can be devastating: 
malware, loss of PII, etc.

Security mitigation technologies are designed to make it more difficult 
for an attacker to exploit vulnerabilities in a given piece of software. 
EMET allows users to manage these technologies on their system and 
provides several unique benefits:

1. *No source code needed:* Until now, several of the available 
mitigations (such as Data Execution Prevention) have required an 
application to be manually opted in and recompiled. EMET changes this by 
allowing a user to opt in applications without recompilation. This is 
especially handy for deploying mitigations on software that was written 
before the mitigations were available and when source code is not 
available.

2. *Highly configurable:* EMET provides a higher degree of granularity 
by allowing mitigations to be individually applied on a per-process 
basis. There is no need to enable an entire product or suite of 
applications. This is helpful in situations where a process is not 
compatible with a particular mitigation technology. When that happens, a 
user can simply turn that mitigation off for that process.

3. *Helps harden legacy applications:* It's not uncommon to have a hard 
dependency on old legacy software that cannot easily be rewritten and 
needs to be phased out slowly. Unfortunately, this can easily pose a 
security risk as legacy software is notorious for having security 
vulnerabilities. While the real solution to this is migrating away from 
the legacy software, EMET can help manage the risk while this is 
occurring by making it harder for hackers to exploit vulnerabilities in 
the legacy software.

4. *Ease of use:* The policy for system-wide mitigations can be seen and 
configured with EMET's graphical user interface. There is no need to 
locate and decipher registry keys or run platform-dependent 
utilities. With EMET you can adjust settings with a single consistent 
interface regardless of the underlying platform.

5. *Ease of deployment:* EMET comes with built-in support for enterprise 
deployment and configuration technologies. This enables administrators 
to use Group Policy or System Center Configuration Manager to deploy, 
configure and monitor EMET installations across the enterprise environment.

6. *Ongoing improvement:* EMET is a living tool designed to be updated 
as new mitigation technologies become available. This provides a chance 
for users to try out and benefit from cutting-edge mitigations. The 
release cycle for EMET is also not tied to any product. EMET updates can 
be made dynamically as soon as new mitigations are ready.

The toolkit includes several pseudo mitigation technologies aimed at 
disrupting current exploit techniques. These pseudo mitigations are not 
robust enough to stop future exploit techniques, but can help prevent 
users from being compromised by many of the exploits currently in use. 
The mitigations are also designed so that they can be easily updated as 
attackers start using new exploit techniques.

--

Yogesh Khatri
www.swiftforensics.com
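As an added illustration of the rule-based Certificate Trust check and the Audit mode behaviour described in the forwarded announcement: the code below is example code written for this post, not EMET's own implementation. The certificate objects, hostnames, rule format and "DER" bytes are all constructed assumptions; only the idea (a hostname is pinned to the thumbprint of a trusted root CA, and a mismatch is blocked in enforce mode but merely reported in audit mode) comes from the announcement.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed, not real DER)."""
    subject: str
    issuer: str
    der: bytes  # placeholder bytes standing in for the DER encoding

    def thumbprint(self) -> str:
        # Windows-style thumbprint: SHA-1 over the DER encoding, upper-case hex
        return hashlib.sha1(self.der).hexdigest().upper()


@dataclass(frozen=True)
class PinRule:
    """Pinning rule: this hostname may only chain to one of these root thumbprints."""
    hostname: str
    allowed_root_thumbprints: frozenset


def find_root(chain):
    """Return the self-issued certificate in the chain (the root), or None."""
    for cert in chain:
        if cert.subject == cert.issuer:
            return cert
    return None


def evaluate_chain(hostname, chain, rules, audit_mode=False):
    """Apply the pinning rule for `hostname` to a presented chain (leaf first).

    Returns {'action': 'allow' | 'block' | 'report', 'reason': str}.
    A mismatch is blocked in enforce mode; in audit mode it is only reported,
    mirroring the Audit mode behaviour described in the announcement.
    """
    rule = rules.get(hostname)
    if rule is None:
        return {"action": "allow", "reason": "no pinning rule for this host"}
    leaf = chain[0]
    if f"CN={hostname}" not in leaf.subject:
        reason = f"leaf subject {leaf.subject!r} does not name {hostname}"
    else:
        root = find_root(chain)
        if root is None:
            reason = "chain does not terminate in a self-issued root"
        elif root.thumbprint() in rule.allowed_root_thumbprints:
            return {"action": "allow", "reason": "root CA matches pinned thumbprint"}
        else:
            reason = (f"root {root.subject!r} (thumbprint {root.thumbprint()[:8]}...) "
                      f"is not pinned for {hostname}")
    return {"action": "report" if audit_mode else "block", "reason": reason}


# --- constructed sample data (hypothetical names, not real certificates) ---
TRUSTED_ROOT = Cert("CN=Example Trusted Root", "CN=Example Trusted Root",
                    b"constructed-der:trusted-root")
TRUSTED_INTER = Cert("CN=Example Issuing CA", "CN=Example Trusted Root",
                     b"constructed-der:trusted-inter")
GOOD_LEAF = Cert("CN=login.example.test", "CN=Example Issuing CA",
                 b"constructed-der:good-leaf")

# A second, untrusted root vouching for the same hostname (what a MITM
# with a rogue or compromised CA would present).
ROGUE_ROOT = Cert("CN=Rogue Root", "CN=Rogue Root", b"constructed-der:rogue-root")
ROGUE_LEAF = Cert("CN=login.example.test", "CN=Rogue Root",
                  b"constructed-der:rogue-leaf")

RULES = {
    "login.example.test": PinRule("login.example.test",
                                  frozenset({TRUSTED_ROOT.thumbprint()})),
}

GOOD_CHAIN = [GOOD_LEAF, TRUSTED_INTER, TRUSTED_ROOT]
ROGUE_CHAIN = [ROGUE_LEAF, ROGUE_ROOT]


if __name__ == "__main__":
    for name, chain in (("good", GOOD_CHAIN), ("rogue", ROGUE_CHAIN)):
        for audit in (False, True):
            r = evaluate_chain("login.example.test", chain, RULES, audit_mode=audit)
            print(f"{name:5} audit={audit!s:5} -> {r['action']:6} {r['reason']}")
```

The rule deliberately pins the root CA rather than the leaf certificate, which is the shape the announcement describes: the service can rotate its leaf and intermediate certificates freely, and only a chain that ends in a different root trips the rule. Running the block with audit mode on and off shows the practical difference for a rollout: the same mismatch yields "report" (log and continue) versus "block".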