Microsoft used the annual security extravaganza known as the RSA Conference to take the wraps off a technical preview of the latest version of their Enhanced Mitigation Experience Toolkit (EMET). We’ve written a bit about EMET already here at the Petri IT Knowledgebase, so you can also check out Russell Smith’s post about securing legacy applications on Windows Server 2012 R2 and Windows 8.1 using EMET 4.1 for some real-world applications of the current version (4.1) of the EMET tool.
If you don’t know EMET from Emmet — the star of The LEGO Movie — here’s a quick refresher. EMET is a free software tool that system administrators (and security professionals) can use to help provide additional protection for the software in your IT environment. Microsoft Security Program Manager Gerardo Di Giacomo described EMET in more detail in a blog post on Technet:
“[EMET] helps prevent memory corruption vulnerabilities in software from being successfully exploited for code execution. It does so by opting in software to the latest security mitigation techniques. The result is that a wide variety of software is made significantly more resistant to exploitation – even against zero day vulnerabilities and vulnerabilities for which an update is not available or has not yet been applied.”
Giacomo also explains in his post that EMET works with all modern Windows OSes, including Windows XP, Windows Vista, Windows 7, and Windows 8. EMET also can be used with existing tools that admins use to deploy, configure, and monitor their IT environments.
What Microsoft announced at the RSA Conference this week is a technical preview for EMET 5.0 that adds a number of new features to this popular free tool, namely export address table filtering plus (EAF+) and Attack Surface Reduction (ASR). Microsoft is demonstrating EMET 5.0 at the is booth (# 3005) at RSA Conference 2014 in San Francisco this week, but everyone can now download the EMET 5.0 technical preview from the EMET website on Technet.
To get more details on what EMET 5.0 is all about, I sat down with Jonathan Ness — Microsoft’s Principal Security Development Manager for EMET — just before Microsoft released the news about the update. Ness elaborated on what system administrators and security professionals can expect from the new EAF+ and ASR features.
According to Ness, EAF+ helps EMET protect software by disrupting and defeating various exploits by adding additional protection to KERNELBASE exports and preventing memory read operations on protected export tables, to name just a few features. “These changes improve defenses against exploit activity,” Ness said.
A screenshot showing an exploit on Internet Explorer being blocked by the EMET 5.0 Technical Preview EAF+ feature. (Source: Microsoft)
An ongoing concern for many security professionals is the frequently attacks against widely-deployed third-party software like Adobe Flash and Oracle Java. There have been dozens (if not hundreds) of exploits targeted on these two technologies alone, and Ness said that Microsoft wanted to give administrators even more help with securing their IT environments when required business apps needed those technologies to run properly.
Ness says that ASR is specifically designed to help mitigate the risk from those threats by blocking the use of specific technologies within an application. “You can configure EMET to allow use of security zones to prevent Internet Explorer from loading Java when users access public websites,” Ness said. “And then enable that use when the user is accessing applications on the company Intranet that require the use of Java.”
So do you currently use Microsoft’s EMET tool in your own IT environment? If so, I’d love to hear from you. Drop me an email with a photo, or touch base with me on Twitter, Google+, or Facebook (see below).