What’s New in Microsoft EMET 5.2
In this Ask the Admin, I’ll run through the new features in Microsoft’s free Enhanced Mitigation Experience Toolkit (EMET).
Last week Microsoft released an update to its Enhanced Mitigation Experience Toolkit, a tool used by organizations to provide additional protection to critical line-of-business apps against zero-day attacks. In the latest update to the toolkit, which can be downloaded here, Microsoft has added support for a new feature in Visual Studio 2015 that allows developers to strengthen binaries against hackers exploiting indirect-calls by calling invalid targets, a mitigation against recently observed so-called VBScript God Mode attacks, and finally support for Modern IE in Windows 8.1 and desktop IE with Enhanced Mode enabled.
Control Flow Guard
Microsoft has recompiled EMET using Visual Studio 2015’s Control Flow Guard technology, which is supported in Windows 8.1 Update 3 and Windows 10. While EMET is unable to add the protection Control Flow Guard provides to your business app binaries, EMET itself is protected by the technology, making it harder to circumvent the protections it provides. Microsoft recommends that you recompile your business apps using Visual Studio 2015 using Control Flow Guard.
By adding extra data to an app’s binaries at compile time, containing information about any location in memory that an indirect-call might reach in the case of a buffer overflow attack, i.e. when an attacker purposefully tries to break out of an area reserved to hold input by supplying more data than expected, Control Flow Guard can stop these types of attacks in their tracks.
Say Goodbye to Traditional PC Lifecycle Management
Traditional IT tools, including Microsoft SCCM, Ghost Solution Suite, and KACE, often require considerable custom configurations by T3 technicians (an expensive and often elusive IT resource) to enable management of a hybrid onsite + remote workforce. In many cases, even with the best resources, organizations are finding that these on-premise tools simply cannot support remote endpoints consistently and reliably due to infrastructure limitations.
This kind of protection is necessary, because no matter how well a programmer checks their code for issues that might lead to a buffer overflow, it’s impossible to guarantee that every potential problem area in the code can be identified.
VBScript God Mode
VBScript is blocked when Enhanced Protected Mode is turned on in Internet Explorer, but because it might cause compatibility problems with some websites and add-ons, Enhanced Protected Mode is not enabled out-of-the-box. If you’re not able to turn on Enhanced Protected Mode, which can be found in the Internet Options Control Panel applet on the Advanced tab under Security, then EMET can help protect you in the latest update.
Unlike the local shell, use of VBScript is restricted in the browser by default according to some simple flags that can be easily modified to enable VBScript God Mode, allowing an attacker to work unrestricted.
Support for Modern IE and Enhanced Protected Mode
Last but not least, EMET now includes support for reporting from Modern IE in Windows 8.1, which is important especially for tablet users, and when Enhanced Protected Mode is turned on in the desktop version of Internet Explorer.
Introduced in IE10, Enhanced Protected Mode provides a safer browsing experience by forcing the use of 64-bit processes on 64-bit versions of Windows, making Address Space Layout Randomization (ASLR) memory protection more effective; and heap spray attacks, where an attacker attempts to fill up all the available memory, impractical due to the large 64-bit address space.
Enhanced Protected Mode uses a broker process to provide IE with access to personal information, such as personal files when you click Open in a file dialog for example. This ensures that IE is given access only when a user explicitly allows it, rather than all of the time.
Finally, there are several protections for domain-joined PCs. Tabs where Internet pages are loaded are blocked from accessing a user’s domain credentials and connecting to local intranet servers. Additionally, tabs cannot operate as local webservers, making it harder for an attacker to impersonate an intranet site.