
close
close
In this Ask the Admin, I’ll run through the new features in Microsoft’s free Enhanced Mitigation Experience Toolkit (EMET).
Last week Microsoft released an update to its Enhanced Mitigation Experience Toolkit, a tool used by organizations to provide additional protection to critical line-of-business apps against zero-day attacks. In the latest update to the toolkit, which can be downloaded here, Microsoft has added support for a new feature in Visual Studio 2015 that allows developers to strengthen binaries against hackers exploiting indirect-calls by calling invalid targets, a mitigation against recently observed so-called VBScript God Mode attacks, and finally support for Modern IE in Windows 8.1 and desktop IE with Enhanced Mode enabled.
advertisment
Microsoft has recompiled EMET using Visual Studio 2015’s Control Flow Guard technology, which is supported in Windows 8.1 Update 3 and Windows 10. While EMET is unable to add the protection Control Flow Guard provides to your business app binaries, EMET itself is protected by the technology, making it harder to circumvent the protections it provides. Microsoft recommends that you recompile your business apps using Visual Studio 2015 using Control Flow Guard.
Microsoft EMET 5.2 (Image Credit: Russell Smith)
By adding extra data to an app’s binaries at compile time, containing information about any location in memory that an indirect-call might reach in the case of a buffer overflow attack, i.e. when an attacker purposefully tries to break out of an area reserved to hold input by supplying more data than expected, Control Flow Guard can stop these types of attacks in their tracks.
This kind of protection is necessary, because no matter how well a programmer checks their code for issues that might lead to a buffer overflow, it’s impossible to guarantee that every potential problem area in the code can be identified.
VBScript is blocked when Enhanced Protected Mode is turned on in Internet Explorer, but because it might cause compatibility problems with some websites and add-ons, Enhanced Protected Mode is not enabled out-of-the-box. If you’re not able to turn on Enhanced Protected Mode, which can be found in the Internet Options Control Panel applet on the Advanced tab under Security, then EMET can help protect you in the latest update.
advertisment
Unlike the local shell, use of VBScript is restricted in the browser by default according to some simple flags that can be easily modified to enable VBScript God Mode, allowing an attacker to work unrestricted.
Last but not least, EMET now includes support for reporting from Modern IE in Windows 8.1, which is important especially for tablet users, and when Enhanced Protected Mode is turned on in the desktop version of Internet Explorer.
Introduced in IE10, Enhanced Protected Mode provides a safer browsing experience by forcing the use of 64-bit processes on 64-bit versions of Windows, making Address Space Layout Randomization (ASLR) memory protection more effective; and heap spray attacks, where an attacker attempts to fill up all the available memory, impractical due to the large 64-bit address space.
Enhanced Protected Mode uses a broker process to provide IE with access to personal information, such as personal files when you click Open in a file dialog for example. This ensures that IE is given access only when a user explicitly allows it, rather than all of the time.
advertisment
Finally, there are several protections for domain-joined PCs. Tabs where Internet pages are loaded are blocked from accessing a user’s domain credentials and connecting to local intranet servers. Additionally, tabs cannot operate as local webservers, making it harder for an attacker to impersonate an intranet site.
More from Russell Smith
advertisment
Petri Newsletters
Whether it’s Security or Cloud Computing, we have the know-how for you. Sign up for our newsletters here.
advertisment
More in Security
Build 2022: Microsoft Boosts Data Analytics and Cybersecurity in New Training & Certifications
May 24, 2022 | Rabia Noureen
Microsoft Defender for Office 365 to Get Preset Security Policy Improvements In June
May 23, 2022 | Rabia Noureen
CISA Warns Federal Agencies to Mitigate Critical VMware Vulnerabilities by May 23
May 20, 2022 | Rabia Noureen
CISA Warns Windows Admins Against Applying May Patch Tuesday Updates on Domain Controllers
May 17, 2022 | Rabia Noureen
Most popular on petri
Log in to save content to your profile.
Article saved!
Access saved content from your profile page. View Saved
Join The Conversation
Create a free account today to participate in forum conversations, comment on posts and more.
Copyright ©2019 BWW Media Group