Microsoft understands, though, that many businesses can’t just jump on the latest software every time there is a new release. Microsoft also recognizes that third-party vendors may drop the ball on some areas of application security. So, Microsoft developed EMET (the Enhanced Mitigation Experience Toolkit) to give IT admins the tools to apply modern security controls and attack mitigations to legacy operating systems and applications.
Recently, Microsoft rolled out a new release of EMET. A Microsoft Security Research & Defense blog post describes what’s new:
- EMET is an officially-supported product through the online forum.
- “Bottom-up Rand” new mitigation randomizes (8 bits of entropy) the base address of bottom-up allocations (including heaps, stacks, and other memory allocations) once EMET has enabled this mitigation.
- Export Address Filtering is now available for 64 bit processes. EAF filters all accesses to the Export Address Table, which blocks most of the existing shellcodes.
- Improved command line support for enterprise deployment and configuration.
- Ability to export/import EMET settings.
- Improved SEHOP (structured exception handler overwrite protection) mitigation.
- Minor bug fixes.
Microsoft was quick to point out, however, that the Flash Player attack would not work on Excel 2010. A Microsoft Security Research & Defense blog post explains, “The current attacks do not bypass the Data Execution Prevention security mitigation (DEP). Microsoft Office 2010 turns DEP on for the core Office applications, and this will also protect Flash Player when it is loaded inside an Office application. In addition to that, users of the 64 bit edition of Microsoft Office 2010 have even less exposure to the current attacks as the shellcode for all the exploits we’ve seen will only work on a 32 bit process.”
Fair enough. Office 2010 provides better security than previous versions of Office, and the 64-bit version of Office 2010 is even more secure still. Many organizations still rely on Office 2007 or earlier releases, though–so are they just out of luck?
Fortunately, Microsoft provides a better solution than simply suggesting that everyone upgrade to Office 2010. Microsoft offers a tool called the Enhanced Mitigation Experience Toolkit, or EMET. The tool lets you apply mitigations to older software that lacks the security controls built into current products, so that legacy applications get a measure of the same protection.
The Microsoft blog post says, “Turning on EMET for the core Office applications will enable a number of security protections called security mitigations. The exploits we’ve seen so far are broken by three of these mitigations: DEP, Export Address Table Access filtering (EAF), and HeapSpray pre-allocation. EMET is of value even to Microsoft Office 2010 as it has the first of the three enabled by default, but does not have the second or third ones.”
I highly suggest you download EMET and take a look at what it can do for you. It can help with newer software, but for legacy software it is a must-have.