14 October 2013

IT Security with EMET 4.0


What is the Enhanced Mitigation Experience Toolkit (EMET)?

The Enhanced Mitigation Experience Toolkit (EMET) is a utility that helps prevent vulnerabilities in software from being successfully exploited. EMET achieves this goal by using security mitigation technologies. These technologies function as special protections and obstacles that an exploit author must defeat to exploit software vulnerabilities. These security mitigation technologies do not guarantee that vulnerabilities cannot be exploited. However, they work to make exploitation as difficult as possible to perform.

The new EMET 4.0 also provides a configurable SSL/TLS certificate pinning feature that is called Certificate Trust. This feature is intended to detect man-in-the-middle attacks that are leveraging the public key infrastructure (PKI).

Are there restrictions as to the software that EMET can protect?

EMET can work together with any software, regardless of when it was written or by whom it was written. This includes software that is developed by Microsoft and software that is developed by other vendors. However, you should be aware that some software may not be compatible with EMET. For more information about compatibility, see the "Are there any risks in using EMET?" section.

What are the requirements for using EMET?

EMET 3.0 requires the Microsoft .NET Framework 2.0. EMET 4.0 requires the Microsoft .NET Framework 4.0. Additionally, for EMET to work with Internet Explorer 10 on Windows 8, KB2790907 must be installed.

Where can I download EMET?

To download EMET, go to the related Microsoft TechNet page:

Download EMET 4.0
The Enhanced Mitigation Experience Toolkit

How do I use EMET to protect my software?

After you install EMET, you must configure EMET to provide protection for a piece of software. This requires you to provide the name and location of the executable file that you want to protect. To do this, use one of the following methods:

  • Work with the Application Configuration feature of the graphical application.

  • Use the command prompt utility.

If you want to use the Certificate Trust feature that was released in EMET 4.0, you have to provide the list of the websites that you want to protect and certificate pinning rules that apply to those websites. To do this, you have to work with the Certificate Trust Configuration feature of the graphical application. Or, you can use the new Configuration Wizard. This enables you to automatically configure EMET with the recommended settings.

Note: Instructions for how to use EMET are in the user's guide that is installed together with the toolkit.

How can I deploy EMET across the enterprise?

The easiest way to deploy the current version of EMET across an enterprise is by using enterprise deployment and configuration technologies. The current versions have built-in support for Group Policy and System Center Configuration Manager. For more information about how EMET supports these technologies, please refer to the EMET user's guide.

You can also deploy EMET by using the command prompt utility. To do this, follow these steps:

Install the .msi file on each destination computer. Or, put a copy of all the installed files on a network share.

Run the command prompt utility on each destination computer to configure EMET.

Are there any risks in using EMET?

The security mitigation technologies that EMET uses have an application-compatibility risk. Some applications rely on exactly the behavior that the mitigations block. It is important to thoroughly test EMET on all target computers by using test scenarios before you deploy EMET in a production environment. If you encounter a problem that affects a specific mitigation, you can individually enable and disable that specific mitigation. For more information, refer to the EMET user's guide.

What is the latest version of EMET?

A new version of EMET, EMET 4.0, was made available on June 17, 2013. For more information about the latest version of EMET, go to the following TechNet website:

The Enhanced Mitigation Experience Toolkit

How can I get support for EMET?

Customers who are using EMET 3.0 or EMET 4.0 and who have access to Microsoft Services Premier and Professional Support can receive fee-based advisory support through these channels. Customers who do not have Premier or Professional contracts can receive support through the following official support forum:

Enhanced Mitigation Experience Toolkit (EMET) Support

EMET is a free utility that helps prevent memory corruption vulnerabilities in software from being successfully exploited for code execution. It does so by opting software in to the latest security mitigation techniques. The result is that a wide variety of software is made significantly more resistant to exploitation, even against zero-day vulnerabilities and vulnerabilities for which an available update has not yet been applied.

The feature set for this new version of the tool was inspired by our desire for EMET to be an effective mitigation layer for a wider variety of potential software exploit scenarios, to provide stronger protections against scenarios where EMET protection already exists, and to have a way to respond to 0day exploits as soon as possible. Here are the highlights of the EMET 4.0 feature set:

  • EMET 4.0 detects attacks leveraging suspicious SSL/TLS certificates

  • EMET 4.0 strengthens existing mitigations and blocks known bypasses

  • EMET 4.0 addresses known application compatibility issues with EMET 3.0

  • EMET 4.0 enables an Early Warning Program for enterprise customers and for Microsoft

  • EMET 4.0 allows customers to test mitigations with "Audit Mode"

SSL/TLS Certificate Trust features

EMET 4.0 allows users to configure a set of certificate pinning rules to validate digitally signed certificates (SSL/TLS certificates) while browsing with Internet Explorer. This option allows users to configure a set of rules that match specific domains (through their SSL/TLS certificates) with the corresponding known Root Certificate Authority (RootCA) that issued the certificate. When EMET detects a change in the issuing RootCA for an SSL certificate configured for a domain, it reports this anomaly as an indicator of a potential man-in-the-middle attack.

Advanced users can also add exceptions for each pinning rule. This will allow EMET to accept SSL/TLS certificates even if the pinning rule doesn’t match. Exceptions are related to some properties of the RootCA certificate, such as key size, hashing algorithm, and issuer country.
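The following is an added example, not EMET's own code, that models how one Certificate Trust pinning rule with exceptions is evaluated: a connection is accepted when the observed root is pinned for the domain, accepted under the exception when an unpinned root meets every configured key-size, hash-algorithm and issuer-country property, and reported as an anomaly otherwise. All rule names, domains and root properties are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

@dataclass
class RootCA:               # properties of the root that terminates the observed chain
    name: str
    key_bits: int
    hash_alg: str           # signature hash algorithm, e.g. "sha256"
    country: str            # issuer country attribute

@dataclass
class PinRule:              # which roots may issue for a domain, plus exception properties
    domain: str
    pinned_roots: Set[str]
    # An unpinned root is still accepted when it meets every exception property
    # that is set; leaving all three unset disables exceptions for the rule.
    min_key_bits: Optional[int] = None
    allowed_hashes: Set[str] = field(default_factory=set)
    allowed_countries: Set[str] = field(default_factory=set)

def exception_applies(rule: PinRule, root: RootCA) -> bool:
    checks = []
    if rule.min_key_bits is not None:
        checks.append(root.key_bits >= rule.min_key_bits)
    if rule.allowed_hashes:
        checks.append(root.hash_alg in rule.allowed_hashes)
    if rule.allowed_countries:
        checks.append(root.country in rule.allowed_countries)
    return bool(checks) and all(checks)

def evaluate_chain(rules: Dict[str, PinRule], domain: str, root: RootCA) -> str:
    """Return 'unpinned', 'ok', 'exception' or 'anomaly' for one TLS connection."""
    rule = rules.get(domain)
    if rule is None:
        return "unpinned"      # no rule for this domain: nothing to compare
    if root.name in rule.pinned_roots:
        return "ok"            # issuing root is one of the pinned roots
    if exception_applies(rule, root):
        return "exception"     # root changed but meets the exception properties
    return "anomaly"           # report as a possible man-in-the-middle attack

# Constructed sample rules and observed roots (not real CA data).
RULES = {
    "mail.example.com": PinRule("mail.example.com", {"Example Root CA"}, min_key_bits=2048,
                                allowed_hashes={"sha256"}, allowed_countries={"US"}),
    "login.example.net": PinRule("login.example.net", {"Other Root CA"}),
}
EXPECTED = RootCA("Example Root CA", 4096, "sha256", "US")
STRONG_OTHER = RootCA("Strong Root CA", 2048, "sha256", "US")   # meets the exception
WEAK_OTHER = RootCA("Legacy Root CA", 1024, "sha1", "XX")       # fails it: anomaly
```

Calling evaluate_chain(RULES, "mail.example.com", WEAK_OTHER) returns "anomaly", the case that EMET would report; the same root against login.example.net, whose rule has no exception, is also an anomaly.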

Strengthened mitigations, blocking bypasses

Microsoft learned a great deal during the "Technical Preview" phase of EMET 3.5. They saw researchers poking at and presenting clever tricks to bypass EMET’s anti-ROP mitigations. EMET 4.0 blocks these bypasses. For example, instead of hooking and protecting only functions at the kernel32!VirtualAlloc layer of the call stack, EMET 4.0 will additionally hook lower-level functions such as kernelbase!VirtualAlloc and ntdll!NtAllocateVirtualMemory. These "Deep Hooks" can be configured in EMET’s Advanced Configuration. Microsoft has seen exploits attempt to evade EMET hooks by executing a copy of the hooked function prologue and then jumping to the function past the prologue. With EMET 4.0’s "Anti detours" option enabled, common shellcode using this technique will be blocked. Finally, EMET 4.0 also includes a mechanism to block calls to banned APIs. For example, a recent presentation at CanSecWest 2013 presented a method of bypassing ASLR and DEP via ntdll!LdrHotPatchRoutine. EMET 4.0’s "Banned API" feature blocks this technique.

Application compatibility fixes

Users of previous versions of EMET had encountered isolated compatibility issues when enabling mitigations on both Microsoft and third party software. EMET 4.0 addresses all these known app-compat issues. That list includes issues in the following areas:

- Internet Explorer 9 and the Snipping Tool

- Internet Explorer 8’s Managed Add-ons dialog

- Office software through SharePoint

- Access 2010 with certain mitigations enabled

- Internet Explorer 10 on Windows 8

The EMET 4.0 installer also opts in protection rules with certain mitigations disabled where Microsoft knows a mitigation interacts poorly with certain software. Examples include Photoshop, Office 2013’s Lync, GTalk, wmplayer, and Chrome.

Early Warning Program for enterprise customers and for Microsoft

When an exploitation attempt is detected and blocked by EMET, a set of information related to the attack is prepared with the Microsoft Error Reporting (MER) functionality. For enterprise customers collecting error reports via tools like Microsoft Desktop Optimization Package or the Client Monitoring feature of System Center Operations Manager, these error reports can be triaged locally and used as an early warning program indicating possible attacks against the corporate network. For organizations that typically send all error reports to Microsoft, this information will add to the set of indicators we use to hunt attacks in the wild, and will facilitate the remediation of issues with security updates before vulnerabilities become a large scale threat. The EMET Privacy Statement (available also via the main EMET window) includes more information about the type of data that will be sent in the error report via Microsoft Error Reporting. The Early Warning Program is enabled by default for the EMET 4.0 Beta and can be disabled in the EMET UI or via the EMET command line component. We are eager to hear customer feedback about this feature to help shape the Early Warning Program for the EMET 4.0 final release.

Audit Mode

When previous versions of EMET detected exploitation attempts, they would report the attack via the EMET agent and then terminate the program to block the attack. For EMET 4.0, in response to customer feedback, we provided an option to configure EMET’s behavior when it detects an exploitation attempt. The default option remains to terminate the application. However, customers wanting to test EMET in a production environment can instead switch to "Audit Mode" to report the exploitation attempt but not terminate the process. This setting is not applicable to all mitigations, but we provide this option whenever possible.

Other Improvements

EMET 4.0 includes a number of other improvements. The quantity of new features and volume of work put into this release is the reason Microsoft skipped the EMET 3.5 full release and jumped straight to EMET 4.0. Please refer to the EMET 4.0 Beta User's Guide for the full set of features, but here are several other highlights:

- EMET Notifier becomes EMET Agent, with new duties and functionalities

- More granular reporting options (tray icon, event log, both, or none)

- New default profiles for both mitigations and Certificate Trust

- Registry configuration to customize the EMET Agent’s messaging

- Optimized RopCheck for significantly better performance

- Numerous UI tweaks to make EMET easier to use

- Enable wildcard support when adding applications to be protected

- Allow processes to be protected even if they do not have .exe extension

- Switched to .NET Framework 4.0

- EMET is an officially supported Microsoft tool, with support available for customers with a Premier contract

Here is a quick overview of what EMET does. EMET allows users to force applications to use several key security defenses built into Windows, including Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP). Put very simply, DEP is designed to make it harder to exploit security vulnerabilities on Windows, and ASLR makes it more difficult for exploits and malware to find the specific places in a system’s memory that they need to do their dirty work.

EMET can force a non-Microsoft application to perform ASLR on every component it loads, whether the program wants it or not. Please note that before you install EMET, you’ll need to have Microsoft’s .NET Framework 4 platform installed. And while EMET does work on Windows XP (Service Pack 3 only), XP users cannot take advantage of mandatory ASLR and a few other notable protections included in this tool.

However, EMET includes several important security features that can help fortify third-party applications on XP. Namely, its "Structured Exception Handler Overwrite Protection," or SEHOP protection, which guards against the most common technique for exploiting stack overflows on Windows. Microsoft says this mitigation has shipped with Windows ever since Windows Vista Service Pack 1.

In addition to a revised user interface, EMET 4.0 includes a handful of new features that were bundled with the 3.5 tech preview version, such as novel methods of blocking an exploit technique called return-oriented programming (ROP). Attackers can leverage ROP to bypass DEP protections by using snippets of code that are already present in the targeted application.

One of the much-hyped new capabilities of EMET 4.0 is its "certificate trust" feature, which is designed to block so-called "man-in-the-middle" attacks that leverage counterfeit SSL certificates in the browser. The past few years saw several attacks that impersonated Webmail providers and other top Internet destinations using fraudulent digital certificates obtained from certificate authorities, including Comodo, DigiNotar and Turktrust. This feature is a nice idea, but it seems somewhat clunky to implement, and it only works to protect users who browse the Web with Internet Explorer. For tips on configuring and using this feature of EMET, check out this post.

If you have questions about EMET or run into issues with the program, check out the Microsoft support page for EMET (EMET Support), which lets you submit questions to the user community if you don’t see your problem addressed in a previous support thread.

The chart above indicates which system- and application-specific protections in EMET 4.0 are available for each supported version of Windows. Visit this link: http://www.microsoft.com/en-us/download/details.aspx?id=39273 to download EMET 4.0, as well as a detailed user guide on the software.

For more information please contact me at:

Drs. Albert Spijkers
DBA Consulting
web: http://www.dbaconsulting.nl
blog: DBA Consulting blog
profile: DBA Consulting profile
Facebook: DBA Consulting on Facebook
email: info@dbaconsulting.nl
