Microsoft security tool EMET 5.0 puts a leash on plugins
By Jeremy Kirk
The latest release of a Microsoft security tool that’s designed to stop exploits lets administrators control when third-party plugins are launched, a long favored route for attackers.
Microsoft has been steadily improving and adding more capabilities to the Enhanced Mitigation Experience Toolkit (EMET), a free tool that strengthens the security of non-Microsoft applications by using defenses built within Windows, such as ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention).
The latest 5.0 iteration, released Thursday, includes something called “Attack Surface Reduction,” which can block some of an application’s modules or plugins that might be abused, wrote Chris Betz, senior director of the Microsoft Security Response Center.
He wrote that Microsoft Word, for example, can be prevented from loading an Adobe Flash Player plugin or allow Java plugins to only run from intranet-zone sites rather than outside ones.
Third-party software is often favored by hackers as finding vulnerabilities in the Windows operating system has become more difficult. Java, an application framework for running applications, is often targeted, as well as applications from Adobe Systems.
EMET has been configured by default to block Adobe’s Flash plugin from being loaded by Word, Excel and PowerPoint.
Another improvement to EMET deals with digital certificates, which are used to secure a SSL (Secure Socket Layer) connection, Betz wrote. EMET now has a blocking mode that will tell Internet Explorer to halt an SSL connection if an untrusted certificate is detected without sending session data.
Microsoft also hardened EMET in light of successful efforts at bypassing mitigations in its 4.0 version. Earlier this year, researchers from Bromium, which develops security technologies based on micro-virtualization, found that more technical hackers could bypass all of EMET’s protections.
The company worked on hardening EMET against bypass techniques, which are possible “when a memory corruption within an EMET-protected application can be abused to overwrite selected memory areas and corrupt data belonging to EMET itself,” according to a technical writeup.