Microsoft releases Enhanced Mitigation Experience Toolkit (EMET) 4.0 Beta

I have talked about Microsoft's Enhanced Mitigation Experience Toolkit (short EMET) before here on Ghacks and do not want to rehash everything that has already been said about it in the past. So what does it do? Think of it as an extra layer of security that steps in if someone tries to exploit a vulnerability on your operating system that has not been patched yet. EMET is not patching security vulnerabilities, but blocking access to known and unknown exploits that attackers may use to break in to the system.

The last EMET update dates back to 2012  that was released in form of a technology preview that added four additional Return Orientated Programming (ROP) attack mitigations to the security program.

Microsoft released the first public beta of the upcoming Enhanced Mitigation Experience Toolkit 4.0 two days ago. The program is available for download at Microsoft's Download Center and compatible with all client and server based versions of the Windows operating system that are still supported by Microsoft (so Windows XP SP3 and Windows Server 2003 Service Pack 2 onwards).

So what is new in the new EMET version?

The interface has not changed much on first glance. You find one new option listed under System Status when you open the program interface. Certificate Trust (Pinning) is the new feature that is enabled by default. What it does?

It makes available a set of rules to validate digitally signed certificates while using Internet Explorer. The rules match domains with the Root Certificate Authority, and variations discovered during the check are indicators of a potential man-in-the-middle attack that is carried out. Exceptions can be configured so that certificates may be accepted even if some rules do not match.

EMET 4.0 features additional improvements and feature additions:

Advanced settings for ROP mitigations block techniques that try to bypass the mitigations. You find those new features under Configure > Applications > Options > Advanced Configuration. Deep Hooks, Anti Detours and Banned Functions are all enabled by default. Here you can also define the action that you want taken when exploits are detected. The default action is to stop the program, and you can change that to audit only instead.

Several compatibility issues that users encountered in previous EMET versions have been resolved. This includes fixes for Internet 8's Managed Add-ons dialog, Internet Explorer 9 and the Snipping Tool, Internet Explorer 10 on Windows 8, Office software through SharePoint and Access 2010 when certain mitigations were enabled. Microsoft furthermore added several opt-in rules for select applications that are known to interact poorly in regards to certain mitigations. The list of support applications includes Google Chrome, Adobe Photoshop, Google Talk or Lync.

EMET 4.0 has reporting capabilities through a new component called EMET Agent which you will find running on the system after installation of the new version.  It replaces the EMET Notifier component that shipped with EMET 3. It is set to start automatically with Windows and handles tasks such as writing events to the Windows Event log, show events via tooltips in the notification area of the operating system, perform certificate trust validation tasks, and send reports for the Early Warning Program feature.

You can configure the Reporting under Configure > Reporting in the application window. Here you can opt out of the Early Warning Program, disable the tray icon and writing to the event log.

Emet 4.0 comes with Group Policy support. EMET.admx and EMET.adml files are automatically installed alongside the program and added to the Deployment/Group Policy Files folder of the installation directory. These files can be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US folders. Once done, EMET configurations become available in Group Policy.

Advanced users can enable so called unsafe settings via the Windows Registry. Do the following to enable it:

1. Tap on the Windows-key, type regedit and tap on the Enter-key.
2. Accept the UAC prompt if it is displayed.
3. Navigate to the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EMET
4. Locate the parameter EnableUnsafeSettings
5. Double-click on the name and change its value to 1 to enable it.

You need to restart the graphical user interface before the new option becomes available. The only unsafe option that is currently available is to set ASLR to always on.  Microsoft notes that setting it to always on may throw a blue screen on some systems during boot. If that is the case, the company recommends booting into Safe Mode and setting the ASLR setting to Opt In or disabled instead.

Other features and changes include:

• Switch to the Microsoft .NET Framework 4.0.
• Protection for processes that do not have .exe extensions.
• New default profiles for migitations and Certificate Trust (you find those under Deployment > Protection Files in the program folder).
• Wildcard support when adding applications to the protected programs list.

You can read the official announcement over at Microsoft's Security Research & Defense blog and consult the user guide that is put into the program folder for additional information.

Advertisement