Threat Mitigation with EMET 4.0

Published: June 24, 2013

Author: Gerardo Di Giacomo, Security Program Manager, MSRC Software Security Incident Response

In June, we released version 4.0 of the Microsoft Enhanced Mitigation Experience Toolkit (EMET), which you can download from www.microsoft.com/emet.

For those of you unfamiliar with EMET, it is a free utility that helps prevent memory corruption vulnerabilities in software from being successfully exploited for code execution. It does so by opting in software to the latest security mitigation techniques. The result is that a wide variety of software is made significantly more resistant to exploitation – even against zero day vulnerabilities and vulnerabilities for which an update is not available or has not yet been applied. EMET offers protections for all currently supported Microsoft Windows operating systems, from Windows XP to Windows 8, and supports enterprise deployment, configuration, and monitoring.

EMET 4.0 offers improvements and new features based on the feedback we received from customers and on the new attacks that the ecosystem has faced over the last couple of years.

Following is a highlight of the new features that come with EMET 4.0:

  • Certificate Trust: Detects man-in-the-middle attacks that leverage fraudulent SSL certificates.
  • ROP mitigations: Block exploits that leverage the Return Oriented Programming exploitation technique.
  • Early Warning Program: Allows enterprise customers and Microsoft to analyze the details of an attack and respond effectively.
  • Audit Mode: Provides monitoring functionality for testing purposes.
  • Redesigned User Interface: Streamlines the configuration operations and provides accessibility.

Let’s dig into the details for each feature so you can see how to best utilize EMET 4.0 as part of your overall security toolbox.

Certificate Trust

The Certificate Trust feature allows you to configure a set of SSL certificate pinning rules that validate digitally signed certificates (SSL/TLS certificates) while browsing. It was introduced to detect man-in-the-middle attacks that leverage fraudulent SSL/TLS certificates. It allows you to configure a set of rules that match specific domains (through their SSL/TLS certificates) with the known Root Certificate Authority (Root CA) that issued the certificate. When EMET detects that the certificate presented for a pinned domain was issued under a different Root CA than the one configured, it reports this anomaly as an indicator of a potential man-in-the-middle attack. EMET 4.0 also comes with a pre-defined set of rules that aim to detect man-in-the-middle attacks against Microsoft and other popular online services, such as Twitter, Facebook, and Yahoo!.
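The following is an added illustration of the pinning check described above, not EMET's own code: a rule pairs a host name with the SHA-1 thumbprints of the Root CA(s) expected to issue its certificate, and an observed chain whose root is not in that set is flagged as an anomaly. The rule structure (exact host match, optional expiry date) and the certificate bytes are assumptions constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class PinRule:
    domain: str                      # exact host name the rule applies to
    root_thumbprints: frozenset      # SHA-1 thumbprints (hex) of the expected root CA(s)
    expires: Optional[date] = None   # assumed: the rule is no longer enforced after this date

def thumbprint(cert_der: bytes) -> str:
    """SHA-1 thumbprint of a DER-encoded certificate, in the form Windows displays."""
    return hashlib.sha1(cert_der).hexdigest().upper()

def evaluate_chain(rules, host, chain_der, today=None):
    """Compare the root of an observed chain against the pinning rule for host.

    chain_der is ordered leaf first, root last. Returns (verdict, detail), where
    verdict is 'unpinned', 'expired', 'ok' or 'anomaly'; 'anomaly' is the
    condition reported as a potential man-in-the-middle attack.
    """
    today = today or date.today()
    rule = next((r for r in rules if r.domain.lower() == host.lower()), None)
    if rule is None:
        return "unpinned", "no pinning rule for %s" % host
    if rule.expires is not None and today > rule.expires:
        return "expired", "rule for %s expired on %s" % (host, rule.expires)
    seen = thumbprint(chain_der[-1])
    if seen in rule.root_thumbprints:
        return "ok", seen
    return "anomaly", "root %s is not in the pinned set for %s" % (seen, host)

# Constructed sample data: stand-ins for DER certificates, not real certificates.
TRUSTED_ROOT = b"constructed DER bytes of the expected root CA"
ROGUE_ROOT = b"constructed DER bytes of an unexpected root CA"
LEAF = b"constructed DER bytes of the server certificate"

RULES = [
    PinRule("login.example.test", frozenset({thumbprint(TRUSTED_ROOT)}), date(2099, 1, 1)),
]

if __name__ == "__main__":
    print(evaluate_chain(RULES, "login.example.test", [LEAF, TRUSTED_ROOT]))  # ok
    print(evaluate_chain(RULES, "login.example.test", [LEAF, ROGUE_ROOT]))    # anomaly
```

In a real deployment the thumbprints come from the Root CA certificates in the machine's trusted root store, and the observed chain from the TLS handshake the browser completed.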

ROP Mitigations

With EMET 4.0 we introduced new mitigations that target the Return Oriented Programming (ROP) exploitation technique. ROP is a technique that allows an attacker to execute code even when other mitigations, such as Data Execution Prevention, are in place. Because this technique is widely used in today's exploits, we introduced these new mitigations so you can apply them to your applications and make them more resistant to this type of attack.

Early Warning Program

When an exploitation attempt is detected and blocked by EMET, a set of information related to the attack is prepared with the Microsoft Error Reporting (MER) functionality. If you collect error reports via tools like the Microsoft Desktop Optimization Pack (MDOP) or the Client Monitoring feature of System Center Operations Manager, these error reports are sent to the dedicated system on your network. You can use this information as an early warning mechanism for attacks detected on your network, and to investigate the details of those attacks. For organizations that typically send all error reports to Microsoft, this information adds to the set of indicators we use to hunt for attacks in the wild, and helps us remediate issues with security updates before vulnerabilities become a large-scale threat.

Audit Mode

When previous versions of EMET detected an exploitation attempt, they reported the attack via the EMET agent and then terminated the program to block the attack. In EMET 4.0, in response to customer feedback, you can configure EMET’s behavior when it detects and stops an exploitation attempt. The default option remains to terminate the application. However, if you want to test EMET in a production environment, you can instead switch to “Audit Mode” to report the exploitation attempt without terminating the process. This feature is helpful when you want to monitor potential compatibility issues between EMET and the applications you are protecting.

Redesigned User Interface

With EMET 4.0, we also improved the EMET user interface. Although the changes compared with previous versions are not substantial, the new user interface reduces the effort and number of clicks needed to configure the different EMET options. The UI also provides accessibility features, to allow equal access and equal opportunity to people with diverse abilities.

EMET 4.0 screenshot

Whether you already use EMET or have never tried it before, we strongly suggest that you download and install the latest version of the tool to benefit from the increased protection it offers for your system. If you need support with EMET, we provide a dedicated section on the TechNet Forums. If you have a Premier or Professional support contract, you can leverage those channels for additional assistance. Also, if you have any feedback, please don’t hesitate to send us an email!

About the Author

Gerardo Di Giacomo is a Security Program Manager with the Microsoft Security Response Center (MSRC) Software Security Incident Response team. Gerardo is also responsible for the release of the Enhanced Mitigation Experience Toolkit (EMET). Prior to joining Microsoft, Gerardo worked as a security consultant and trainer for Fortune 500 companies and government organizations in Italy, EMEA and Asia.
