Zero Day

Ryan Naraine and Dancho Danchev

Microsoft ships anti-exploit tool for IT admins

By Ryan Naraine | July 28, 2010, 12:07pm PDT

Summary: The tool, called Enhanced Mitigation Experience Toolkit (EMET) works by applying security mitigation technologies to arbitrary applications to block against exploitation through common attack vectors.

LAS VEGAS — Microsoft today released a new tool to help IT administrators backport anti-exploit mitigations like ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention) to older versions of Windows.

The tool, called Enhanced Mitigation Experience Toolkit (EMET) works by applying security mitigation technologies to arbitrary applications to block against exploitation through common attack vectors.

In addition to implementing ASLR and DEP on older versions of the Windows operating system, Microsoft said EMET will also add anti-exploit mitigations to existing third-party software that does not currently opt in to them.

“This helps to protect against successful exploitation of vulnerabilities without available fixes,” says Mike Reavey, a director in Microsoft’s Security Response Center (MSRC).

ASLR and DEP, which serve as defense-in-depth roadblocks during exploitation, are built into newer versions of Windows, but they only protect applications that opt in to them at build time.

EMET supports both 32- and 64-bit applications and turns on specific protection mechanisms for already-compiled binaries, without recompiling them. It adds the following mitigations to applications that do not support them natively:

  • Structured Exception Handler Overwrite Protection (SEHOP) blocks the classic SEH-overwrite technique by validating the exception handler chain before a handler is dispatched.
  • Dynamic Data Execution Prevention (DEP) marks portions of a process’s memory non-executable, so injected shellcode cannot be run directly and memory corruption bugs become harder to exploit.
  • NULL page allocation reserves the first page of memory before the program initializes, so an attacker cannot map controlled data at address zero and turn a user-mode NULL pointer dereference into code execution.
  • Heap Spray Allocation pre-allocates the addresses that heap-spray exploits commonly target, blocking attacks that fill a process’s heap with crafted content and then jump into it.
  • Mandatory address space layout randomization (ASLR) forces load-address randomization even for modules that were not built as ASLR-aware (not linked with /DYNAMICBASE), on Windows Vista, Windows Server 2008 and Windows 7.
  • Export Address Table Access Filtering (EAF) uses hardware breakpoints to filter reads of the export address table (EAT) of kernel32.dll and ntdll.dll, blocking the access if the instruction pointer is not inside a loaded module; since shellcode typically locates API functions by walking these tables, this breaks common Metasploit shellcodes.
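Deciding which applications actually need EMET starts with checking which of the link-time opt-ins (/DYNAMICBASE for ASLR, /NXCOMPAT for DEP) a binary already carries. The script below is an added example, not part of the article or of EMET itself: it reads the DllCharacteristics field of the PE optional header with nothing but the standard library and reports what is missing. The images it audits are header-only PE blobs constructed inline for the demonstration (`build_test_pe` is a helper written for this example); pass the bytes of a real .exe or .dll to `audit_pe` to check production binaries.

```python
"""Audit whether a PE binary opted in to ASLR and DEP at link time.

Added example: EMET exists because many third-party binaries were linked
without /DYNAMICBASE or /NXCOMPAT, so the OS-wide ASLR/DEP support never
applies to them. The two flag bits live in the optional header's
DllCharacteristics field, at the same offset in PE32 and PE32+ layouts.
"""
import struct

DOS_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64"}

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification
DYNAMIC_BASE = 0x0040   # linked with /DYNAMICBASE -> ASLR-aware
NX_COMPAT = 0x0100      # linked with /NXCOMPAT    -> DEP-aware
NO_SEH = 0x0400         # image declares that it uses no SEH handlers


def audit_pe(image):
    """Return {'machine', 'aslr', 'dep', 'no_seh'} for a PE image in memory.

    Raises ValueError on anything that is not a well-formed PE header.
    """
    if len(image) < 0x40 or image[:2] != DOS_MAGIC:
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("missing PE signature")
    file_hdr = e_lfanew + 4                      # IMAGE_FILE_HEADER, 20 bytes
    if len(image) < file_hdr + 20:
        raise ValueError("truncated file header")
    machine, _nsec, _ts, _psym, _nsym, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", image, file_hdr)
    opt_hdr = file_hdr + 20                      # IMAGE_OPTIONAL_HEADER
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ layouts
    if opt_size < 72 or len(image) < opt_hdr + 72:
        raise ValueError("optional header too short")
    (magic,) = struct.unpack_from("<H", image, opt_hdr)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (dll_chars,) = struct.unpack_from("<H", image, opt_hdr + 70)
    return {
        "machine": MACHINE_NAMES.get(machine, "0x%04x" % machine),
        "aslr": bool(dll_chars & DYNAMIC_BASE),
        "dep": bool(dll_chars & NX_COMPAT),
        "no_seh": bool(dll_chars & NO_SEH),
    }


def missing_mitigations(report):
    """Which link-time opt-ins the binary lacks, i.e. what an administrator
    would have to force onto the process with a tool like EMET."""
    missing = []
    if not report["aslr"]:
        missing.append("ASLR")
    if not report["dep"]:
        missing.append("DEP")
    return missing


def build_test_pe(machine, dll_chars):
    """Construct a header-only PE image (no sections) for the demonstration."""
    pe32plus = machine == 0x8664
    dos = bytearray(0x40)
    dos[:2] = DOS_MAGIC
    struct.pack_into("<I", dos, 0x3C, 0x40)      # e_lfanew: NT headers follow
    opt_size = 240 if pe32plus else 224
    file_hdr = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + PE_SIGNATURE + file_hdr + bytes(opt)


if __name__ == "__main__":
    # Constructed samples: a legacy x86 binary with no opt-ins and a modern
    # x64 one linked with both flags. Use open(path, "rb").read() for real files.
    samples = {
        "legacy.exe": build_test_pe(0x014C, 0),
        "modern.exe": build_test_pe(0x8664, DYNAMIC_BASE | NX_COMPAT),
    }
    for name, img in samples.items():
        rep = audit_pe(img)
        print(name, rep, "needs forcing:", missing_mitigations(rep))
```

A binary that reports both flags set still benefits from SEHOP, the NULL page reservation, heap-spray pre-allocation and EAF, which have no link-time equivalent; the flag check only tells you which processes the OS would otherwise leave without ASLR or DEP.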


Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a security evangelist. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

Talkback (6 comments)

  • RE: Microsoft Ships Anti-Exploit Tool for IT Admins
    "The tool, called Enhanced Mitigation Experience Toolkit (EMET) works by applying security mitigation technologies to arbitrary applications to block against exploitation through common attack vectors."

    Wow! That sounds like it came right out of a manual or off a spec sheet. Explain, you mean it blocks ports, logs activity on, and restricts file permissions for third party and legacy Microsoft products to hopefully prevent them from being vulnerable without completely keeping them from running? ...or is there some other magical process involved. I realize there are a lot of hack MCSEs out there that need a nice wizard to do their job. But this sounds like big words for something most of us do already. It would be a lot easier if they didn't hide behind the business jargon.
    Socratesfoot
    28th Jul 2010
  • Oh my
    @Socratesfoot

    SEHOP, NX, Null Page, Anti-Heap Spray, ASLR and EAT have nothing to do with what an administrator already does. Please read up on the topic before ranting, ok?

    These mitigations should really be pre-compiled into the executables by the app developers (i.e. not the admins). What these tools do is to enhance security-ignorant apps in their binary form with advanced anti-exploit mechanisms. Quite unique, actually.

    And it has nothing to do with permissions or other rights.

    The objective of these techniques is to prevent malicious code from being able to execute, even if an executable contains a memory corruption vulnerability.
    honeymonster
    28th Jul 2010
  • RE: Microsoft Ships Anti-Exploit Tool for IT Admins
    @honeymonster ...See would it have been so hard to say that though? That's my point. I understand there is more explanation at the end breaking features down as bulleted items. But statements like, "applying security mitigation technologies to arbitrary applications to block against exploitation" can be broadly interpreted to be any number of control methods. Are you sandboxing the apps? This article left me wondering, while your explanation was easily understandable and succinct.

    Oh...and thank you for that.
    Socratesfoot
    29th Jul 2010
  • RE: Microsoft Ships Anti-Exploit Tool for IT Admins
    @Socratesfoot

    Ok, sorry I came out so strong then. I see your point. I also got the feeling that Ryan doesn't quite understand these topics. If he did he could have been a bit more precise.

    On that note, these techniques take aim at a very critical point of vulnerability exploitation.

    When an application (or OS) has a memory corruption vulnerability it is not automatically or trivially exploitable, and the technique leading to a successful exploit will vary depending on the actual bug.

    With a buffer overflow the attacker may try to overwrite the stack so that when the program flow returns (and takes the return address from the stack) the flow will "return" into the attacker's malicious code. This is the most brittle part of any exploit.

    And these techniques take aim at making it very, very difficult (or extremely unlikely) that the attacker can succeed, even if he has discovered a memory corruption.

    One of the most obvious is NX. All but the most advanced apps are designed to take data from the outside, not code. On the binary level code may look like data, and indeed exploits typically will involve the attacker passing code as though it was data. NX ensures that "data" is labeled as such and that any attempt to execute it as code will immediately trigger a fault condition and tear down the process before it can do harm.

    Likewise with the other techniques. ASLR was the next round: When the attackers found that it became hard to inject code (passing it as data) they instead scoured the already loaded code for instruction combinations which could allow them to gain control if executed. The response to this was ASLR, whereby an attacker cannot rely on certain code being located at a specific address. Basically load addresses are randomized.

    And so on for the rest of the techniques.
    honeymonster
    29th Jul 2010
  • I don't think you were ranting
    I do think he is over sensitive...
    beededea
    29th Jul 2010
  • Volvo v70
    it is the best comment
    gautam0001
    30th Jul 2010
