The one security tool every Windows user should know about
Microsoft's Enhanced Mitigation Experience Toolkit (EMET) is a simple but powerful configuration utility that allows you to harden applications that weren't originally designed to take advantage of Windows security features. Here's how it works.
A new zero-day security hole in all versions of Windows is the subject of "targeted attacks," Microsoft says. The flaw, according to Microsoft Security Advisory 2488013, occurs when an attacker exploits "the creation of uninitialized memory during a CSS function within Internet Explorer." The result? "It is possible under certain conditions for the memory to be leveraged by an attacker using a specially crafted Web page to gain remote code execution."
The definitive fix for a vulnerability like this is a vendor-supplied patch. But what do you do while you're waiting for the patch? And how do you deal with vulnerabilities in legacy applications that can't be easily repaired?
That's the goal of Microsoft's Enhanced Mitigation Experience Toolkit (EMET), a simple but powerful configuration utility that allows you to harden applications that weren't originally designed to take advantage of Windows security features. EMET version 2 was released a few months ago and runs on all currently supported Windows client and server editions, including Windows 7, Windows Vista (Service Pack 1 or later), Windows XP (Service Pack 3), Windows Server 2008 R2, Windows Server 2008, and Windows Server 2003 (Service Pack 1 or later).
Although it's possible to configure some of these settings in other ways, EMET offers a straightforward, clean interface that works identically across multiple Windows versions. It's not a magic bullet, but it is an extremely potent addition to a thorough, in-depth approach to Windows security.
EMET gives you more granular control over Data Execution Prevention (DEP), a security feature that has been a part of Windows since XP Service Pack 2. Hardware-enforced DEP blocks the execution of code in memory locations that should contain only data, such as the stack or the heap, preventing a common form of exploit. Using EMET, you can turn on DEP for applications that were not originally compiled to be compatible with the feature. (For more on how DEP works, see the two-part "Understanding DEP as a mitigation technology" series on the Microsoft Security Research & Defense blog: Part 1, Part 2.)
You can also use EMET to overcome a limitation of Address Space Layout Randomization (ASLR). This feature is designed to prevent attackers from jumping to predictable memory addresses to exploit vulnerabilities in code. The problem with ASLR is that it works on a per-process basis; dynamic-link libraries (DLLs) associated with that process can still be located at predictable addresses, where vulnerabilities can be exploited. That's the attack vector used in the unpatched zero-day vulnerability I mention at the beginning of this post. EMET supports mandatory ASLR, which forces the relocation of DLLs associated with a process and thus blocks this entire class of exploits.
Other features in EMET mitigate common tricks that hackers use to exploit flaws in code, by blocking common "heap spraying" techniques and validating the exception handler chain before an exception handler is called.
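The DEP and ASLR discussion above turns on one question a defender wants answered before opting an application into EMET: did the vendor already compile the executable and its DLLs with these mitigations, or not? Both opt-ins are recorded in the DllCharacteristics field of the PE optional header. The following Python is an added example, not code from the article or from Microsoft's toolkit; it parses that field from raw PE header bytes, reports the ASLR (DYNAMIC_BASE) and DEP (NX_COMPAT) opt-ins, and names the EMET mitigations (DEP, MandatoryASLR) that would compensate for a missing one. The `make_pe` helper builds minimal, constructed header bytes so the example runs offline; `scan_file` applies the same parser to real files on disk.

```python
import struct
import sys

# DllCharacteristics bits from the PE/COFF specification.
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020  # 64-bit high-entropy ASLR
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040     # image opts into ASLR
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100        # image opts into DEP
IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400           # image uses no SEH handlers

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def pe_mitigation_flags(data: bytes) -> dict:
    """Parse the PE headers in `data` and report which mitigations the image
    opted into at link time. Raises ValueError for anything that is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # 20-byte COFF header
    (size_of_optional,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                                       # optional header start
    # DllCharacteristics sits at optional-header offset 70 for PE32 and PE32+.
    if size_of_optional < 72 or len(data) < opt + 72:
        raise ValueError("optional header too short")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "high_entropy_va": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "no_seh": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NO_SEH),  # informational
    }


def recommend_emet(flags: dict) -> list:
    """Name the EMET mitigations that supply what the image did not opt into."""
    recs = []
    if not flags["dep"]:
        recs.append("DEP")            # EMET forces DEP on for the process
    if not flags["aslr"]:
        recs.append("MandatoryASLR")  # EMET relocates non-ASLR images
    return recs


def make_pe(dll_chars: int, pe32plus: bool = False) -> bytes:
    """Constructed sample: the smallest header sequence the parser accepts."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    magic = PE32PLUS_MAGIC if pe32plus else PE32_MAGIC
    opt_size = 240 if pe32plus else 224
    machine = 0x8664 if pe32plus else 0x14C
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x2002)
    opt = (struct.pack("<H", magic) + b"\0" * 68 + struct.pack("<H", dll_chars)).ljust(opt_size, b"\0")
    return dos + b"PE\0\0" + coff + opt


def scan_file(path: str) -> dict:
    """Apply the parser to a real image on disk (headers only are needed)."""
    with open(path, "rb") as fh:
        return pe_mitigation_flags(fh.read(4096))


if __name__ == "__main__":
    # Usage: python emet_check.py app.exe helper.dll ...
    for p in sys.argv[1:]:
        try:
            f = scan_file(p)
            print(p, f, "EMET:", recommend_emet(f) or "nothing needed")
        except (OSError, ValueError) as exc:
            print(p, "skipped:", exc)
```

The parser reads only the first few kilobytes of each file, so it is cheap to run across an application's install directory; a DLL that comes back with `aslr: False` is exactly the kind of predictably located module the article describes, and `MandatoryASLR` in EMET is the corresponding switch.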
Installing Microsoft's Enhanced Mitigation Experience Toolkit (EMET) is straightforward for individual Windows PCs, although Microsoft acknowledges that the current version is "not convenient" to deploy in an enterprise setting. On Windows XP and Windows Server 2003, you must first ensure that the Microsoft .NET Framework 2.0 is installed. There are no prerequisites for other supported Windows versions.