Microsoft EMET 3.5 Tech Preview is up

Discussion in 'Security' started by mechBgon, Jul 26, 2012.

  1. mechBgon

    mechBgon Super Moderator, Elite Member

    Joined:
    Oct 31, 1999
    Messages:
    30,699
    Likes Received:
    0
    Info and a download link for the preview release of EMET 3.5 is available here: http://blogs.technet.com/b/srd/arch...urity-mitigations-from-the-bluehat-prize.aspx

    EMET has two functions. One is to provide an easy way to toggle OS settings (DEP, ASLR, SEHOP) that your OS supports. I suggest these settings:

    [image]

    The other is to add exploit resistance to any apps you choose to protect with the "Configure Apps" feature.

    The 3.5 Tech Preview version has some new protective options available. If you install EMET 3.5 TP, and click "Configure Apps", the new protections are in the ROP tab. They're not enabled by default because some of them could clash with your software. My recommendation is to

    1. In Configure Apps, add all the software you want EMET enhancement for. Browsers, media players, Office-type software, IM/VoIP, email clients, PDF readers, and if you're one of those unfortunate souls with Java installed, definitely Java!

    2. Go to the ROP tab and enable all the ROP tweaks for the software you added.

    3. Test your software and see if it has any hangups with the ROP tweaks. If so, make exceptions as needed. EMET 3.5 TP will put up a pop-up alert saying what tweak is being violated, so you know what ROP goodie needs to be turned off for that particular software.


    Borrowing from the current Microsoft MSRC Progress Report (PDF), this graph shows how EMET 2.1 affected exploit success on WinXP against 184 exploits they threw at it:

    [image]

    I think the Win7 shown in the graph is just plain Win7 without EMET. Anyway, for a freebie app, it's worth having. I've daringly EMET'ed most of the executables on my Win7 systems, including the stuff in the Windows directories, with few problems (MMC.exe won't tolerate EAF mitigation, and as always, some software needs exceptions made to DEP protection). Use caution before going down that road, but you can certainly score some easy wins by protecting your Internet-aware software as mentioned above.

    If you have Win7 but run WinXP Mode on it for legacy-app support, you can install EMET on your WinXP Mode virtual machine for a boost in security.
     
    #1 mechBgon, Jul 26, 2012
    Last edited: Jul 26, 2012


  3. Jjoshua2

    Jjoshua2 Senior member

    Joined:
    Mar 24, 2006
    Messages:
    627
    Likes Received:
    0
    So does this provide a security benefit with browsers like Chrome? I saw a Google engineer said that EMET v3 didn't provide any security boost since it already used everything, but presumably the new ROP stuff would be helpful? I'm running it with Chrome and it seems to be compatible, unlike v3 when it first came out.
     
  4. mechBgon

    mechBgon Super Moderator, Elite Member

    Joined:
    Oct 31, 1999
    Messages:
    30,699
    Likes Received:
    0
    Do you remember where you read that? If it were me, I'd go ahead and add all browsers to the protection list regardless.
     
  5. eliasb

    eliasb Junior Member

    Joined:
    Jul 27, 2012
    Messages:
    1
    Likes Received:
    0
    mechBgon, EMET 3.5 has been tested with Chrome, Firefox, Aurora, Opera.

    It even works with Visual Studio :p

    This is a tech preview and we expect some compatibility issues; please feel free to write to EMET support if you spot something.

    Thanks,
    Elias
     
  6. mechBgon

    mechBgon Super Moderator, Elite Member

    Joined:
    Oct 31, 1999
    Messages:
    30,699
    Likes Received:
    0
    So far it's been smooth sailing on Win7 x64 with the software I use at home and at work. Microsoft's MMC.exe, as I mentioned, needs EAF disabled or it'll crash on launch.

    If you guys want to top yourselves, create a vulnerability checkup like Secunia's PSI, but make it free for business use. Maybe you could build this into MBSA?
     
  7. Jjoshua2

    Jjoshua2 Senior member

    Joined:
    Mar 24, 2006
    Messages:
    627
    Likes Received:
    0
    EMET [v3] does not provide any additional protection for Chrome.
    http://blog.chromium.org/2010/11/compatibility-issues-with-emet.html

    The new ROP stuff might. It would be nice to hear from a security expert at Google.

     
  8. Emulex

    Emulex Diamond Member

    Joined:
    Jan 28, 2001
    Messages:
    9,759
    Likes Received:
    0
    Where do you get EMET 3.5 profiles? allrop2.xml?
     
  9. mechBgon

    mechBgon Super Moderator, Elite Member

    Joined:
    Oct 31, 1999
    Messages:
    30,699
    Likes Received:
    0
    They included three of their own, but I made my own by manually adding software executables in the Configure Apps section. As you noticed, the ROP mitigations are all disabled by default, and it's a hassle to manually check all those checkboxes. Instead, try this:

    1. Add the programs you want in Configure Apps*. I scrounge my Program Files and Program Files (x86) directories for likely targets, and also look at the running-task list in EMET for stuff to add.

    2. Go into Configure Apps and click File > Export... and export the current config to a file.

    3. Open the file in Notepad and hit Ctrl+H for the "find-and-replace" feature. Replace false with true throughout the file, then save it.

    4. Now in EMET, do a File > Import of that file, and all the ROP stuff will be toggled on after a moment or two.


    *On Win7, I also added everything in the Windows and System32 directories to see what would happen, and it pretty much works except you'll need to leave MMC.exe exempt from the EAF mitigation. Might want to set a System Restore point first, in case your Windows is less cooperative.
     
    #8 mechBgon, Aug 15, 2012
    Last edited: Aug 15, 2012
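The export / replace-false-with-true / import trick in the post above, as an added PowerShell example (not part of the thread, and not Microsoft's or EMET's own tooling). It goes slightly beyond the Notepad version: instead of flipping every "false" in the file blindly, it logs each switch it changes and leaves alone any application entry that names an executable you want exempt, such as MMC.exe, which the thread says needs EAF off. Because the thread never shows the exported XML, the script makes two labelled assumptions: that the export is well-formed XML in which each mitigation switch is an attribute holding the literal string "false" or "true" (the Notepad trick depends on the same thing), and that an application entry carries the executable's name or path in one of its own attributes. The file path, the `.allrop.xml` output name and the `-SkipExecutables` parameter are the example's own inventions.

```powershell
<#
  Added example, not EMET's own code. Flips every "false" mitigation switch in an
  exported EMET 3.5 configuration to "true", skipping entries for named executables,
  and writes a new file for you to review and then File > Import in Configure Apps.

  Assumptions (the page does not show the export format):
    - each mitigation switch is an XML attribute whose value is "false" or "true";
    - an application entry names its executable in one of its attributes.
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$Path,                                   # exported config, e.g. C:\Temp\emet-export.xml (assumed path)
    [string]$OutPath = [System.IO.Path]::ChangeExtension($Path, '.allrop.xml'),
    [string[]]$SkipExecutables = @('mmc.exe'),       # entries to leave untouched (MMC.exe crashes with EAF on)
    [switch]$WhatIf                                  # list the changes, write nothing
)

[xml]$doc = Get-Content -LiteralPath $Path -Raw

# Keep an untouched copy beside the original so the change can be undone by re-importing it.
$backup = "$Path.bak"
if (-not (Test-Path -LiteralPath $backup)) {
    Copy-Item -LiteralPath $Path -Destination $backup
}

# Materialise the XPath result before editing, so changing values cannot disturb the enumeration.
$switches = @($doc.SelectNodes('//@*[. = "false"]'))
$changed = 0
$skipped = 0

foreach ($attr in $switches) {
    # .psbase bypasses PowerShell's XML adapter, so an attribute literally named "Name"
    # cannot shadow the element's real tag name.
    $element = $attr.OwnerElement
    $where   = '{0}/@{1}' -f $element.psbase.Name, $attr.psbase.Name

    # Attribute values on this element and every ancestor: if any of them names a
    # skipped executable (bare name or full path), the whole entry is left alone.
    $context = @($element.SelectNodes('ancestor-or-self::*/@*') | ForEach-Object { $_.Value })
    $hit = $context | Where-Object {
        $value = $_
        $SkipExecutables | Where-Object { $value -match ('(^|[\\/])' + [regex]::Escape($_) + '$') }
    }

    if ($hit) {
        $skipped++
        Write-Host ('skip  {0}  (entry for {1})' -f $where, ($hit | Select-Object -First 1))
        continue
    }

    Write-Host ('flip  {0}: false -> true' -f $where)
    if (-not $WhatIf) { $attr.Value = 'true' }
    $changed++
}

Write-Host ('{0} switch(es) flipped, {1} left alone' -f $changed, $skipped)
if (-not $WhatIf) {
    $doc.Save($OutPath)
    Write-Host "Written to $OutPath. Review it, then import it with File > Import in Configure Apps."
}
```

Run it first with `-WhatIf` to see what it would change; the listing is the point, because a wholesale find-and-replace in Notepad also re-enables any mitigation you had deliberately exempted (the DEP exceptions the first post mentions, for instance), and you will want to put those back before importing. Open the written `.allrop.xml` in EMET with File > Import exactly as in step 4 of the post, and keep the `.bak` copy for a quick rollback if some program objects to the ROP checks.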