Wednesday, September 29, 2010

EMET for the win

Relatively recently (well, given my lapse in posting at least) Microsoft have scored a big win with the release of their EMET tool (Enhanced Mitigation Experience Toolkit), against a backdrop of Adobe 0-days flying around. For anyone running a Windows based OS, I strongly recommend having a play around with this tool. I was testing it on a Windows 7 host, but it will work on Vista, Windows XP (SP3+) and Windows Server 2003 and beyond. This tool enables users to apply DEP and ASLR to multiple applications, including legacy applications, effectively acting as a 'wrapper' (for want of a better term). Having tried this tool out I must say I am very impressed. It is easy to use and deploy, with minimal hiccups.

One quirk worth noting is that if you are running BitLocker (as I was on my W7 build), then after applying EMET it will prompt you for your recovery keys on every reboot. The solution is to suspend BitLocker, reboot, then unsuspend BitLocker (thanks to my co-worker Ed Luck for finding this fix and for putting me onto this tool).
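The suspend / reboot / resume workaround above, scripted so the resume step is not forgotten. This is an added example, not code from the post or from Microsoft's EMET package; it assumes the OS volume is C:, that manage-bde.exe and schtasks.exe are present (Windows 7 / Server 2008 R2 and later), that it runs from an elevated prompt, and that it is saved to disk so the scheduled resume step can find itself. The task name is a made-up label.

```powershell
<#
Added example (not from the original post): automates the BitLocker
suspend -> reboot -> resume workaround for the EMET recovery-key prompt.
Assumptions: OS volume is C:, run elevated, script saved to a file.
#>
param([switch]$Resume)

$Volume   = 'C:'
$TaskName = 'ResumeBitLockerAfterEMET'   # hypothetical task name

function Get-ProtectionState {
    # Parse the "Protection Status: Protection On|Off" line of manage-bde -status
    $line = manage-bde -status $Volume | Select-String 'Protection Status'
    if ("$line" -match 'Protection (On|Off)') { return $Matches[1] }
    throw "Could not read BitLocker status for $Volume"
}

if ($Resume) {
    # Post-reboot step: re-enable the key protectors and remove the one-shot task.
    manage-bde -protectors -enable $Volume | Out-Null
    schtasks /Delete /TN $TaskName /F | Out-Null
    Write-Host "BitLocker protection on $Volume is now: $(Get-ProtectionState)"
    return
}

if ((Get-ProtectionState) -ne 'On') {
    Write-Host "BitLocker protection is not on for $Volume; nothing to suspend."
    return
}

# Step 1: suspend BitLocker by disabling its key protectors. The volume stays
# encrypted; this only lets the next boot proceed without the recovery prompt.
manage-bde -protectors -disable $Volume | Out-Null

# Step 2: schedule this same script to run as SYSTEM at the next startup with
# -Resume, so protectors are re-enabled without relying on an interactive logon.
$self = $MyInvocation.MyCommand.Path
schtasks /Create /TN $TaskName /SC ONSTART /RU SYSTEM /F `
    /TR "powershell.exe -ExecutionPolicy Bypass -File `"$self`" -Resume" | Out-Null

# Step 3: reboot; the -Resume branch above runs at the following boot.
Restart-Computer -Force
```

Check `manage-bde -status C:` after the second boot to confirm "Protection On" before treating the host as compliant again.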

I think this should be in the arsenal of every Windows system admin out there. Virtually every enterprise is running these operating systems and most of them have easy methods of deploying this. Even if you were to only ensure the core applications were protected (stuff like Office applications, browsers, Adobe and so on) you would knock on the head a good portion of the 'highly targeted' applications.

NOTE: ASLR + DEP is not a panacea for all your ills. Examples of defeating both are documented and widely known in the right circles.

That said, in terms of reducing the attack landscape Microsoft are continuing to push the boundaries and make it increasingly difficult for exploits to work.

Kudos to Microsoft for the good work.

- J.
