This article in our series focused on Microsoft’s free security tools is on the Enhanced Mitigation Experience Toolkit (EMET). EMET is a very popular security tool among the CISOs and security professionals I talk to because it helps them manage security mitigations for applications running in their environments. Security mitigations like Address space layout randomization (ASLR) and Data Execution Prevention (DEP) can help make vulnerabilities very hard or even impossible to exploit reliably.
Since security mitigation technologies like ASLR, DEP, Structured Exception Handler Overwrite Protection (SEHOP), and others, are built into Windows, application developers can opt to use these technologies to help protect their users from exploitation. For example, to enable ASLR for an application, software developers need to build their application with the /DYNAMICBASE linker flag – this is an option in the integrated development environment (like Visual Studio) they use to develop their applications. To enable DEP support for applications, software developers should use the /NXCOMPAT linker flag or call the SetProcessDEPPolicy function in the code for their application. Enabling these mitigations generally has no performance impact on the applications. In Visual Studio 2010, for example, both the /DYNAMICBASE and /NXCOMPAT linker flags are turned on by default.
How many applications are using these security mitigations? Research we did for the SDL Progress Report suggests that while many of the world’s most popular applications are taking advantage of some of the security mitigations built into Windows operating systems, many still are not. The four figures below are from the SDL Progress Report where we surveyed the DEP and ASLR settings for the latest versions (at the time) of 41 popular consumer applications that are used by millions of users worldwide. Through this process we found that 71% of the applications surveyed fully enabled support for DEP but only 34% of the applications fully enabled support for ASLR.
Figure 1 (on left): Percentage of applications that fully enable, partially enable, or do not enable ASLR; Figure 2 (on right): Percentage of applications that fully enable, partially enable, or do not enable ASLR by market segment
Figure 3 (on left): Percentage of surveyed applications that enabled DEP; Figure 4 (on right): Percentage of applications that enable or do not enable DEP by market segment
What about the millions of other applications such as line of business applications and applications that organizations develop in-house? Do you know if the applications that you have in your environment are using these security mitigations? Are the ISVs you are procuring your applications from using these mitigations in the applications they are developing? If you discovered that one of your line of business applications did not use these mitigations, and you don’t have access to the source code or the ISV that developed the application, what can you do? This is where EMET can help and why so many of the security professionals I talk to are excited about this tool.
EMET can be used to provide protection for individual applications in your environment. For example, I ran EMET on a system and it helped to immediately identify the running processes that were not using DEP. One of these applications allows the user to receive files from a scanner connected to the network. EMET allowed me to enable DEP on this application without requiring recompiling it or getting a new version of the application from the vendor that developed it. This is especially handy for deploying mitigations on older software that was written before the mitigations were available and where source code is not currently available.
Figure 5 (left): The EMET user interface showing the processes currently running that are using DEP as well as those that are not; Figure 6 (right): Configuring EMET to protect a process that was not using DEP
Figure 7: EMET enabled DEP on the specified process without requiring a recompile or access to the source code
You might be wondering how effective EMET really is? To assess the effectiveness of EMET in addressing a number of commonly exploited vulnerabilities, we published the results of a new study on EMET in the latest Microsoft Security Intelligence Report (volume 12). Microsoft researchers collected a sample of 184 application exploits that had been sent to Microsoft from customers worldwide. All exploits targeted vulnerabilities in popular applications running on one or more versions of Windows. The researchers tested each exploit against Windows XP SP3 in an out-of-the-box configuration, Windows XP SP3 with EMET deployed, and the release-to-manufacturing (RTM) version of Windows 7 in an out-of-the-box configuration. Note that none of the exploits tested, attempt to exploit vulnerabilities in Windows – they all attempt to exploit vulnerabilities in applications running on Windows. Figure 8 shows the results of these tests.
Figure 8: The effectiveness of 184 exploits for popular applications on Windows XP, Windows XP with EMET deployed, and Windows 7
- By a large margin, the highest success rates for the exploits tested involved Windows XP without EMET installed. All but three of the 184 exploits tested succeeded on Windows XP in this configuration. Again, all of the exploits tested were designed to exploit applications, not Windows operating systems.
- Deploying EMET drastically reduces the effectiveness of exploits on Windows XP. Only 21 of 184 exploits succeeded on Windows XP with EMET deployed.
- Ten of the 184 exploits tested succeeded on Windows 7 RTM.
The data suggests that system administrators can significantly reduce their attack surface now by upgrading to the latest versions of their operating system and application software or by deploying EMET, or both.
Until recently one of the biggest obstacles to using EMET in large environments was deployment – it was challenging to scale across thousands of systems. In May of 2012 EMET version 3.0 was released; version 3.0 of EMET includes built-in support for enterprise deployment and configuration technologies. This enables administrators to use Group Policy or System Center Configuration Manager (SCCM) to deploy, configure and monitor EMET installations across large scale enterprise environments.
Even more recently a Tech Preview of EMET version 3.5 was released. This version of EMET has support for four new return oriented programming (ROP) mitigations. You can read all the details on this functionality on the Microsoft Security Research and Defense blog: http://blogs.technet.com/b/srd/archive/2012/07/24/emet-3-5-tech-preview-leverages-security-mitigations-from-the-bluehat-prize.aspx
If you are responsible for helping to secure the applications in your organization’s environment or simply want to audit the applications running on your system(s) at home, I recommend that you evaluate EMET.
Free resources to help:
- EMET version 3.0 download: http://www.microsoft.com/en-us/download/details.aspx?id=29851
- EMET version 3.0 article: http://blogs.technet.com/b/srd/archive/2012/05/15/introducing-emet-v3.aspx
- EMET version 3.5 Tech Preview download: http://www.microsoft.com/en-us/download/details.aspx?id=30424
EMET version 3.5 Tech Preview article: http://blogs.technet.com/b/srd/archive/2012/07/24/emet-3-5-tech-preview-leverages-security-mitigations-from-the-bluehat-prize.aspx
- EMET video: http://technet.microsoft.com/en-us/security/ff859539.aspx
Director, Trustworthy Computing
Read other parts of this series
Part 1: Microsoft’s Free Security Tools – Series Introduction
Part 2: Microsoft’s Free Security Tools – Attack Surface Analyzer
Part 3: Microsoft’s Free Security Tools – Enhanced Mitigation Experience Toolkit