EMET 5.0 comes with a new feature called Attack Surface Reduction that lets organizations selectively enable Java, Flash Player, and third-party plug-ins. An organization could set EMET to allow Java to run only for internal applications that need it while disabling Java execution in non-internal applications. It does much the same for Flash: "It lets you use Flash in the browser, but blocks Flash from executing in Excel" or other Office files, for example, says Jonathan Ness, principal security development manager for Microsoft Trustworthy Computing.
The new version also comes with a hardened version of EAF (Export Address Table Filtering) and enables the "deep hooks" mitigation by default, which stops the bypass attack demonstrated in research released yesterday by Bromium Labs that pokes holes in EMET 4.1.
"I'm eager to see the feedback on these" new features, Ness said in an interview. The feedback will help shape the tool's final form, he says.
The new features in EMET help block attacks Microsoft has found and analyzed over the past few months. "We've raised the bar for the attacker," Ness says. "Because of the shift in the landscape, it makes exploitation more difficult."
Dan Kaminsky, chief scientist of WhiteOps, says EMET is a useful defense tool for Windows machines because it can update security for Windows at a faster clip than the longer operating system update cycle. "It spurs the development of new features and defenses," Kaminsky says.
But EMET's main limitation is that it relies on known vectors of return-oriented programming (ROP) exploitation methods, says Rahul Kashyap, chief security architect and head of security research at Bromium.