Windows 10 Cannot Protect Insecure Applications Like EMET Can

[Batu69]

Recently, Microsoft published a blog post called Moving Beyond EMET that appears to make two main points: (1) Microsoft will no longer support EMET after July 31, 2018, and (2) Windows 10 provides protections that make EMET unnecessary. In this blog post, I explain why Windows 10 does not provide the additional protections that EMET does and why EMET is still an important tool to help prevent exploitation of vulnerabilities.

 

EMET Protections and How They Are Applied

To compare protections of a Windows-with-EMET system against a stock Windows 10 system, it's important to first enumerate the protections that EMET 5.51 provides:

System-Wide Protection

• Data Execution Prevention (DEP)
• Structured Exception Handler Overwrite Protection (SEHOP)
• Address Space Layout Randomization (ASLR)
• Certificate Trust (Pinning)
• Block Untrusted Fonts (Fonts)

The system-wide DEP, SEHOP, and ASLR settings in EMET are provided by the Windows operating system itself. That is, the benefit of EMET for these settings is simply that it acts as a unified GUI application to make these changes in your system.

Application-Specific Protection

• Data Execution Prevention (DEP)
• Structured Exception Handler Overwrite Protection (SEHOP)
• Null Page Allocation (NullPage)
• Heapspray Allocations (HeapSpray)
• Export Address Table Access Filtering (EAF)
• Export Address Table Access Filtering Plus (EAF+)
• Mandatory Address Space Layout Randomization (ASLR)
• Bottom-Up Randomization (BottomUpASLR)
• ROP Mitigations
  • LoadLib
  • MemProt
  • Caller
  • SimExecFlow
  • StackPivot
• Attack Surface Reduction (ASR)
• Block Untrusted Fonts (Fonts)

Application-specific EMET mitigations are applied by loading the EMET library into the process space of each protected application when it is launched. Here, the EMET library can modify the behavior of the target application by providing additional protections. The application-specific-protection capability provided by EMET is where EMET really adds value. Because we cannot rely on all software vendors to produce code that uses all of the exploit mitigations available, EMET puts this control back in our hands.

 

Detailed descriptions of these protections can be found in the EMET 5.5 User's Guide.

Visualizing Protections With and Without EMET

To help visualize what EMET can do for us, it is useful to enumerate the exploit mitigations for various Windows versions, both with and without EMET.

When it comes to system-wide mitigations, there's not much of a difference between a Windows system that has EMET installed and a stock Windows system that has had the mitigations enabled manually. This comparison, illustrated in the figure below, makes the true benefit of EMET clear: application-specific mitigations.

 

 

It is pretty clear that an application running on a stock Windows 10 system does not have the same protections as one running on a Windows 10 system with EMET properly configured. Even a Windows 7 system with EMET configured protects your application more than a stock Windows 10 system.

Analyzing Microsoft's Statement

The Microsoft Blog entry Moving Beyond EMET makes the following statement:

Windows 10 includes all of the mitigation features that EMET administrators have come to rely on such as DEP, ASLR, and Control Flow Guard (CFG) along with many new mitigations to prevent bypasses in UAC and exploits targeting the browser.

 

Let's look at the language used and analyze what Microsoft is actually saying and how people may interpret the sentence.

 

Fact: Windows 10 supports DEP, ASLR, and Control Flow Guard (CFG).
Fiction: Windows 10 makes EMET irrelevant.

In Defense of EMET

Microsoft's statement above overlooks the primary reason for someone to run EMET. In particular, users running EMET to protect applications that do not opt in to all of the exploit mitigations that it should. Even though the underlying Windows operating system supports a mitigation, doing so does not necessarily mean that it will be applied to an application.

 

Developer adoption of exploit mitigations takes place at a slower rate than we'd like to see. For example, even Microsoft does not compile all of Office 2010 with the /DYNAMICBASE flag to indicate compatibility with ASLR. What is the impact? An attacker may be able to work around ASLR by causing a non-DYNAMICBASE library to be loaded into the process space of the vulnerable application, potentially resulting in successful exploitation of a memory corruption vulnerability. What do we do to protect ourselves against this situation? We run EMET with application-specific mitigations enabled!

The Windows 10 EMET Fallacy

Microsoft strongly implies that if you are running Windows 10, there is no need for EMET anymore. This implication is not true. The reason it's not true is that Windows 10 does not provide the application-specific mitigations that EMET does.

 

Windows 10 does indeed provide some nice exploit mitigations. The problem is that the software that you are running needs to be specifically compiled to take advantage of them. Control Flow Guard (CFG) looks to provide similar protections to the ROP application-specific mitigations in EMET. The problem is that the application needs to be specifically compiled to take advantage of CFG. Out of all of the applications you run in your enterprise, do you know which ones are built with CFG support? If an application is not built to use CFG, it doesn't matter if your underlying operating system supports CFG or not.

 

Update (November 21, 2016)

Windows 10, version 1607 and Windows Server 2016 do support some application-specific mitigations. In particular, DEP, SEHOP, ASLR, and BottomupASLR. The table above has been updated to reflect this information. Setting these application-specific mitigations requires calculating and setting a bit field value in the Windows registry for each process name that you would like to protect. Please see Override Process Mitigation Options to help enforce app-related security policies for more details.

EMET and Its End of Life

Microsoft has announced that they will no longer support EMET beyond July 31, 2018. Some may use this end-of-life (EOL) statement as an excuse for not deploying EMET. If this is the case, it would be wise to investigate all of the software that is currently outside of the support window before July 31, 2018.

 

If you are lucky enough that all of your applications are within their support cycle, EMET provides protections against exploitation of new and unknown memory-corruption vulnerabilities, known as "zero-days."

 

Microsoft applications that will lose support a year before EMET are listed in Products Reaching End of Support for 2017. Office 2007 is in this list, for example. With such out-of-support applications, it is even more important to provide additional exploit protection with a product like EMET. When a vulnerability is discovered in a product outside of its support cycle, this vulnerability is referred to as a "forever-day." That is, the vulnerability will never be fixed.

 

Just because Microsoft will stop supporting EMET after July 31, 2018 does not mean that the application will stop working beyond that date. It will likely continue to operate in the same way that it has been working all along. This EOL date simply means that you will not be able to get assistance from Microsoft after that date.

Mitigations Without EMET

As mentioned earlier, many of the system-wide mitigations exposed by EMET are actually provided by the underlying Windows operating system. The primary mitigations that can be enabled globally are DEP and ASLR.

DEP

System-wide DEP can be configured using the BCDEdit utility. Microsoft indicates, "Before setting BCDEdit options you might need to disable or suspend BitLocker and Secure Boot on the computer." To change the DEP setting to AlwaysOn, in a CMD prompt with administrative privileges run

bcdedit.exe /set {current} nx AlwaysOn

ASLR

System-wide ASLR can be configured by importing the following registry value:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
"MoveImages"=dword:ffffffff

Notes for System-Wide Settings

EMET is not required for setting the above system-wide mitigations for DEP and ASLR. Enabling these features will make Windows more secure than the default configuration. However, the system-wide mitigations are less granular than what is available with EMET. In particular, if an application that you need to run is incompatible with a particular mitigation, it may not be possible to allow that application to run when the system-wide mitigations are in place. On a system with EMET, however, the system-wide mitigations can be relaxed, and compatible application-specific mitigations can be applied on a program-by-program basis.

Conclusions and Recommendations

While EMET itself is a free tool, successful deployment of it takes some work. But there are rewards to be reaped from this work.

• From an exploit mitigation perspective, upgrading to Windows 10 is a good idea.
• Installing EMET with application-specific mitigations configured is also a good idea.
• EMET provides some protection against zero-day vulnerabilities in supported software, as well as forever-day vulnerabilities in unsupported software.
• If the use of EMET is not possible, then the system-wide mitigations of DEP and ASLR can be applied without EMET.
• Windows 10 does not provide all of the mitigation features that EMET administrators have come to rely on.

Article source

[straycat19]

Title should be "Windows 10 cannot protect Windows 10 without EMET".  

11 hours ago, Batu69 said:

From an exploit mitigation perspective, upgrading to Windows 10 is a good idea.

 

From a security perspective upgrading to Windows 10 is a terrible idea.  There are 263 reasons why though only 198 are commonly referred to on various internet forums.

 

11 hours ago, Batu69 said:

Windows 10 does not provide all of the mitigation features that EMET administrators have come to rely on.

 

None would be a more appropriate comment here.

 

Pineapples love Windows 10.  They capture all the data.  It was so profuse at the last DEFCON that special attention was given to blocking the Pineapples at the network.  There were as many Pineapples being carried on belt holsters as there were cellphones.  They all targeted Windows 10.  If you have a Windows phone the best thing you can do is turn off WiFi and mobile data and never turn it on in public.  If you have a Windows 10 laptop the best thing you can do is never use public WiFi, ever.  If you do someone can be capturing your logons and data from your connection.  You don't even have to be using your phone for it to connect with a new device (currently being tested) and send logon data if you have WiFi activated.

[steven36]

4 hours ago, straycat19 said:

From a security perspective upgrading to Windows 10 is a terrible idea.

From a security perspective not doing updates in Windows 7 is a terrible idea then people who do updates that run things like Malwarebytes  get there kernel driver deleted. You know how many times i read on Linux forums  that installing a anti malware  on Linux  causes more harm than good? Well it was a whole lot. I been running Windows 10 off and on since it came out and  never had any problems I think the last time I had any problems was way back when I was on Windows XP . Maybe installing Windows 10 would be dangerous for you because you dont how to prevent  security problems to began with , But you dont speak for everyone. 

 

Not long ago it was in the news they was 0days EMET cant protect  do a search  here on it . Only reason I  use security  software at all on windows is just in case . If you know how to prevent  from being infected to began with chances are no security  software wiill ever come into play . It's mostly about there trying to sell you something is all  and it's more for people who dont have very much experience and make bad security decisions . If you put too much dependence on man made things you're just setting yourself up for a fall.

 

Keep in mind I know some businesses with a network  who are to cheap to buy  security  software for there server so when someone gets infected  they bring a IT in and he uses Malwarebytes and they deploy windows 7 updates every month  . I hope the IT has the sense not to delete every thing it picks  up or hes going cost the  company a lot. In the end it all boils down to conman sense  and being able to  tell  a real  security issue from a false one . The more security software you run the more false positives you will have . 

 

Only I thing I use is NOD32 in real time and a good Firewall  I stay away from using M$ browsers and i do on demand scans with other stuff from time to time but  conman sense always has to come into play about what is real and what is not real . This has worked for me for years no matter what AV I use so why would i change it now?

[pc71520]

After July 31, 2018,

Malwarebytes Anti-Exploit & HitmanPro.Alert.

[vissha]

Security Institute Says Windows 7 Is More Secure than Windows 10 Thanks to EMET

 

 

Microsoft plans to retire EMET in July 2018

 

Quote

Microsoft will pull the plug on its Enhanced Mitigation Experience Toolkit (also known as EMET ( on July 31, 2018 (an extension to the original end-of-support date set for January 27, 2017), but this isn’t at all a good move, a security institute says.

 

The CERT group at Carnegie Mellon University explains that EMET helped make Windows 7 very secure and in some cases, even more secure than Windows 10, so pulling it means that users who are not running the latest operating system would be left vulnerable.

 

While they admit that Windows 10 indeed integrates some of the features available in EMET, a Windows 7 system that has the toolkit installed can prove to be more secure because with a built-in solution, it all comes down to apps to integrate these security features.

 

“Microsoft strongly implies that if you are running Windows 10, there is no need for EMET anymore. This implication is not true. The reason it's not true is that Windows 10 does not provide the application-specific mitigations that EMET does,” security researchers explain.

 

Windows 10 and EMET, the best possible combo

 

A graph comparing the security features of Windows 7 with EMET and Windows 10 with the built-in technologies show that the 2009 operating system is actually more secure, coming with features that are not available on its 2015 successor.

 

The best combo is Windows 10 and EMET, which according to these experts, provides the best security that you can get right now on Windows.

 

“Microsoft strongly implies that if you are running Windows 10, there is no need for EMET anymore. This implication is not true. The reason it's not true is that Windows 10 does not provide the application-specific mitigations that EMET does. Windows 10 does not provide all of the mitigation features that EMET administrators have come to rely on,” the report shows.

 

Microsoft is yet to offer a statement on this, but the company is very unlikely to change the end-of-support date for EMET. Windows 7 support itself is coming to an end in January 2020, so Microsoft probably doesn’t see a reason to keep EMET alive for too long, especially because it’s working on implementing its full functionality in Windows 10.

 

Source

[Batu69]

Topic has been merged.