Microsoft Tears off the Band-Aid with EMET

Microsoft last week extended the end-of-life expiration date to July 2018 on its exploit mitigation add-on, the Enhanced Mitigation Experience Toolkit (EMET). But for some time, the once-useful tool has been well on its way out to pasture.

While EMET was never meant to be anything more than stopgap protection against exploits, attackers and white-hat researchers accelerated its demise with a number of publicized bypass attacks. That situation, plus Microsoft’s urgency to have users migrate to Windows 10 and the array of new memory mitigations included in the latest OS has brought the curtain down on EMET.

“It was a stopgap. It was never supposed to be something [Microsoft] wanted people to use longterm,” said Cody Pierce, director of vulnerability research at Endgame. “They want people to upgrade Windows 10; for the good of their customers, they want to transition them to Windows 10 where there are some protections baked into the operating system.”

Foremost is Control Flow Guard, a technology built to counter memory-corruption vulnerabilities, which has been available since Visual Studio 2015 and is also built into Windows 10 and Windows 8.1. Control Flow Guard is thought to be a primary impediment to use-after-free attacks, which became a favorite exploit once ASLR and DEP put a damper in buffer overflow attacks.

“There are a lot more compile time mitigations [in Windows 10] like Control Flow Guard, and a new Return Flow Guard feature,” said Darren Kemp, security researcher with Duo Security. Kemp also pointed out that since Windows 10’s mitigations are integrated into the operating system, unlike EMET, there are fewer instances where users will notice a performance hit, which was increasingly common with EMET. Also, EMET required close care when configuring it to work, otherwise it could break certain application processes.

“Since it’s not integrated, you don’t get the same type of tight coupling,” Kemp said. “With a lot of stuff in EMET, you have to test the software you’re applying it to, to make sure the mitigations don’t cause problems. It hooks into functions and injects features. If software does non-standard things, it can cause problems with those apps.”

Microsoft, meanwhile, has not had EMET on a consistent upgrade path since version 5.0 dropped in 2014. This was an abrupt change from the early days when EMET was introduced and exploits were unleashed within days of Patch Tuesday releases. In announcing the deadline extension to July 31, 2018, Microsoft’s Jeffrey Sutherland acknowledged EMET’s limitations against modern advanced attacks, its performance and reliability shortcomings, and urged users toward Windows 10, which makes the most of hardware virtualization to sandbox applications and links before they can harm the operating system.

“With the types of threats enterprises face today, we are constantly reminded of this simple truth: modern defense against software vulnerabilities requires a modern platform,” Sutherland said.

The true value of any mitigation continues to be how well it raises the cost of attacks. Pierce illustrated how advanced attackers have blown well past EMET’s menu of mitigations with advanced logic that automates many facets of an attack that its defenses cannot keep up with.

“If you’re an exploit kit writer and you acquire a zero day or develop an exploit, you have to get the most bang for your buck; and part of that is supporting a wide range of targets. If you’ve got a Flash exploit, you want it to work on Firefox, Windows, Linux and more and you have to come up with ways to make it easier on you,” Pierce said. “A lot of the ways they’ve figured out to do that bypasses a lot of these late-hook defenses like EMET. They’re getting more value out of it. The types of exploit mitigations EMET provides were limited in utility due to the nature of exploitation. If you look at an exploit kit from 2010, it looks wildly different than it does now.”

Duo’s Kemp, meanwhile, says Windows 10 is one of the hardest targets to breach today.

“That’s the nature of this stuff: raising the bar. If you’re an attacker, do you want to invest a lot of time and energy to figure out a way around this, or are you going to go after something else?” Kemp said.