Microsoft is urging Windows users who browse the Web with Internet Explorer to use a free tool called EMET to block attacks against a newly-discovered and unpatched critical security hole in IE versions 7, 8 and 9. But some experts say that advice falls short, and that users can better protect themselves by surfing with an alternative browser until Microsoft issues a proper patch for the vulnerability.
EMET, short for the Enhanced Mitigation Experience Toolkit, is a tool that can help Windows users beef up the security of commonly used applications, whether they are made by a third-party vendor or by Microsoft. EMET allows users to force applications to use one or both of two key security defenses built into Windows Vista and Windows 7 — Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP).
Put very simply, DEP is designed to make it harder to exploit security vulnerabilities on Windows, and ASLR makes it more difficult for exploits and malware to find the specific places in a system’s memory that they need to do their dirty work.
Before I get into the how-tos on EMET, a few caveats. EMET is a great layer of security that Windows users can and should use to enhance the security of applications. But EMET may not block the exploit code now publicly available through the Metasploit framework. In fact, Tod Beardlsey, an engineering manager with Rapid7, the security firm that manages Metasploit, told The Associated Press that EMET does not appear to be completely effective against this exploit.
I asked Metasploit founder HD Moore what he thought was the best way to block this exploit, and he pointed out that the exploit available through Metasploit requires the presence of Java on the host machine in order to execute properly on IE 8/9 on Windows 7 and Vista systems (the exploit works fine without Java against IE7 on XP/Vista and IE8 on XP). Obviously, while the lack of Java on a Windows machine may not prevent other exploits against this flaw, it is a great first start. I have consistently urged computer users of all stripes to uninstall Java if they have no specific use for it.
Using a non-IE browser such as Chrome, Firefox, Opera or Safari is a far safer approach, at least until Microsoft releases a proper patch for this flaw (note that Windows 8 and Internet Explorer 10 are not affected by this vulnerability).
If you decide to stick with IE, I’d encourage you to read closely the security advisory Microsoft published last night. It describes a number of tweaks that users can make to ratchet up security settings in IE, and details the process of setting up IE to use EMET.
EMET can force individual applications to perform ASLR on every component they load, whether the program wants it or not. Please note that before you install EMET, you’ll need to have Microsoft’s .NET platform installed. And while it does technically work on Windows XP (Service Pack 3 only), XP users cannot take advantage of mandatory ASLR and some of the other notable protections included in this tool.
To proceed with EMET, download the program and install it. To wrap Internet Explorer in EMET’s settings, launch the program and click the “Configure Apps” button in the bottom right corner of the application window. Selecting the “Add” button in the next box that brings up a program selection prompt; browse to C:\Program Files\Internet Explorer, and then add the “iexplore.exe” file. It should be okay to accept all of the defaults that EMET adds for you.
While you’re at it, add the rest of your more commonly used, Internet-facing apps. But go slow with it, and avoid the temptation to make system-wide changes. Changing system defaults across the board – such as changing ASLR and DEP settings using the “configure system” tab – may cause stability and bootup problems. I’ve been using it on a 64-bit Windows 7 system and phasing in some of my most-used applications on-by-one with the “configure apps” button just to make sure the added security doesn’t crash the programs (see screen shot below). So far, the only problem I’ve run up against was Skype, which didn’t seem to like being forced into using the six different protection mechanisms that EMET employs by default when you manually add application: It simply would crash upon startup.
Just keep a running list somewhere of the apps you have set to use EMET, and if you experience problems or glitches with these programs going forward, you may be able to fix said bugginess simply by tweaking EMET a bit.
Tags: .NET, 0day, address space layout randomization, ASLR, chrome, data execution prevention, DEP, EMET, Enhanced Mitigation Experience Toolkit, firefox, HD Moore, java, KB2757760, Metasploit, opera, Rapid7, safari, Tod Beardsley, zero day