
  • Anyone have any examples of EMET protecting against an in-the-wild exploit?
    My idea of a party is a virtualization server and a room of TechNet DVDs
    Thursday, October 13, 2011 10:17 PM

All replies

  • Hi,

    Most of the old Aurora family of exploits and many other older techniques have been deterred by DEP/SEHOP. Many of the old heap spraying techniques simply do not work anymore because of ASLR and heap pre-allocations. Unfortunately nothing at the moment can protect you from some of the new pure-ROP/pivot exploits on any OS. The EAF mitigation might help if ASLR is enabled... but what is the point if the exploit is able to brute-force through meta-refresh or location header...

    I would say the number of older exploits prevented... numbers in the hundreds if not thousands. I would further assert that EMET is a 'must-have' for older operating systems such as Windows XP/Server 2003.

    Best Wishes,

    -David Delaune

     

    Friday, November 18, 2011 2:59 PM
  • What system executables do you advocate enabling it for on Windows XP?

    Right now I'm enabling it on Adobe Reader 9, Java, Office 2007, Windows Search 4, and winhelp.exe/winhlp32.exe.


    My idea of a party is a virtualization server and a room of TechNet DVDs
    • Edited by Daniel Wolf Monday, November 28, 2011 10:54 PM
    Monday, November 28, 2011 10:43 PM
  • Hi Daniel,

    I'm not going to point out any specific applications... but I will highlight what I consider high risk groups. The following groups of applications are perfect candidates for protecting with EMET:

    1. Applications that have the ability to access the internet.
    2. Applications that use just-in-time compilation (JIT) should also be protected. (ActionScript, VBScript, JavaScript, for example)
    3. Applications that load unsigned third-party plugins. (ActiveX, DLL add-ons, plug-ins, browser extensions, or browser helper objects, for example)

    Best Wishes,

    -David Delaune

    Wednesday, November 30, 2011 10:06 PM
  • Hi,

    How many do you want?

    Works perfectly on the system, even better on a honeypot!

    Have a nice day

    Thursday, December 01, 2011 8:29 PM