Feature mapping - EMET vs Windows 10

  • Question

  • If you visit https://isc.sans.edu/forums/diary/VBA+Shellcode+and+EMET/21705/ you will see an example of how EMET protects against malicious Word file behaviour:

    "It will inject shellcode inside the Word process, and this shellcode will lookup the API functions it needs. This behavior will be detected by EMET's Export address table Access Filtering (EAF) and the Word process will be killed."

    This is proof that EMET has a place in a business (and personal) environment.

    However, as per Microsoft's official status on https://support.microsoft.com/en-us/kb/2458544, you are going to "kill" EMET.

    End of Life Statement

    We have listened to customers' feedback regarding the January 27, 2017 end of life date for EMET and we are pleased to announce that the end of life date is being extended 18 months. The new end of life date is July 31, 2018. There are no plans to offer support or security patching for EMET after July 31, 2018. For improved security, we recommend that customers migrate to the latest version of Windows 10. 

    Testing on Windows 10 _without_ EMET installed does NOT conclusively prove that the malicious behaviour is blocked.

    And without EMET we have lost all tuning, logging and monitoring functionality?

    Could you elaborate on the migration path that is recommended prior to the End-of-Life for EMET - and document how well you will continue to provide management and logging tools to enterprise administrators?

    Thanks and regards,
    Tor.

    Wednesday, November 16, 2016 8:40 AM

All replies

  • At isc.sans.edu they have continued their testing, and they've proven that shellcode injection works from Word VBA on a Windows 10 system that does NOT run EMET.

    When they install EMET on Windows 10 it blocks the same method, using default settings.

    https://isc.sans.edu/forums/diary/VBA+Shellcode+and+Windows+10/21729/ (THANKS for great support and knowledge sharing as always, handlers @ ISC!)

    This proves that we need EMET in the future as well!

    Its existence is best justified by the words in the User Guide:

    EMET anticipates the most common techniques attackers might use to exploit vulnerabilities in computer systems, and helps protect by diverting, terminating, blocking, and invalidating those actions and techniques. EMET protects computers even before new and undiscovered threats are addressed by security updates and antimalware software. It helps enterprises and all PC users by protecting against security threats and privacy breaches that can disrupt businesses and daily lives.

    Thanks and regards,
    Tor

    Monday, November 21, 2016 6:28 AM
  • "With Windows 10 we have implemented many features and mitigations that can make EMET unnecessary on devices running Windows 10. EMET is most useful to help protect down-level systems, legacy applications, and to provide Control Flow Guard (CFG) protection for 3rd-party software that may not yet be recompiled using CFG." from https://blogs.technet.microsoft.com/srd/2016/02/02/enhanced-mitigation-experience-toolkit-emet-version-5-5-is-now-available/.

    Don't believe everything you read, I guess... It appears Windows 10 includes some, but not all, of EMET.

    John

    Monday, November 21, 2016 4:12 PM
  • The good people at the CERT/CC of Carnegie Mellon University have posted a visualization of what you get with / without EMET. I will point you to their blog for the full story and the visualization; https://insights.sei.cmu.edu/cert/2016/11/windows-10-cannot-protect-insecure-applications-like-emet-can.html

    I will include their Conclusions and Recommendations:

    While EMET itself is a free tool, successful deployment of it takes some work. But there are rewards to be reaped from this work. From an exploit mitigation perspective, upgrading to Windows 10 is a good idea. Installing EMET with application-specific mitigations configured is also a good idea.

    EMET provides some protection against zero-day vulnerabilities in supported software, as well as forever-day vulnerabilities in unsupported software. If the use of EMET is not possible, then the system-wide mitigations of DEP and ASLR can be applied without EMET.

    Windows 10 does not provide all of the mitigation features that EMET administrators have come to rely on.

    Tuesday, November 22, 2016 5:42 AM
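Following the CERT/CC recommendation quoted above, here is an added example (not from this thread, from EMET or from CERT/CC) that reports a host's system-wide DEP and ASLR policy so an administrator can see what is in place once EMET is gone. It assumes an elevated PowerShell session on Windows 7 or later, that bcdedit is on the PATH, and that EMET's "System ASLR" switch corresponds to the MoveImages value under Memory Management.

```powershell
# Added example: audit the system-wide DEP and ASLR mitigations that
# CERT/CC names as the fallback when EMET itself cannot be deployed.
# Assumptions: elevated PowerShell, bcdedit available, and EMET's System ASLR
# setting mapping to the MoveImages registry value (labelled assumption).

function Get-SystemDepPolicy {
    # The current boot entry's "nx" value is the system-wide DEP policy:
    # OptIn (client default), OptOut, AlwaysOn or AlwaysOff.
    $line = bcdedit /enum '{current}' 2>$null |
        Where-Object { $_ -match '^\s*nx\s' } |
        Select-Object -First 1
    if ($line -and ($line -match '^\s*nx\s+(\S+)')) {
        $Matches[1]
    } else {
        'OptIn (default; nx not set explicitly)'
    }
}

function Get-SystemAslrPolicy {
    # MoveImages: absent = images opt in via /DYNAMICBASE, 0 = ASLR disabled,
    # -1 (0xFFFFFFFF) = relocate every image, i.e. EMET's "Always On".
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $item = Get-ItemProperty -Path $key -Name MoveImages -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Application opt-in (default; MoveImages not set)' }
    $v = [int]$item.MoveImages
    if ($v -eq 0)      { 'Disabled (0)' }
    elseif ($v -eq -1) { 'Always on (-1)' }
    else               { "Opt-in images only ($v)" }
}

# Summary for the change ticket; AlwaysOn DEP and MoveImages = -1 are the
# strongest settings but can break legacy software, which is the tuning work
# CERT/CC refers to.
[pscustomobject]@{
    'System DEP'  = Get-SystemDepPolicy
    'System ASLR' = Get-SystemAslrPolicy
} | Format-List
```

Per-application mitigations that EMET configured (EAF, caller checks and so on) have no equivalent here; this script only covers the two system-wide settings the CERT/CC text mentions.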