EMET 4.0 Beta Possible Bug: Unsafe System Wide ASLR Always On Available By Default

  • General discussion

  • Hi everyone,

    After successfully installing EMET 4.0 Beta on a test version of Windows 7 64-bit SP1, I noticed the following potential issue:

    On page 34 of the EMET 4.0 Beta Users Guide the Unsafe Configurations for System Wide Security settings are discussed. In order to enable these options, a registry key is to contain the following DWORD value:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EMET
    
    EnableUnsafeSettings = 1

    I installed EMET 4.0 Beta and this registry key is set to the default value of 0 but the unsafe options are available to select from within the EMET GUI. Please find below screenshots showing these options and my registry settings:

    Direct Link To Images:

    http://i742.photobucket.com/albums/xx69/Jimboc/Microsoft/EMET_4_Beta_MaxSettings.png

    http://i742.photobucket.com/albums/xx69/Jimboc/Microsoft/EMET_4_Beta_Reg_Settings.png

    I would suggest the following system wide security settings to be the maximum available while

    EnableUnsafeSettings = 0

    Direct Link To Image:

    http://i742.photobucket.com/albums/xx69/Jimboc/Microsoft/EMET_4_Beta_Max_SuggestedSettings.png

     

    Please note that I uninstalled EMET 3.5 Tech Preview, rebooted and deleted the following registry keys before installing EMET 4.0 Beta:

    HKLM\Software\Microsoft\EMET
    HKLM\Software\Policies\Microsoft\EMET

    Is this the intended behavior of EMET 4.0 Beta? While the user is warned about setting system-wide ASLR to Always On, they may not understand the full effect of the warning, i.e. they may consider that an unbootable computer may happen but is not likely to happen:

    Direct Link to Image:

    http://i742.photobucket.com/albums/xx69/Jimboc/Microsoft/ASLRWarning.png

    My test version of Windows 7 64-bit SP1 booted successfully with system-wide ASLR set to Always On, but I consider such an occurrence an exception rather than a rule since I have read about AMD and Nvidia GPU drivers not being compatible with this setting.

    If I can provide any further information about the above settings, please let me know.

    I have also sent the above suggestion to the EMET Feedback email address as mentioned on Page 40 of the User’s Guide.

    Thank you.

    • Edited by JamesC_836 Friday, April 19, 2013 12:08 PM Minor edits
    Friday, April 19, 2013 10:59 AM

All replies

  • Hi,

    Actually, I just noticed that when the following registry key is set to 1, the unsafe option ("Always on") is not available anymore:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EMET
    EnableUnsafeSettings = 1

    So it looks like there is a simple boolean negation somewhere.

    Cheers,

    Mike

    Friday, April 19, 2013 2:07 PM
  • Hi Mike,

    That's interesting and it’s something that I should have checked.

    Thanks for pointing this out and for confirming this is not expected behavior.

    • Edited by JamesC_836 Friday, April 19, 2013 2:30 PM
    Friday, April 19, 2013 2:30 PM
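
An audit for the mismatch discussed in this thread, added here as an example (not part of the original posts and not EMET code): it reports when system-wide ASLR is forced on although `EnableUnsafeSettings` is not 1. Assumptions: "Always On" is stored as `MoveImages = 0xFFFFFFFF` under the Session Manager `Memory Management` key, which the thread does not state; the function names are hypothetical.

```powershell
# Added example: audit whether system-wide ASLR is forced on without the EMET opt-in.
# Assumption (not from the thread): "Always On" is stored as MoveImages = 0xFFFFFFFF.
$EmetKey = 'HKLM:\SOFTWARE\Microsoft\EMET'
$MmKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Get-DwordOrNull {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-EmetAslrState {
    param($EnableUnsafeSettings, $MoveImages)
    # A missing EnableUnsafeSettings value is treated as 0 (the default the post reports).
    $unsafeAllowed = ($null -ne $EnableUnsafeSettings) -and ($EnableUnsafeSettings -eq 1)
    # Format as hex so Int32 -1 and UInt32 4294967295 compare the same.
    $forced = ($null -ne $MoveImages) -and (('{0:X8}' -f $MoveImages) -eq 'FFFFFFFF')
    if ($forced -and -not $unsafeAllowed) {
        'MISMATCH: ASLR forced system-wide but EnableUnsafeSettings is not 1'
    } elseif ($forced) {
        'WARNING: ASLR forced system-wide (unsafe settings explicitly enabled)'
    } else {
        'OK: system-wide ASLR is not forced'
    }
}

# Constructed inputs covering the three outcomes (no registry access needed).
Test-EmetAslrState -EnableUnsafeSettings 0 -MoveImages (-1)
Test-EmetAslrState -EnableUnsafeSettings 1 -MoveImages 4294967295
Test-EmetAslrState -EnableUnsafeSettings $null -MoveImages $null

# Live check on the local machine.
Test-EmetAslrState `
    -EnableUnsafeSettings (Get-DwordOrNull $EmetKey 'EnableUnsafeSettings') `
    -MoveImages (Get-DwordOrNull $MmKey 'MoveImages')
```

A MISMATCH result on a machine is worth recording before a reboot, since the first post notes that some GPU drivers are reported to be incompatible with the Always On setting.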