Sunday, September 12, 2010

Microsoft's Enhanced Mitigation Experience Toolkit

A week ago Microsoft released version 2.0 of EMET (Enhanced Mitigation Experience Toolkit):

Don't know what EMET is? I highly suggest you use it to launch applications that talk on the Net, in particular your browser. Here's a very technical video from Microsoft that talks about EMET:

Let me give you a sample scenario. You visit a legitimate site that you've used for ages which unbeknownst to you, ads being served up are coming from a compromised ad server (a scenario which by the way has happened many times). The malware then attempts to leverage an arbitrary code execution flaw. Unfortunately for you, you're not very diligent about keeping your system up to date or you've ignored updating your system because well, "I'll do it later." Malware sent your way succeeds in leveraging an arbitrary code execution flaw that just surfaced with your browser of choice two days ago installing a backdoor and thus gaining complete control of your computer at which point the remote attacker can take whatever files they please, use your computer as part of a spam network, denial of service network, etc, etc. In short, your system is completely at someone else's mercy and you don't even know it. Let's take a more optimistic scenario. You're on a fully patched Windows 7 system with UAC enabled so you're safe (usually) from getting your machine taken over but malware comes in through your browser which isn't patched. You don't have the latest browser revision because you've put it off, turned off auto-updates or worse, there's no patch for an exploit that has surfaced. You're then unfortunate enough to visit a site with malware and a recent exploit is leveraged introducing rogue code into your system. That code is at the very least capable of reading and modifying files you use day to day. Whether they be explicit documents (such as MS Word) or implicit documents (the cookies in your browser). Unfortunately, your browser doesn't prevent the malicious code from reading any file(s) belonging to you, in particular, browser cookies. After which, someone starts going into your various online accounts with your active cookies (which were conveniently sent to them over the Net) to see what they can find.

So how do you use EMET?

1) Go to the first link I provided - download and install EMET
2) After launching EMET hit the Configure Apps button in the lower right
3) Hit the Add button on the dialog box that comes up and specify the path to an executable you would like to protect, e.g.:

C:\Program Files (x86)\Mozilla Firefox\firefox.exe

4) Hit the Open button on the file browsing dialog (aka OK).
5) Restart the application in question, in this example, Firefox

(Look at blog post image)

Firefox is now protected from a variety of attack vectors often used in arbitrary code execution. The video elaborates on them quite well.

Whereas RemoveAdmin (a security tool that I authored) is all about leveraging OS level security, Microsoft's EMET is about maintaining the integrity of processes and thus, at the very least, providing application level security, e.g., your browser cookies. At worst, if you have an unpatched system (the OS) you could find yourself with a system that's been botted, has had a keyboard logger installed, etc., etc.

In my particular case, I not only have added the browsers I use day to day to EMET (Chrome, Firefox), I've added all applications I regularly use that talk on the Internet. In particular, iTunes, WinAmp, Outlook, Adobe's PDF reader, Windows' Media Player and Apple's QuickTime player. The links I've provided in the previous sentence point to security advisories for each of these applications they are not links to the products' respective web pages. If you have doubts about what I'm saying, just visits those links. Yes, as hard as it for a lay person to comprehend, you can have your system compromised by watching a video pulled off a web site. This is why you should start using EMET today. In short, I will never launch my browser from here on out without this tool.

Finally the following article surfaced after my initial blog post. Here's a scenario where an exploit of Adobe's PDF reader has surfaced, Adobe itself doesn't yet have a patch but through the use of EMET the exploit is short-circuited:

No comments: