Tom Olzak

Posts Tagged ‘sehop’

Protecting core productivity apps with EMET

In Uncategorized on October 29, 2009 at 11:02

This week Microsoft released a toolkit designed to help IT professionals protect systems from common threats.  Named the Enhanced Mitigation Evaluation Toolkit (EMET), this little gem is easy to implement, once you install the very small executables on your workstations.

Before I walk you through setting up FireFox, I want to take a minute to tell you why you should care about this.

Why you should care

In its initial release, EMET protects against exploitation of four common attack vectors.  When an application is “configured,” requisite behavior necessary for an effective compromise of a system is blocked.  The following information is from readme.rtf included in the downloadable EMET .zip file:

  1. SEHOP – Structured exception handling (SEH) chain validation breaks SEH overwrite exploitation techniques.
  2. Dynamic DEP – Certain portions of memory are marked as non-executable.  Using EMET, you can target specific applications instead of fighting with compatibility issues caused by setting DEP in the BIOS.
  3. Null page allocation – Attackers are blocked from taking advantage of NULL dereferences in user mode.
  4. Heap spray allocation – Heap spraying involves filling a process’ heap  with specially crafted content to aid system exploitation.  EMET pre-allocates those memory addresses and blocks these attacks.

Although Microsoft hasn’t testing all possible applications, they have successfully tested the following:

  1. iexplore.exe (IE) – although there are apparently some problems getting IE to behave all the time.
  2. winword.exe (Word)
  3. excel.exe
  4. acrord32.exe (Acrobat Reader)
  5. firefox.exe
  6. outlook.exe
  7. powerpnt.exe

The developers of EMET warn it isn’t for everyone.  Since EMET turns off functionality some applications may need to work as expected, it should only be used by IT personnel willing and able to work through possible issues.

Using EMET

Using EMET starts with a quick download of a .zip file.  Extract the file in a folder not generally accessible.  This helps prevent unwanted visitors to the target system from messing with them.

Once I extracted the files on my Windows 7 Ultimate desktop, I was in such a big hurry to start testing I forgot about my “new enhanced” security.  EMET is run from a command prompt and requires elevated privileges.  So my initial run was thwarted until I performed the following steps to bring up a command line window with the proper permissions:

  1. Click Start
  2. Type Command Prompt in the search field.
  3. Right click on Command Prompt at the top of the programs list to bring up the window shown below.


    Figure 1

  4. Click Run as administrator

I then followed the simple example in the readme document to protect FireFox, as shown in Figure 2.



Figure 2

Pressing Enter resulting in a successful run of EMET.  I confirmed this by listing all protected applications.  See Figure 3.


Figure 3

That’s all there is to it.  EMET works with

  • 32-bit Windows XP, Server 2003, Server 2008, Vista and Windows 7
  • 64-bit Vista, Windows 7 and Windows 2008 R2
%d bloggers like this: