Saturday, September 11, 2010


Funny how sometimes, due to the information overload, we just miss
very interesting stuff being released. Today I was reading an article from the Microsoft Security Research & Defense blog
about how to mitigate the new Adobe exploit with a tool called EMET.
WTF?!?!? I was amazed when I read what EMET is the idea behind it:

Enhanced Mitigation Experience Toolkit

"For those who may be unfamiliar with the tool, EMET provides users
with the ability to deploy security mitigation technologies to
arbitrary applications.  This helps prevent vulnerabilities in those
applications (especially line of business and 3rd party apps) from
successfully being exploited.  By deploying these mitigation
technologies on legacy products, the tool can also help customers
manage risk while they are in the process of transitioning over to
modern, more secure products.  In addition, it makes it easy for
customers to test mitigations against any software and provide
feedback on their experience to the vendor."

Microsoft has developed a series of defenses against the most common
code execution methods used in exploits, such as DEP and ALSR.
However, some of those defenses require that software is recompiled
with new compatible compilers. It seems that some pieces (DLLs) of
Adobe Reader still haven't been recompiled to use ASLR, keeping some
doors open to the exploit writers. So, EMET can be used to force ASLR
to that software even if it was not prepared for that. Of course it
can be deployed by default on everything, as there's a small chance of
breaking stuff, but it is a nice tool for those who want to add some
protection while accepting to have an eventual issue here and there.

Next step from Microsoft could be an automatic assessment on software
installation to verify if EMET is necessary and, if so, keep control
of what is using it so users can try to disable it when an error
occurs. That would be almost transparent while adding a pretty much
amount of security.

Going into the same line, FX announced a great tool to add a layer of
protection for Flash files in Defcon, Blitzableiter. Take a
look at that one too, it can be integrated with Firefox and NoScript,
pretty nice approach.

No comments:

Post a Comment