Protecting PCs from the next zero-day threat

Susan Bradley

For every zero-day vulnerability we patch, there’s another waiting in the wings — and yet another, no doubt.

One of the better tools for protecting our systems from the new threats is Microsoft’s oddly named Enhanced Mitigation Experience Toolkit.

Minimizing the threat from zero-day exploits

When hackers create new forms of malware, there’s a (hopefully brief) time during which PCs are open to attack while antivirus companies build and deliver a virus-definition update. Those as-yet unpatched threats are called zero-day exploits, and they’re a constant menace to safe computing. One form of protection I’ve recommended is to use multiple browsers and keep them up to date. Exploits typically use one specific browser or add-on application such as Java or Adobe Flash. For advanced PC users, I also recommend downloading and using the Enhanced Mitigation Experience Toolkit (EMET).

Simply put, EMET can provide an extra layer of protection until there’s an official patch for a new exploit. It won’t guarantee protection from all vulnerabilities, but it makes it much harder for a cyber criminal to attack you. Microsoft Support article 2458544 explains EMET in detail. Like any security tool, EMET is continually being enhanced; Microsoft recently released Version 3.5 (Download Center page), which adds four new types of exploit mitigations.

If you’re still on Windows XP, there’s a bit of bad news. To use EMET, you must have .NET Framework 2.0 loaded onto your system. (EMET 3.5’s installation process will prompt you to download and install .NET 2.0, if you’ve not already done so.) You can get .NET 2.0 Service Pack 1 at its MS Download Center page.

Windows XP users should also know that EMET is not as effective on that OS as it is on Vista and Windows 7. Natively, Windows XP can’t opt into these additional exploit protections. Installing EMET will back-port some of the newer security technologies found in Windows 7.

For example, EMET will add Structured Exception Handling Overwrite Protection (SEHOP; more info) to Windows XP. First introduced in Windows Vista SP1, this technology is designed to protect systems from exploits that overwrite a Structured Exception Handler (SEH) record (as detailed in MS Support article 956607). An Ethical Hacker blog post showcases an SEH exploit of Yahoo Media Player.

Very simply put, in an SEH attack, a malicious hacker makes a targeted application — such as Yahoo Media Player — fail. Instead of gracefully failing with an error message and running recovery code, the app is tricked into running malicious code planted by the attacker — which in turn gives the attacker control of the machine. EMET can help break that chain of events and keep the cyber criminal from taking over your PC.
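The chain-of-events that SEHOP breaks can be modelled in a few dozen lines. The following is an added, illustrative example written for this article; it is not Microsoft's code, and the stack addresses, handler addresses and record layout are constructed sample values. It models the 32-bit SEH chain as a linked list of registration records and applies the rule SEHOP enforces before any handler is invoked: the chain must be walkable from its head to the final record that ntdll installs. A record whose link has been overwritten no longer leads there, so dispatch is refused and the planted handler never runs.

```python
"""Model of the SEHOP chain check that EMET back-ports to Windows XP.

Added, illustrative example: not Microsoft's code and not part of the
original article. All addresses are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, List

END_OF_CHAIN = 0xFFFFFFFF        # 'next' value in the terminating record
FINAL_HANDLER = 0x7C9032A8       # stands in for ntdll's final exception handler (constructed)
MAX_RECORDS = 64                 # bound on chain length while walking


@dataclass(frozen=True)
class SehRecord:
    next_record: int   # address of the next record, or END_OF_CHAIN
    handler: int       # address of the handler to call for this frame


def build_intact_chain() -> Dict[int, SehRecord]:
    """Thread stack modelled as address -> record (constructed sample layout)."""
    return {
        0x0012FF30: SehRecord(next_record=0x0012FFB0, handler=0x00401520),      # application frame
        0x0012FFB0: SehRecord(next_record=0x0012FFE0, handler=0x00402000),      # C runtime frame
        0x0012FFE0: SehRecord(next_record=END_OF_CHAIN, handler=FINAL_HANDLER), # ntdll's final record
    }


def walk_chain(memory: Dict[int, SehRecord], head: int) -> List[SehRecord]:
    """Follow 'next' links from head. Raises ValueError on a dangling link,
    a cycle, or an over-long chain: the conditions under which SEHOP refuses
    to dispatch."""
    records: List[SehRecord] = []
    seen = set()
    addr = head
    while addr != END_OF_CHAIN:
        if addr in seen:
            raise ValueError(f"cycle at {addr:#010x}")
        if addr not in memory:
            raise ValueError(f"link to non-record memory {addr:#010x}")
        if len(records) >= MAX_RECORDS:
            raise ValueError("chain too long")
        seen.add(addr)
        rec = memory[addr]
        records.append(rec)
        addr = rec.next_record
    return records


def sehop_validate(memory: Dict[int, SehRecord], head: int) -> bool:
    """True only if the chain is walkable and ends in ntdll's final record."""
    try:
        records = walk_chain(memory, head)
    except ValueError:
        return False
    return bool(records) and records[-1].handler == FINAL_HANDLER


def handlers_in_order(memory: Dict[int, SehRecord], head: int) -> List[int]:
    """Handlers the dispatcher would try, in order, or [] if SEHOP rejects the chain."""
    if not sehop_validate(memory, head):
        return []
    return [r.handler for r in walk_chain(memory, head)]


def corrupt_record(memory: Dict[int, SehRecord], addr: int, filler: int = 0x41414141):
    """Copy of memory in which the record at addr has had both fields clobbered
    with a filler value, as a stack overflow running past that frame does."""
    corrupted = dict(memory)
    corrupted[addr] = SehRecord(next_record=filler, handler=filler)
    return corrupted


if __name__ == "__main__":
    head = 0x0012FF30
    intact = build_intact_chain()
    print("intact chain valid:", sehop_validate(intact, head))          # True
    print("handlers:", [hex(h) for h in handlers_in_order(intact, head)])
    smashed = corrupt_record(intact, head)
    print("overwritten chain valid:", sehop_validate(smashed, head))    # False
    print("handlers:", handlers_in_order(smashed, head))                 # []
```

The real check also verifies that each record lies within the thread's stack limits; the model keeps only the linkage rule, which is the part that a blind overwrite of a record cannot satisfy. That is why the article can say EMET breaks the chain of events rather than detecting any particular payload.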

Data Execution Prevention (DEP) is another mitigation that EMET 3.5 adds to Windows XP. Although DEP is built into XP, applications must be marked with a special flag in their executable to use it; EMET removes the need for that flag.

EMET also blocks heap spraying allocations (Wikipedia definition), another technique used by attackers that makes other exploits more effective.

EMET adds Mandatory Address Space Layout Randomization (ASLR) to Windows XP systems. (It’s built in and enabled in Vista and Windows 7.) ASLR randomizes the memory addresses at which system modules are loaded, so an attacker cannot predict what address space is in use. Randomized memory addresses make it harder for hackers to code effective exploits.
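The "special flag" the DEP paragraph refers to, and the equivalent flag for ASLR, are both bits in an executable's PE header, so you can audit which of your programs actually opted in before deciding where EMET's DEP and Mandatory ASLR settings matter. The script below is an added example written for this article, not part of EMET or of the original text: it reads the DllCharacteristics field of the optional header and reports the NX_COMPAT (DEP) and DYNAMIC_BASE (ASLR) bits. The sample images it checks are constructed, header-only stubs so it runs on any OS; pass real file paths on the command line to audit a machine.

```python
"""Report which PE executables opted in to DEP and ASLR via their headers.

Added example, not from the article. The two bits live in the optional
header's DllCharacteristics field, at the same offset for PE32 and PE32+.
SAMPLE_IMAGES are constructed header-only stubs for demonstration.
"""
import struct
from typing import Dict, List

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # ASLR opt-in (/DYNAMICBASE)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # DEP opt-in (/NXCOMPAT)
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
COFF_HEADER_SIZE = 20
DLLCHAR_OFFSET = 70   # DllCharacteristics offset inside the optional header


def dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics field, validating the MZ/PE layout on the way."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_hdr = e_lfanew + 4 + COFF_HEADER_SIZE
    magic = struct.unpack_from("<H", image, opt_hdr)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    return struct.unpack_from("<H", image, opt_hdr + DLLCHAR_OFFSET)[0]


def pe_opt_ins(image: bytes) -> Dict[str, bool]:
    """Which of the two linker-time opt-ins the image carries."""
    dc = dll_characteristics(image)
    return {
        "DEP": bool(dc & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "ASLR": bool(dc & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
    }


def needs_emet(images: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Map each image name to the mitigations it did not opt in to."""
    return {name: [m for m, on in pe_opt_ins(data).items() if not on]
            for name, data in images.items()}


def make_stub_pe(dllchar: int, pe32plus: bool = False) -> bytes:
    """Build a header-only PE image with the given DllCharacteristics (constructed data)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240 if pe32plus else 224
    machine = 0x8664 if pe32plus else 0x14C
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, DLLCHAR_OFFSET, dllchar)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed sample set: one image with both opt-ins, one with none, one with DEP only.
SAMPLE_IMAGES = {
    "modern_app.exe": make_stub_pe(IMAGE_DLLCHARACTERISTICS_NX_COMPAT
                                   | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
    "legacy_app.exe": make_stub_pe(0),
    "dep_only.exe": make_stub_pe(IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        targets = {p: open(p, "rb").read() for p in sys.argv[1:]}
    else:
        targets = SAMPLE_IMAGES
    for name, missing in needs_emet(targets).items():
        print(f"{name}: {'opted in to both' if not missing else 'lacks ' + ', '.join(missing)}")
```

Two caveats when reading the output: a process can also turn DEP on for itself at run time (SetProcessDEPPolicy), which a header check cannot see, and native 64-bit processes always run with DEP regardless of the flag. For ASLR the DLLs loaded into the process count as much as the EXE, since a single non-relocated module gives an attacker a fixed address; that is the gap EMET's Mandatory ASLR setting closes by forcing those modules to relocate.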

Installing and using EMET Version 3.5

The annual Black Hat security conference in Las Vegas always showcases new exploits. One of those revelations prompted Microsoft to add Return Oriented Programming (ROP) mitigations to EMET 3.5. In a ROP attack (Wikipedia definition), hackers reuse machine code that’s already loaded in Windows to take control; they don’t have to insert their own code to launch an attack. A Microsoft Security Research & Defense post gives the technical details about the new mitigations.

To install and use EMET, start by downloading it from its Microsoft Download Center site. As already noted, Windows XP users will have to install .NET Framework 2.0 SP1 (site) first. Although EMET protects both 32-bit and 64-bit systems, the interface is a 32-bit app. Once EMET is installed, launch the interface to begin the customization steps discussed below.

First, however, a word of caution. EMET’s mitigations do not play well with some applications. You should have no problems running Internet Explorer with EMET’s default settings. But go slowly when adding EMET protection to other applications. If the default settings work well on your system, branch out and either create your own custom list of protected apps or use the included .xml file that lists Office and many third-party programs.

With EMET installed, launch it by going to its folder in All Programs. You’ll next see the EMET console.

On XP systems, you’ll find that DEP is set to Opt In by default; SEHOP and ASLR are unavailable (see Figure 1). Click Configure System to change the default settings. Pull down on the Profile Name list and choose Recommended Security Settings. Test these with your important apps and websites; if there’s a problem with either, a small error message should pop up. If there are no issues, try again with Maximum Security Settings.

Figure 1. On XP systems, start EMET protection with Recommended Security Settings.

Now let’s customize the application settings. In the EMET console, click on Configure Apps. An Import Settings file-open box will appear, as shown in Figure 2. You can either use it to browse to an application’s security-profile folder or click File/Import at the top of the Application Configuration window and then browse to where EMET is installed.

On 32-bit systems, that is C:\program files\EMET (Tech Preview)

On 64-bit systems, it’s C:\program files (x86)\EMET (Tech Preview)

Now browse to the Deployment/Protection profiles folder.

Figure 2. Use the Configure Apps option to protect specific programs from zero-day threats.

You’ll see three configuration files: All, which has a list of common applications on the system; Internet Explorer, which sets up the defaults for protecting IE; and Office Software, which obviously protects Office applications.

For now, just choose Internet Explorer and click Open. Ensure that all checkboxes are selected, click Okay, and close the EMET console. Reboot your system.

Now test your important websites (such as online banking) and all critical applications you use. Confirm that they work as they should. If they do, leave EMET with your current settings. If something fails, go back into EMET and, in Configure Applications, remove iexplore.exe protection.

You can confirm that EMET is protecting Internet Explorer by opening an IE session and then the EMET console. If EMET is protecting IE, you’ll see green dots next to the IE processes listed in the console, as shown in Figure 3.

Figure 3. Green dots indicate that EMET is protecting an IE session.

EMET works with Windows XP, Vista, and Win7. However, Windows XP users should not expect that EMET will make the OS bulletproof. Vista and Windows 7 have additional protections that can’t be ported back to XP. For example, Windows 7 has DEP enabled for all applications, and the entire system can be made to opt into SEHOP and ASLR. Adding EMET to Windows 7 is like icing on the secure cake; EMET with Windows XP is more like adding major ingredients. But it’s still not going to be perfect.

I’m currently rolling out EMET within my firm, using Windows Group Policy. I’m also installing this on all my personal computers at home. Soon, I’ll test EMET protection for virus-prone applications such as Adobe Reader and Acrobat.

During the last IE zero-day threat, a Microsoft Security Research & Defense blog recommended: “If you have already deployed EMET in your environment, ensure that the Mandatory ASLR mitigation — at least — is enabled for Internet Explorer to raise the bar for attackers by blocking current exploits and introducing an additional cost factor in exploit development.” I plan to leave this setting in place to better protect myself when I use IE.


Windows Secrets article posted on 2012-09-26 by Susan Bradley.

About Susan Bradley

Susan Bradley is a Small Business Server and Security MVP, a title awarded by Microsoft to independent experts who do not work for the company. She's also a partner in a California CPA firm.