Microsoft beefs up anti-exploit tool with tech from $250K contest finalist
EMET 3.5 includes settings inspired by BlueHat Prize finalist Ivan Fratric
Computerworld - Microsoft today launched a security toolkit preview that includes anti-exploit technologies created by one of the three finalists in the company's $250,000 BlueHat Prize contest.
Enhanced Mitigation Experience Toolkit (EMET) 3.5 features new defenses inspired by finalist Ivan Fratric, a researcher at the University of Zagreb in Croatia. The other finalists are Jared DeMott, a security researcher employed by Florida-based Harris Corp., a major defense and aerospace contractor, and Vasilis Pappas, a Ph.D. student at Columbia University.
Microsoft will announce the winners late Thursday at the Black Hat security conference, which kicked off today in Las Vegas and wraps up tomorrow.
"If nothing else the EMET update shows they are committed to taking these ideas and acting on them," said Andrew Storms, director of security operations at nCircle Security, in a Wednesday interview conducted via instant messaging.
EMET, designed for enterprise IT workers and advanced users, lets them manually switch on Windows anti-exploit defenses, such as DEP (data execution prevention) and ASLR (address space layout randomization) for specific applications.
The toolkit is often used to harden older programs and has also been recommended by Microsoft as stop-gap protection. In March 2011, for example, Microsoft told Office customers to run EMET to fend off zero-day attacks until Adobe patched a bug in Flash.
The new EMET, which Microsoft dubbed a "technology preview" to hammer home that the utility wasn't ready for production use, includes five new settings designed to stymie "return-oriented programming" (ROP), an exploit-building technique often used to sidestep DEP.
Many advanced exploits rely on ROP to do their tricks, and the technique has been called the "most pressing attack vector" now facing Windows.
For his BlueHat Prize submission, Fratric created "ROPGuard," a technology that checks each critical function call to determine if it's legitimate.
In an interview last month, Fratric explained ROPGuard.
"Unless [the attacker] wants the attack to stay confined in the current process, [he or she] will need to call some 'special' functions to leverage the attack," Fratric said. "The attacker will need to call these functions from the ROP code, either directly or indirectly, and that makes these functions an ideal place to check if the attack is taking place or not."
Microsoft based the anti-ROP settings in EMET on Fratric's work.
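As an added illustration of the kind of check Fratric describes (written for this page; it is not EMET or ROPGuard code and the structures and thresholds are assumptions): a guard placed at the entry of a "critical" function can ask whether the stack pointer still lies in the thread's real stack and whether the return address was reached through a CALL instruction, since a ROP chain reaches its gadgets through RET. Only two common x86 CALL encodings are decoded; the sample code bytes are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>

/* Constructed snapshot of what a guard can see when a critical function
 * (one that could spawn a process or change memory protections) is entered.
 * Assumption: not EMET's or ROPGuard's own data structures. */
typedef struct {
    uintptr_t stack_ptr;          /* stack pointer at function entry */
    uintptr_t stack_low;          /* thread stack bounds recorded at thread start */
    uintptr_t stack_high;
    const uint8_t *return_addr;   /* where the critical function will return to */
} call_context;

/* Check 1 (stack pivot): ROP chains commonly run on a fake stack in heap or
 * data memory, so the stack pointer should lie inside the real thread stack. */
bool stack_ptr_in_thread_stack(const call_context *c) {
    return c->stack_ptr >= c->stack_low && c->stack_ptr < c->stack_high;
}

/* Check 2 (caller check): a legitimate return address follows a CALL.
 * Only two x86 encodings are decoded here, enough for illustration:
 *   E8 rel32   (5 bytes)  direct call
 *   FF D0..D7  (2 bytes)  call reg   (ModRM mod=11, /2) */
bool return_addr_preceded_by_call(const uint8_t *ret) {
    if (ret[-5] == 0xE8) return true;
    if (ret[-2] == 0xFF && (ret[-1] & 0xF8) == 0xD0) return true;
    return false;
}

bool critical_call_is_legitimate(const call_context *c) {
    return stack_ptr_in_thread_stack(c) && return_addr_preceded_by_call(c->return_addr);
}

/* Constructed code bytes for testing; the "return address" is byte 7 of each. */
static const uint8_t after_direct_call[] = {0x90, 0x90, 0xE8, 0x10, 0x00, 0x00, 0x00, 0xC3};
static const uint8_t after_call_reg[]    = {0x90, 0x90, 0x90, 0x90, 0x90, 0xFF, 0xD0, 0xC3};
static const uint8_t after_ret_gadget[]  = {0x90, 0x90, 0x90, 0x90, 0x90, 0x5B, 0xC3, 0x90}; /* pop rbx; ret */

/* Live run of the caller check: the guarded function inspects its own return
 * address. Meaningful on x86 only; elsewhere it reports true so it still builds. */
static bool __attribute__((noinline)) critical_function(void) {
#if defined(__x86_64__) || defined(__i386__)
    return return_addr_preceded_by_call((const uint8_t *)__builtin_return_address(0));
#else
    return true;
#endif
}

int live_caller_check(void) {
    int r = critical_function();   /* reached through a genuine CALL */
    return r + 1;                  /* 2 when the check passed */
}
```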
"Ivan's idea was the one that could be mitigated the fastest," said Mike Reavey, senior director of the Microsoft Security Response Center (MSRC), in an interview. "His was very practical."
Reavey cautioned that Fratric was not necessarily the winner of the BlueHat Prize, even though Microsoft chose his technology to deploy first.
Fratric seconded that. "The ease or difficulty of integrating the technology into existing tools does not imply that it is any more or less effective," Fratric said in an email reply to questions today. "According to the criteria that the BlueHat Prize judges used, only 30% of the score was generated based on how 'practical and functional' the entry was. The remaining 70% of the score was given on the basis of 'robustness' and 'impact.'"
But Fratric was still pleased to see Microsoft use his ROPGuard concept in EMET.
"I'm absolutely thrilled," he said. "Building ROPGuard was interesting and it being selected as one of the top three entries in the contest is great, but it's even greater to see an interest to integrate this technology into an actual product and to bring it to the users."
Fratric called EMET the "right first step" in baking anti-ROP technologies like ROPGuard into Windows.
Reavey repeated Microsoft's earlier comment that ROPGuard -- or the technologies crafted by the other finalists, both of whom also focused on ROP -- would not appear in Windows 8, the upgrade set to launch Oct. 26. "The timing is too tight for Windows 8," said Reavey. "But we'll continue to look at these ideas."