EMET 4.0 Released – What’s New?

EMET 4.0 has been released by Microsoft. There are a fair number of changes here.

New User Interface

A new interface allows you to set profiles and quick settings easily.

You’ll notice the new “Wizard” button, which will handle setup entirely for the user. This is great for getting not-so-techy users to install one of the best security programs out there.

Certificate Pinning Support

Certificate pinning is a method in which the operating system matches specific certificates to specific servers. This prevents Man-In-The-Middle attacks that involve using another valid certificate to spoof and intercept the connection. It’s essentially a way to enforce that the site you’re seeing is the site you want to see, and it builds on the CA system. It’s a nice feature, though it is already supported by Chrome and probably Firefox as far as I know.

Users can also add their own certificate verification rules, which is great for anyone who visits sites that use self-signed certificates.
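To make the pinning check concrete, here is an added example (not code from EMET or Microsoft) that models a pin rule layered on top of ordinary CA validation. The `Cert` class, the `login.example.test` host, the root names and the rule table are all constructed for illustration, and issuer/subject name matching stands in for real signature verification.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    der: bytes  # constructed stand-in for the certificate's DER encoding

    @property
    def thumbprint(self) -> str:
        return hashlib.sha256(self.der).hexdigest()

# Constructed sample data: two roots that the CA system trusts equally.
ROOT_A = Cert("Example Root A", "Example Root A", b"constructed-root-a")
ROOT_B = Cert("Example Root B", "Example Root B", b"constructed-root-b")
ROGUE = Cert("Unknown Root", "Unknown Root", b"constructed-rogue-root")
TRUST_STORE = {ROOT_A.thumbprint, ROOT_B.thumbprint}

# Hypothetical pin rule: this host may only chain to Root A.
PIN_RULES = {"login.example.test": {ROOT_A.thumbprint}}

def leaf(host, root):
    # Build a constructed leaf certificate for host, issued by root.
    return Cert(host, root.subject, f"constructed-leaf-{host}-{root.subject}".encode())

def chain_is_linked(chain):
    # Assumption: issuer/subject name linkage stands in for signature checks.
    pairs_ok = all(c.issuer == p.subject for c, p in zip(chain, chain[1:]))
    return bool(chain) and pairs_ok and chain[-1].issuer == chain[-1].subject

def evaluate(host, chain):
    if not chain_is_linked(chain) or chain[-1].thumbprint not in TRUST_STORE:
        return "untrusted"          # ordinary CA validation fails first
    pins = PIN_RULES.get(host.lower())
    if pins is None:
        return "trusted-no-pin"     # no rule: CA validation alone decides
    if chain[-1].thumbprint in pins:
        return "trusted-pinned"
    return "pin-mismatch"           # valid certificate, wrong issuer for this host

if __name__ == "__main__":
    host = "login.example.test"
    for root in (ROOT_A, ROOT_B, ROGUE):
        print(root.subject, "->", evaluate(host, [leaf(host, root), root]))
```

The `pin-mismatch` result is the case pinning exists for: the chain passes CA validation, but it does not end at the certificate pinned for that host.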

Improved Anti-ROP

The anti-ROP (return oriented programming) mitigation techniques built into EMET 3.5 are now improved for a broader scope. This will prevent new attacks that rely on Return Oriented Programming to bypass DEP. When these methods were first implemented I pointed out the flaws, and these same flaws were later demonstrated by various researchers. We’ll see how these improvements have changed things, if at all.

[…]instead of hooking and protecting only functions at the kernel32!VirtualAlloc layer of the call stack, EMET 4.0 will additionally hook lower level functions such as kernelbase!VirtualAlloc and ntdll!NtAllocateVirtualMemory.

Multiple other improvements have been added to address specific issues/bypasses.

Note that these new features will now also send back a report via the Windows Error Reporting services, with information about exploit attempts on your system.

Default Settings Changed

A really nice feature is that after installation EMET will configure specific apps that Microsoft has tested for compatibility to be enabled. That means that by default you’re protected against a large number of threats, just by installing EMET and doing nothing else. Hugely beneficial.

Download:

http://www.microsoft.com/en-us/download/details.aspx?id=39273

For more information on EMET see:

http://www.insanitybit.com/2013/03/03/emet-the-enhanced-mitigation-experience-toolkit/

For a guide to set EMET up see:

http://www.insanitybit.com/2012/07/26/setting-up-emet-3-5-tech-preview-9-2/

 

Note that while the setup guide is for EMET 3.5, the procedure is still almost entirely the same.

8 thoughts on “EMET 4.0 Released – What’s New?”

  1. I’m glad that MS is actively updating this invaluable tool. Standard account + SRP/Applocker or Parental Controls + AV doesn’t cut it anymore for complete protection. What an improvement for EMET 4. I got it up and running in a minute or two, just added a few apps (PS C6 & Autocad wasn’t in the list). Got to enforce AlwaysOn ASLR for every application, and fortunately my old ATI HD4200 GPU cooperated. Honestly, I wasn’t expecting the laptop to boot upon restart haha… Win 8 PRO running with EMET 4 & SRP for almost half a day with Word2013, Outlook, Winamp, PS, Chrome, Truecrypt, and several other apps and not a single error prompt. Haven’t checked the events log yet though. Well, I got to commend ATI for not botching up the driver for windows 8. Anyway, thanks for your EMET guide, used it to easily deploy on all 4 notebooks at home. Now only if IT personnel will listen to me to have it deployed in the office…

    • IT guys don’t always focus on security, or even care about it. Uptime is often the most important factor for them, and EMET can threaten that.

      But it’s a wonderful tool and I’m glad to see they continue to keep it up to date as well.

  3. Has MS changed the format of the import/export XMLs? With 4.0beta, I got a lot of errors and warnings. Thank you for all your work!

    • Not sure. You could try removing your current settings and importing again from their provided list.

      • Thanks. That’s exactly what worked. Still get the pop-up every time EMET 4 beta starts, saying EMET agent not running. (Even when I open the window from the agent in the tray!)
