by Susan Bradley for Windows Secrets Newsletter
Minimizing the threat from zero-day virus exploits
For every zero-day vulnerability we patch, there’s another waiting in the wings — and yet another, no doubt.
One of the better tools for protecting our systems from the new threats is Microsoft’s oddly named Enhanced Mitigation Experience Toolkit.
When hackers create new forms of malware, there’s a (hopefully brief) time during which PCs are open to attack while antivirus companies build and deliver a virus-definition update. Those as-yet unpatched threats are called zero-day exploits, and they’re a constant menace to safe computing. One form of protectionI’ve recommended is to use multiple browsers and keep them up to date. Exploits typically use one specific browser or add-on application such as Java or Adobe Flash. For advanced PC users, I also recommend downloading and using the Enhanced Mitigation Experience Toolkit (EMET).
Simply put, EMET can provide an extra layer of protection until there’s an official patch for a new exploit. It won’t guarantee protection from all vulnerabilities, but it makes it much harder for a cyber criminal to attack you. Microsoft Support article 2458544 explains EMET in detail. As with all AV tools, Microsoft is constantly enhancing EMET and recently released Version 3.5 (Download Center page), which adds four new types of virus-mitigation tools.
If you’re still on Windows XP, there’s a bit of bad news. To use EMET, you must have .NET Framework 2.0 loaded onto your system. (EMET 3.5′s installation process will prompt you to download and install .NET 2.0, if you’ve not already done so.) You can get .NET 2.0 Service Pack 1 at its MS Download Center page.
Windows XP users should also know that EMET is not as effective on that OS as it is on Vista and Windows 7. Natively, Windows XP can’t opt into additional AV protection. Installing EMET will back-port some of the new security technologies found in Windows 7.
For example, EMET will add Structured Exception Handling Overwrite Protection (SEHOP; more info) to Windows XP. First introduced in Windows Vista SP1, this technology is designed to protect systems from vulnerabilities that exploit Structured Exception Handler (SEH) overwrite vulnerabilities (as detailed in MS Support article 956607). An Ethical Hacker blog post showcases an SEH exploit of Yahoo Media Player.
Very simply put, in an SEH attack, a malicious hacker makes a targeted application — such as Yahoo Media Player — fail. Instead of gracefully failing with an error message and running recovery code, the app is tricked into running malicious code planted by the attacker — which in turn gives the attacker control of the machine. EMET can help break that chain of events and keep the cyber criminal from taking over your PC.
Data Execution Protection (DEP) is another mitigation tool that EMET 3.5 adds to Windows XP. Although DEP is built into XP, applications need a special flag in their code to use it. EMET removes the need for the flag.
EMET also blocks heap spraying allocations (Wikipedia definition), another technique used by attackers that makes other exploits more effective.
EMET adds Mandatory Address Space Layout Randomization (ASLR) to Windows XP systems. (It’s built in and enabled in Vista and Windows 7.) ASLR ensures that the memory addresses of stored system modules are randomly generated so that an attacker cannot predict what address space is in use. Randomized memory addresses make it harder for hackers to code effective exploits.
This excerpt appears with permission from Windows Secrets Newsletter.
