EMET - A new Windows security mitigation toolkit

Discussion in 'other software & services' started by Mrkvonic, Dec 17, 2010.

Thread Status:
Not open for further replies.
  1. guest

    guest Guest

  2. brainrb1

    brainrb1 Registered Member

    Joined:
    Mar 15, 2010
    Posts:
    491
    I have plugin-container.exe and the Silverlight launcher under EMET protection. Do I need to add Flash, ActiveX and Shockwave players?
     
    Last edited: Jun 14, 2011
  3. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,943
    Location:
    Outer space
    Flash is done by the browser process itself (or plugin-container.exe by default for Firefox), so if you add them you're protected against Flash exploits. ActiveX is part of IE, so I think adding iexplore.exe would take care of that. I'm not sure about Shockwave as I don't have it on my PC.
    I think those two Flash exe's in your screenshot are the uninstallers ;)
     
  4. brainrb1

    brainrb1 Registered Member

    Joined:
    Mar 15, 2010
    Posts:
    491
    Thanks. I have only added plugin-container.exe and just added Shockwave.
     
  5. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    177,071
    Location:
    Texas
  6. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Interesting (and lengthy) article. Reading it now, but so far it just reinforces my thoughts that EMET is awesome.
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Anyone up for discussing the potential dangers of EMET? =p
     
  8. kupo

    kupo Registered Member

    Joined:
    Jan 25, 2011
    Posts:
    1,121
    What dangers? Application crashing? You can always change your settings in EMET
     
  9. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
  10. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Care to elaborate?
     
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    The fact that this program is using .dll injection increases attack surface, and could potentially be used against the system.

    Something like EMET should be handled by the OS.

    edit: To clarify, I use EMET and like it quite a lot. I find that it's more of a security boon than a threat, but it's interesting from a theoretical standpoint.
     
  12. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    No it doesn't. It would increase the attack surface if it was modifying existing or adding new functionality to the original program, code that could potentially be exploited. This isn't the case for EMET.
     
  13. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    I suppose in theory if I was a MS paranoid, I could try to argue that EMET could be a parasite hiding in plain sight! You can always block all of emet's exe's from accessing the www.

    For the record, I don't currently do any of those things.

    If you don't trust MS, why use their operating systems?;)
     
  14. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    EMET is a userland app - you're actually increasing the attack surface of the system. Instead of just being able to exploit a program and the things it interacts with, you can now exploit those things AND EMET AND anything EMET interacts with.
     
  15. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    That's completely dependent on the functionality of the program.

    Considering EMET is preventing the exploit from functioning, no. Also EMET would need to provide some kind of functionality to the program, to be exploitable in the first place.

    If this is a fancy way of saying the exact same thing as the above quote, then the above answer applies.

    However I'm not going to argue it with you due to your history of arguing over things you're wrong about.
     
  16. cm1971

    cm1971 Registered Member

    Joined:
    Oct 22, 2010
    Posts:
    727
    I posted a video in another thread where it was shown to be very effective against a lot of exploits.
     
  17. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Your response literally doesn't make sense.

    If you're not interested in discussion, that's fine.

    edit: I'll actually give it a try. Let me break this down

    EMET works at the application level. EMET loads a .dll into programs to change how they behave. EMET is not a catch-all; it will not prevent all exploits, and many of the functions of EMET are easily programmatically avoidable -- ASLR is one of the functions that's easily bypassed.

    If you are attacked and you have EMET it is possible that someone could exploit EMET and use it against your machine.

    The idea that EMET provides no functionality is what makes no sense. I have no idea what you're even trying to say with that.
     
    Last edited: Jun 19, 2011
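    The two technical points above (post 3: Flash and ActiveX run inside the browser or plugin-container.exe process, so those executables are what you add to EMET; post 17: EMET works by loading a .dll into the programs it protects) suggest one practical check: which of the processes you care about actually have that DLL loaded right now. The PowerShell script below is an added example, not code from the thread or from Microsoft; it assumes the injected module's file name starts with "EMET" (EMET.dll or EMET64.dll) and that the process names of interest are the ones named in the thread.

```powershell
# Added example (not from the thread): report which running processes have the
# EMET mitigation DLL loaded, so you can confirm coverage after adding an
# executable to EMET.
# Assumptions: EMET's injected module matches $DllPattern (EMET.dll / EMET64.dll);
# the default process list is the one discussed in the thread.
# Run from an elevated PowerShell whose bitness matches the target processes:
# a 32-bit shell cannot enumerate the modules of 64-bit processes.
param(
    [string[]]$Targets = @('plugin-container', 'firefox', 'iexplore'),
    [string]$DllPattern = '^EMET(64)?\.dll$'   # assumption about the DLL name
)

function Get-EmetCoverage {
    param([string[]]$Names, [string]$Pattern)

    foreach ($name in $Names) {
        $procs = @(Get-Process -Name $name -ErrorAction SilentlyContinue)
        if ($procs.Count -eq 0) {
            [pscustomobject]@{ Process = $name; ProcessId = $null; EmetLoaded = 'not running' }
            continue
        }
        foreach ($p in $procs) {
            try {
                # Reading .Modules throws a Win32Exception on access denied or
                # on a bitness mismatch; report that instead of a false "NO".
                $hits  = @($p.Modules | Where-Object { $_.ModuleName -match $Pattern })
                $state = if ($hits.Count -gt 0) { 'yes' } else { 'NO' }
            } catch {
                $state = "unknown ($($_.Exception.Message))"
            }
            [pscustomobject]@{ Process = $name; ProcessId = $p.Id; EmetLoaded = $state }
        }
    }
}

Get-EmetCoverage -Names $Targets -Pattern $DllPattern | Format-Table -AutoSize
```

    A row showing "NO" for a process you have added to EMET usually means the process was already running when the entry was created: the DLL is only loaded into newly started instances, so restart the browser or plugin host and run the check again. Rows marked "unknown" need an elevated shell of the right bitness rather than a configuration change.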
  18. cm1971

    cm1971 Registered Member

    Joined:
    Oct 22, 2010
    Posts:
    727
    If that was directed at me then I'm sorry you feel that way. Some were saying it doesn't do anything or that it increases the attack surface and I was just pointing out there is a somewhat official video showing it blocking exploits. I posted it in a different thread about EMET. It looks effective to me so long as it is not the only security software you use.
     
  19. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    It wasn't directed at you.

    Here's a quote from a security administrator I know:

    "Because I'm a security professional and that's how these schemes always end. If you leave a vector open to modify the underlying functionality of a system (injecting a .dll for example), someone will use it to bypass whatever modifications you've made. If a door is there someone will use it."
     
  20. cm1971

    cm1971 Registered Member

    Joined:
    Oct 22, 2010
    Posts:
    727
    Thanks for the clarification. :cool:
     
  21. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    I think I understand what it is you're trying to say here.

    By installing anything onto a Windows OS that interacts with other components then, in theory, you increase the overall "attack surface". However, the quantifiable mitigations offered by EMET against many real-world exploits need to be weighed up against any theoretical compromise of EMET itself.
     
  22. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    I've got it! Put EMET in the list so it protects itself! :D
     
  23. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Anytime.

    To respond to your post... I find that EMET is far more of a security boon than a security issue. The fact is that it is an application running in user space that's loading .dll's into programs... this is just another attack vector for a userland rootkit to exploit.

    EMET should not exist in user space, it should be handled by the kernel.

    Still, you can see that I use it. It's not common enough for anyone to worry about yet... but if it were ever packaged with the OS or if everyone started using it you WOULD see it exploited and used against the end-user, that's just how these things work.

    edit: @Escalader

    =p yes well if only it were so simple haha
     
  24. cm1971

    cm1971 Registered Member

    Joined:
    Oct 22, 2010
    Posts:
    727
    Wouldn't that be where some of your other security measures kicked in though? Most people would not just have EMET and nothing else.
     
  25. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Depends on the security measures. Of course there are multiple ways to protect your computer.

    edit:

    @Elapsed -- I'd love to hear what else you think I'm wrong about.
     
    Last edited: Jun 19, 2011