Microsoft Releases Application Security Tool Kit for Developers
Microsoft released an updated version of a tool kit Sept. 2 to help developers make their applications more secure.
With the Enhanced Mitigation Experience Toolkit 2, Microsoft said, developers can bring technologies such as dynamic data execution prevention to bear to improve security, particularly for older programs that cannot be recompiled to opt in to the security technologies.
The updated tool kit features a total of six mitigations, including two new ones: Export Address Table Access Filtering and Mandatory Address Space Layout Randomization.
Export Address Table Access Filtering "is designed to break nearly all shellcode in use today" as it "blocks a common technique shellcode uses" to locate Windows APIs, Microsoft said. The Mandatory Address Space Layout Randomization mitigation works by "[forcing] modules to be loaded at randomized addresses for a target process regardless of the flags it was compiled with."
"By deploying these mitigation technologies on legacy products, the tool can also help customers manage risk while they are in the process of transitioning over to modern, more secure products," said a Microsoft Security Research & Defense post Sept. 2. "In addition, it makes it easy for customers to test mitigations against any software and provide feedback on their experience to the vendor."
Secunia security researchers revealed in a July 1 report that many application developers were not taking advantage of protections Microsoft put in place to prevent attacks. According to the Secunia report, many developers have improperly implemented Address Space Layout Randomization in their programs. The report also found developers have done a poor job of implementing Microsoft's DEP (Data Execution Prevention) protections as well.
"I applaud Microsoft for their continued release of tools such as this," Forrester Research analyst Mike Gualtieri said. "Unfortunately, I think is mostly falls on deaf ears since most developers I speak with pay only lip service to the idea of more secure applications."
Microsoft has published a video demonstration of using the tool that can be viewed here.