Microsoft Takes Aim at Java Security With EMET 5

Microsoft is improving its Enhanced Mitigation Experience Toolkit with the introduction of new attack surface reduction techniques.

SAN FRANCISCO—Microsoft today announced a technical preview of version 5 of its Enhanced Mitigation Experience Toolkit (EMET), providing new security protection for Java as well as Microsoft Office.

In an interview at the RSA Conference here, Jonathan Ness, principal security development lead at Microsoft's Security Response Center (MSRC), explained to eWEEK that the goal of the new release is to reduce the attack surface for Microsoft software users. EMET is designed to provide an additional layer of security to applications to reduce the risk of exploitation.

The new mitigations include protection for Oracle Java, one of the most frequently attacked applications on the client side. A recent study from Cisco indicated that Java was involved in 91 percent of all exploits it observed in 2013.

Inside EMET 5.0, the new Java control works with Microsoft's Internet Explorer (IE) browser and its security zones. IE already classifies sites into zones such as Local intranet and Internet, and EMET now uses that classification to decide where the Java plug-in is allowed to load. Java on a site in the intranet zone, for example, can be permitted to run, while Java on sites in the Internet zone is blocked.

"A lot of times people just don't need Java out on the Internet but they need it for their line-of-business applications and intranet sites," Ness said.

In addition to Java, Microsoft has also seen exploits hit enterprises by way of malicious Adobe Flash content, often embedded in Microsoft Office documents, Ness said. To reduce the risk of that attack, EMET can now also block Office applications from loading the Flash player for content embedded in a document.

EMET now also introduces an enhanced version of its Export Address Table Filtering (EAF) technology. Ness explained that EAF watches the export address tables of key system libraries, the tables that exploit code reads to locate the addresses of the Windows API functions it wants to call, and blocks reads that do not come from legitimate code. The new version of EAF takes advantage of lessons that Microsoft has learned from past exploitation of its software offerings.

EAF is a different type of mitigation from Data Execution Prevention (DEP), the Windows protection that stops code from running out of memory intended for data. Ness explained that EAF operates at a more granular level of system operations.

"EAF looks ahead and attempts to predict what system calls a given piece of code will make and then evaluates if that is appropriate for a legitimate application," Ness said. "In contrast, DEP just makes a whole region of system memory unexecutable."
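
To make concrete what the export address table is and why reading it is the step EAF guards, here is an added example that is not code from the article, from Microsoft or from EMET. It performs the lookup that position-independent shellcode does to find an API address without an import table: parse the PE headers of a loaded module, walk its export name table, hash each name and return the matching function address. The read of the export directory and its three arrays is the access EAF is designed to intercept when it comes from memory that is not part of a loaded module. So that it runs offline, the block constructs a tiny fake PE32+ image in a buffer; the header and export-directory offsets are those of the real PE format, but the module name (fake32.dll), the export names and the code RVAs are invented, and the image is one flat buffer so RVA equals buffer offset.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed fake PE32+ image (not a real module). Offsets follow the PE format;
 * names and RVAs are made up. RVA == buffer offset, as for a contiguously mapped image. */
#define IMG_SIZE 0x400
static uint8_t g_img[IMG_SIZE];

enum { NT_OFF = 0x80, EXP_OFF = 0x200, FUNCS_OFF = 0x240,
       NAMES_OFF = 0x260, ORDS_OFF = 0x280, STR_OFF = 0x300 };

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)v); put16(p + 2, (uint16_t)(v >> 16)); }
static uint16_t get16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t get32(const uint8_t *p) { return get16(p) | ((uint32_t)get16(p + 2) << 16); }

uint8_t *build_fake_image(void)
{
    /* Names are stored in one order and function RVAs in another, so a correct
     * lookup must go through the ordinal table, as real shellcode has to. */
    static const char *const names[3] = { "GetProcAddress", "LoadLibraryA", "VirtualProtect" };
    static const uint32_t    funcs[3] = { 0x1200, 0x1000, 0x1100 }; /* VirtualProtect, GetProcAddress, LoadLibraryA */
    static const uint16_t    ords[3]  = { 1, 2, 0 };                /* name i -> funcs[ords[i]] */

    memset(g_img, 0, sizeof g_img);
    g_img[0] = 'M'; g_img[1] = 'Z';
    put32(g_img + 0x3c, NT_OFF);                 /* IMAGE_DOS_HEADER.e_lfanew */
    memcpy(g_img + NT_OFF, "PE\0\0", 4);         /* IMAGE_NT_HEADERS.Signature */
    put16(g_img + NT_OFF + 4, 0x8664);           /* FileHeader.Machine = x64 */
    put16(g_img + NT_OFF + 4 + 16, 240);         /* FileHeader.SizeOfOptionalHeader */
    uint8_t *opt = g_img + NT_OFF + 4 + 20;      /* IMAGE_OPTIONAL_HEADER64 */
    put16(opt, 0x20b);                           /* Magic = PE32+ */
    put32(opt + 112, EXP_OFF);                   /* DataDirectory[0] (export).VirtualAddress */
    put32(opt + 116, 0x100);                     /* DataDirectory[0].Size */

    uint8_t *exp = g_img + EXP_OFF;              /* IMAGE_EXPORT_DIRECTORY */
    uint32_t str = STR_OFF;
    put32(exp + 12, str);                        /* Name (made-up module name) */
    memcpy(g_img + str, "fake32.dll", 11); str += 11;
    put32(exp + 16, 1);                          /* Base */
    put32(exp + 20, 3);                          /* NumberOfFunctions */
    put32(exp + 24, 3);                          /* NumberOfNames */
    put32(exp + 28, FUNCS_OFF);                  /* AddressOfFunctions */
    put32(exp + 32, NAMES_OFF);                  /* AddressOfNames */
    put32(exp + 36, ORDS_OFF);                   /* AddressOfNameOrdinals */
    for (int i = 0; i < 3; i++) {
        put32(g_img + FUNCS_OFF + 4 * i, funcs[i]);
        put16(g_img + ORDS_OFF + 2 * i, ords[i]);
        put32(g_img + NAMES_OFF + 4 * i, str);
        size_t n = strlen(names[i]) + 1;
        memcpy(g_img + str, names[i], n);
        str += (uint32_t)n;
    }
    return g_img;
}

/* ROR-13 string hash used by many Windows shellcode stubs: the stub carries 32-bit
 * hashes instead of API names, so no readable API name appears in its body. */
uint32_t ror13_hash(const char *s)
{
    uint32_t h = 0;
    for (; *s; s++)
        h = ((h >> 13) | (h << 19)) + (uint8_t)*s;
    return h;
}

/* Walk the export address table for the export whose name hashes to `want`.
 * Reading the export directory and its arrays from code outside any loaded
 * module is the access EAF is built to intercept. Returns 0 if not a PE or not found. */
uintptr_t resolve_export_by_hash(const uint8_t *base, uint32_t want)
{
    if (base[0] != 'M' || base[1] != 'Z') return 0;
    const uint8_t *nt = base + get32(base + 0x3c);
    if (memcmp(nt, "PE\0\0", 4) != 0) return 0;
    const uint8_t *opt = nt + 4 + 20;
    uint32_t dd0 = (get16(opt) == 0x20b) ? 112 : 96;  /* DataDirectory offset: PE32+ vs PE32 */
    uint32_t exp_rva = get32(opt + dd0);
    if (exp_rva == 0) return 0;                        /* module exports nothing */
    const uint8_t *exp   = base + exp_rva;
    uint32_t       n     = get32(exp + 24);            /* NumberOfNames; ordinal-only exports are not reachable this way */
    const uint8_t *funcs = base + get32(exp + 28);
    const uint8_t *names = base + get32(exp + 32);
    const uint8_t *ords  = base + get32(exp + 36);
    for (uint32_t i = 0; i < n; i++) {
        const char *name = (const char *)base + get32(names + 4 * i);
        if (ror13_hash(name) == want) {
            uint16_t ord = get16(ords + 2 * i);        /* name index -> function index */
            return (uintptr_t)base + get32(funcs + 4 * ord);
        }
    }
    return 0;
}

uintptr_t resolve_export_by_name(const uint8_t *base, const char *name)
{
    return resolve_export_by_hash(base, ror13_hash(name));
}

int main(void)
{
    const uint8_t *base = build_fake_image();
    const char *wanted[] = { "GetProcAddress", "LoadLibraryA", "VirtualProtect", "CreateFileA" };
    for (size_t i = 0; i < sizeof wanted / sizeof wanted[0]; i++) {
        uintptr_t addr = resolve_export_by_name(base, wanted[i]);
        if (addr)
            printf("%-16s hash=0x%08x rva=0x%04lx\n", wanted[i], ror13_hash(wanted[i]),
                   (unsigned long)(addr - (uintptr_t)base));
        else
            printf("%-16s not exported\n", wanted[i]);
    }
    return 0;
}
```

Two details matter for anyone writing or detecting this kind of code: the name table and the function table are in different orders, so the ordinal table must be consulted (skipping it returns the wrong function), and exports without names cannot be found by this walk at all. The legitimate loader reads the same tables, but from inside ntdll; a mitigation like EAF has to distinguish that read from one issued by code on the stack or heap, which is why it can be bypassed by exploits that obtain the API address some other way.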

Earlier this week, security research firm Bromium published research showing how the protections in the current EMET 4.1 release can be bypassed. Ness said he appreciated Bromium's efforts, as they will serve to make EMET 5 and future releases better.

EMET is an optional download for Microsoft Windows users and, as such, is not present on Windows installations by default. Even so, innovations that first debut in EMET do eventually land in Windows itself, Ness said.

"What we really want to do is to take those mitigations that we're trying out in EMET and put them into Windows," Ness said. "Windows 8.1 has mitigations in it that first appeared in earlier versions of EMET."

Sean Michael Kerner is a senior editor at eWEEK. Follow him on Twitter @TechJournalist.
Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.