Microsoft today released the Enhanced Mitigation Experience Toolkit (EMET), a new tool to help IT administrators send anti-exploit mitigations like ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention) to older versions of Windows.
Older Windows Systems, open to vulnerabilities
Address space layout randomization (ASLR) is a security technique which works by randomly re-arranging the positions of key data area. This usually includes the base of the executable plus the position of , heap, libraries and the stack, which is found in a process‘s address space.
Address space randomization is a process that blocks some types of security attacks by making it more difficult for an attacker to predict target addresses.
Data Execution Prevention (DEP), on the other hand, is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running on a system.
he EMET tool, works by applying security mitigation technologies to random applications in order to block exploitations that occur through common attack protocols.
It will also add anti-exploit mitigations to existing third-party software that do not currently use mitigation offerings. This feature comes in addition to implementing ASLR and DEP on older versions of the Windows operating system.
There are several features that it has.
* “Structured Error Handling Overwrite Protection (SEHOP) prevents Structured Exception Handling (SEH) overwrite exploitation by performing SEH chain validation.
* Mandatory address space layout randomization (ASLR), as well as non-ASLR-aware modules on Windows Vista, Windows Server 2008 and Windows 7.
* Dynamic Data Execution Prevention marks portions of a process’s memory non-executable, making it difficult to exploit memory corruption vulnerabilities.
* NULL page allocation allocates the first page of memory before program initialization and blocks attackers from taking advantage of NULL references in user mode.
* Heap Spray Allocation pre-allocates memory addresses to block common attacks that fill a process’s heap with specially crafted content.
* Export address table (EAT) uses hardware breakpoints to filter access to the EAT of kernel32.dll and ntdll.dll, blocks access if the instruction pointer is not inside a module, and breaks current common metasploit shellcodes.”
Source http://www.windows7news.com/
