Windows 10 still needs EMET exploit protection, US CERT tells Microsoft

Should Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) security software stay or go?

It’s a question everyone thought settled when Microsoft recently confirmed plans to end support for the enterprise anti-exploit tool in July 2018, 18 months later than originally planned.

Now this timeline has hit opposition in the form of Will Dormann, an engineer at Carnegie Mellon University’s CERT/CC, who has published a blog post arguing the case for continuing to use EMET with Windows 10, which is not supposed to need it.

Launched in 2009, EMET is a free tool designed to boost the resistance of all versions of Windows from XP SP3 onwards against complex threats such as zero-day vulnerabilities.

Microsoft gradually improved the tool before integrating many of its features into Windows 10, apparently negating the need to use it with the new OS.

EMET features now built into Windows 10 include Data Execution Prevention (DEP), Address Space Layout Randomisation (ASLR), and Control Flow Guard (CFG).

It sounds like an open-and-shut case, but in an unusually blunt assessment, Dormann finds an important flaw in Microsoft’s argument:

“Windows 10 does indeed provide some nice exploit mitigations. The problem is that the software that you are running needs to be specifically compiled to take advantage of them.”

Put simply, adding protection to Windows 10 doesn’t necessarily mean that the applications running on it will be secure against the same set of exploits.

The affected applications will mostly be older third-party and custom enterprise software, but even Microsoft’s own Office 2010, which is still widely used, lacks full compatibility with established protections such as ASLR, said Dormann.

And some applications that can be protected by Windows 10 and Windows Server 2016 still require admins to fiddle with the registry on a process-by-process basis.
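Whether a given binary was "specifically compiled" to opt in to DEP, ASLR and CFG is recorded in its PE header, so it can be audited per file. The following is an added example, not code from the article, Microsoft or CERT/CC; the function names are hypothetical and the sample images are constructed header-only byte strings.

```python
import struct

# Opt-in bits in the PE optional header's DllCharacteristics field.
MITIGATION_FLAGS = {
    "ASLR": 0x0040,  # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (/DYNAMICBASE)
    "DEP": 0x0100,   # IMAGE_DLLCHARACTERISTICS_NX_COMPAT (/NXCOMPAT)
    "CFG": 0x4000,   # IMAGE_DLLCHARACTERISTICS_GUARD_CF (/guard:cf)
}
RELOCS_STRIPPED = 0x0001  # COFF Characteristics bit: image cannot be rebased


def mitigation_report(image: bytes) -> dict:
    """Return {mitigation: bool} showing which protections a PE image opts in to."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)  # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = pe_off + 4   # 20-byte COFF file header
    opt = coff + 20     # optional header follows it
    if len(image) < opt + 72:
        raise ValueError("truncated optional header")
    (coff_chars,) = struct.unpack_from("<H", image, coff + 18)
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+.
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
    report = {name: bool(dll_chars & bit) for name, bit in MITIGATION_FLAGS.items()}
    # An image with relocations stripped cannot be moved, so DYNAMICBASE has no effect.
    if coff_chars & RELOCS_STRIPPED:
        report["ASLR"] = False
    return report


def make_sample(dll_chars: int, coff_chars: int = 0x0002) -> bytes:
    """Constructed header-only PE32+ image, for demonstration only."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, coff_chars)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    print("legacy build:", mitigation_report(make_sample(0x0100)))
    print("modern build:", mitigation_report(make_sample(0x4140)))
```

These bits only show what the binary itself opts in to; they do not reflect protections imposed from outside the binary, such as EMET or per-process registry settings.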

For the mostly business EMET user base, the sudden difference of opinion will sound pretty confusing.

The views of Carnegie Mellon CERT/CC matter because it (along with sister organisation US-CERT) is tasked by the US Department of Homeland Security with making security recommendations of national significance.

The fact that one of its senior engineers believes that Windows 10 is best used in conjunction with EMET will raise questions about Microsoft’s July 2018 retirement date.

The counter-argument is that Microsoft’s Windows as a Service development model, enabled by Windows 10, should allow new EMET protections to be added by then.

Ironically, the biggest argument on Redmond’s side is simply that EMET often doesn’t work as well as advertised, something the company was at pains to point out when announcing its revised timetable.

As operating system security specialist Jeffrey Sutherland made clear: “For improved security, our recommendation is for customers to migrate to Windows 10.”

That advice is unlikely to change. Customers running EMET on Windows 7 and 8.1, consider yourself warned.