
Windows 10 Cannot Protect Insecure Applications Like EMET Can - doener
https://insights.sei.cmu.edu/cert/2016/11/windows-10-cannot-protect-insecure-applications-like-emet-can.html
======
ryuuchin
You can control almost all EMET mitigations except for the ROP and EAF
protections through IFEO (Image File Executable Options). There's also the
cert pinning but I believe that was only useful for IE. There are also other
Windows 10 specific mitigations that don't exist in EMET which can also be
controlled this way. The main selling point of EMET was that it did not
require recompilation. Luckily you can still control most of these mitigations
through IFEO (see below) which does not require recompilation.

EAF uses debug registers which limits its usefulness and the ROP mitigations
are becoming less useful because of CFG (control flow guard). Although the
latter does require applications to be recompiled with the latest Visual
Studio (and Opt-In to using CFG which is not enabled by default). It's not
really surprising seeing Microsoft retire EMET considering you can get nearly
the same kind of coverage on a vanilla Windows 10 install.

I made a rough guide as to the layout of the MitigationOptions QWORD which
controls these mitigations:

https://theryuu.github.io/ifeo-mitigationoptions.txt

There are Microsoft-provided functions which can also enable these
mitigations[1][2] when compiled into the code. Also, let's not forget that for
now EMET still works fine with Windows 10.

[1] https://msdn.microsoft.com/en-us/library/windows/desktop/ms686880%28v=vs.85%29.aspx

[2] https://msdn.microsoft.com/en-us/library/windows/desktop/hh769088%28v=vs.85%29.aspx

------
sergers
down for me.

cache:
https://webcache.googleusercontent.com/search?q=cache:e1CDpJgvQ20J:https://insights.sei.cmu.edu/cert/2016/11/windows-10-cannot-protect-insecure-applications-like-emet-can.html+&cd=1&hl=en&ct=clnk&gl=us

not sure when it was originally posted, as it's noted there is an update today,
Nov 21st 2016, and that is the same date as the article.

basically, Windows 10 doesn't use EMET, and MS claims it's because Windows 10
has other mitigation techniques making it more secure. however, as per the
article, there are many mitigation steps not included, and many require
applications to be compiled specifically for EMET replacement mechanisms.

the update to the article today is that Windows 10 supports more than previously in
the latest release, however it still doesn't support everything EMET provides.

~~~
CPAhem
Microsoft is discontinuing EMET next year.

This is a pity, as it allows Windows 7 and 8 users to protect apps against all
sorts of exploits.

Perhaps MS wants to up the pressure to upgrade to Windows 10?

~~~
tammer
EMET is a complex service that requires a small dedicated team to functionally
operate at organizations of any size. It's simply too hard of a sell to all but
the most security-focused enterprises, and the resources that go into it would
be better utilized on regular systems security.

~~~
blackflame7000
I can tell you that the US Military uses EMET so resources are certainly not a
problem.

~~~
Godel_unicode
I've heard that the roll out was incredibly painful, as evidenced by the
repeated change of the STIG controls from required to optional and back.

------
drzaiusapelord
The latest major Windows 10 update added more EMET features. I imagine by the
time EMET is retired, it'll have everything. Retiring EMET seems to be another
underhanded trick by MS to get everyone off Win7 and onto 10. Enterprises that
depend on it for security will be forced to move sooner than planned, or at
least, not be allowed to skip 10, as by the time Windows 11 comes out, 7 will
have been out of support for quite some time.

~~~
derefr
> not be allowed to skip 10 as by the time Windows 11 comes out...

I thought Microsoft had claimed that there will be no more versions of
Windows, only updates to 10.

~~~
mtgx
Since there will be "no more versions of Windows" and "only updates to Windows
10", I'm curious how Microsoft will handle getting customers to "pay for
Windows upgrades".

I assume either that assumption is false, and this is just another bait and
switch from Microsoft, and they _will_ make customers pay for "big updates"
for Windows 10 in the future - or they will try to at least transition
businesses to a subscription for Windows.

They're already seeding the idea that Windows 10 updates will not be free
forever to unsuspecting tech writers by getting them to push headlines such as
"Next Major Update Of Windows 10 Will Arrive In Month X, _For Free_ "

First off, everyone already assumes that Windows 10 updates would be free,
since Windows "updates" have always been free - so why even bother to put such
a "useless" fact in a word-constrained headline? The only explanation is that
they're trying to prepare the public for when Windows 10 updates will not be
free, and make them think "Oh, so the version after _that_ may not be free
anymore?!" and set that expectation.

~~~
mavhc
Either you pay a yearly subscription for Windows Enterprise, or you get ads

~~~
mtgx
Why not both? At least they're pushing them to the Pro version [1], as
Microsoft seems to be trying to turn it into a more expensive "Home Premium",
leaving professionals with only the most expensive Enterprise version as an
option [2].

[1] http://www.infoworld.com/article/3101947/microsoft-windows/more-forced-advertising-creeps-into-windows-10-pro.html

[2] http://www.ghacks.net/2016/07/28/microsoft-removes-policies-windows-10-pro/

------
ninjakeyboard
I had to read the headline 7 times to understand the message.

~~~
jeffmcjunkin
"Windows 10's protections are an inconvenient subset of EMET's"

------
rincebrain
My initial interpretation, when I had heard about the EMET EOL, was that
Microsoft was doing it as a way to spin removing dev effort from EMET into
leveraging people onto Windows 10.

Now I'm not sure - Windows 10 doesn't have the full featureset, and I don't
_think_ Microsoft is likely to actually introduce the entire featureset into
Windows 10 with much lead time before the EOL.

If they do, though, it would certainly be a nice carrot AND stick to get
people up to at least a certain update version for that functionality.

~~~
ryuuchin
I think the featureset that Windows 10 provides is good enough as an
alternative (see my top level comment[1]). EAF was never that useful because
it uses debug registers and the ROP protections have been "replaced" by CFG
(control flow guard). Everything else is provided by a vanilla Windows 10
install.

The usefulness of the EMET protections was that they could be used without
having to recompile an application, whereas protections like CFG do require
recompilation with the latest Visual Studio (and for you to opt in to CFG).

[1] https://news.ycombinator.com/item?id=13011211

~~~
rincebrain
Yeah, but as your comment says, for me, a lot of the value was in adding
mitigations for applications that were not pre-compiled with said options.

Yes, some of them can be manually twiddled without recompilation, but it's not
nearly as convenient to manage or deploy (though one imagines a GPO template
to do all of the heavy lifting that's doable via IFEO would be a feasible
thing), and for anyone not using GPOs, then you're reimplementing a poor
subset of the EMET GUI over the IFEO parameters.

~~~
ryuuchin
> poor subset of the EMET GUI over the IFEO parameters.

Is it really though? I guess it depends how much value you place on the EAF
and ROP protections. Personally I wouldn't place too much weight on them.

------
reiichiroh
Palo Alto Traps also covers anti-exploit but I expect that this functionality
is something vendors will be building into their upcoming security suites.

------
reiichiroh
If you're looking for a commercial consumer product that blocks a superset of
the exploits blocked by EMET, try HitmanPro Alert.

