News

Microsoft Offers Mitigation Security Tool for ISVs

• By Jabulani Leffall
• October 29, 2009

Microsoft wants you to know that even as you read this article, "people around the world are hunting for vulnerabilities in software applications."

To help thwart such efforts, Microsoft this week announced a new mitigation security utility for application developers and IT professionals. The Enhanced Mitigation Evaluation Toolkit (EMET), currently at Version 1.0.2, is conceived as an "extensible framework" that will include future mitigation technologies as they are released, according to a Microsoft blog.

This EMET release contains just four mitigations: dynamic data execution prevention, heap spray allocation, NULL page allocation and structured exception handing. EMET users can opt into these mitigations for their applications by using the command line in the utility. Users don't have to have to recompile their applications after using the tool, according to the blog.

EMET is the latest component in Microsoft's overall Security Development Lifecycle strategy. It allows developers to write security into applications at a more granular or "command-line" level. Thus, instead of securing an entire application, programmers can code security parameters into a single process.

Security mavens like the idea of going deep into the anatomy of an application rather than just relying on anti-virus software or operating system security functions. For instance, Phil Lieberman, president of Lieberman Software, called EMET "a good value-add for Microsoft ISVs [independent software vendors]."

EMET allows Windows enterprise pros to "harden their applications for free," which is "always a good price," Lieberman said.

"This adds an extra post-production step that allows ISVs to make it much harder for hackers to exploit their applications," he added. "The extra post-production step hardens the rules for memory usage (finer grained protection) and also strengthens the exception mechanisms."

As hackers begin to focus more on specific applications, developers have begun to pay more attention to embedded security. EMET is worth a try in the face of server attacks, automated bugs, browser attacks and stack-buffer overflow exploits, according to Andrew Storms.

"Every third-party partner, application developer or part time coder should at least consider checking out the new EMET from Microsoft," said Storms, director of security at nCircle. "The toolkit makes it even easier to utilize the newest security enhancement mitigations built into the newer Microsoft operating systems."

EMET Version 1.0.2 can be accessed at the Microsoft Download Center here.