
EMET 5.5 enters beta

Microsoft has released EMET 5.5 beta [1, 2, 3, 4, 5]. The new version adds support for Windows 10 and one new security feature: an anti-exploitation mechanism called "Block Untrusted Fonts", which prevents fonts from outside the system font directory (%windir%\Fonts) from being loaded into memory. Specially crafted TTF files are used by exploits to trigger vulnerabilities in the win32k.sys driver; attackers use such bugs to escape the sandbox of modern web browsers and then obtain SYSTEM privileges, the highest available on the system.



EMET is not a HIPS-type tool: it does not let the user block operations such as injecting foreign code into processes, nor directly prohibit particular system operations. Instead, its security features are aimed at blocking the actions of Remote Code Execution (RCE) exploits, which are the first link in the chain of actions by which criminals automatically deliver and execute malicious code on a user's system (drive-by download).

Fig. The EMET 5.5 beta interface.

In fact, "Block Untrusted Fonts" is a built-in security feature that appeared in Windows 10 and belongs to the set of so-called exploit mitigation features. A process can enable it for itself by calling the SetProcessMitigationPolicy API (kernel32.dll) with the ProcessFontDisablePolicy argument. The feature can also be enabled system-wide, i.e. for all processes (it is disabled by default), via the MitigationOptions value under the registry key HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel; for details see Block untrusted fonts in an enterprise. Because applications that ship and load their own fonts stop rendering them once the block is enforced, the system-wide setting also has an audit mode that only logs font loads that would have been blocked; run in that mode first and review the log before enforcing.
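The following PowerShell is an added example, not code from the original article, from EMET or from Microsoft. It manages the system-wide MitigationOptions value named above (block, off, audit), reads back the audit events, and applies the same mitigation to a single process through SetProcessMitigationPolicy. It assumes Windows 10 and an elevated session; the bit values for MitigationOptions and the enum/flag constants for the API are taken from Microsoft's documentation and winnt.h, and the event log name and ID used for audit mode are as documented in the linked Microsoft article.

```powershell
# Added example (not from the article, EMET or Microsoft): manage the
# system-wide "Block Untrusted Fonts" mitigation via the registry value named
# in the text, and apply it per process via SetProcessMitigationPolicy.
# Assumes Windows 10 and an elevated PowerShell session.

$KernelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel'
$ValueName = 'MitigationOptions'

# MitigationOptions is a 64-bit bitmask (REG_QWORD); the font policy lives in
# bits 48-49. Values as documented in "Block untrusted fonts in an enterprise".
$FontBitsMask = [int64]0x3000000000000
$FontPolicy = @{
    Block = [int64]0x1000000000000   # enforce: non-system fonts are not loaded
    Off   = [int64]0x2000000000000   # explicitly disabled
    Audit = [int64]0x3000000000000   # log what would be blocked, do not enforce
}

function Get-UntrustedFontPolicy {
    $item = Get-ItemProperty -Path $KernelKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    $bits = [int64]$item.$ValueName -band $FontBitsMask
    foreach ($name in $FontPolicy.Keys) {
        if ($FontPolicy[$name] -eq $bits) { return $name }
    }
    return 'NotConfigured'
}

function Set-UntrustedFontPolicy {
    param([ValidateSet('Block','Off','Audit')][string]$Mode)
    # Preserve any other mitigation bits already present in the value.
    $current = [int64]0
    $item = Get-ItemProperty -Path $KernelKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -ne $item) { $current = [int64]$item.$ValueName }
    $new = ($current -band (-bnot $FontBitsMask)) -bor $FontPolicy[$Mode]
    New-ItemProperty -Path $KernelKey -Name $ValueName -PropertyType QWord -Value $new -Force | Out-Null
    Write-Host ("MitigationOptions set to 0x{0:X} ({1}). Reboot for the kernel to pick it up." -f $new, $Mode)
}

# Audit mode writes to the Win32k operational log (Event ID 260 per the
# Microsoft article). Use it to find applications that load their own fonts
# before switching from Audit to Block.
function Get-UntrustedFontEvents {
    param([int]$MaxEvents = 20)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Win32k/Operational'; Id = 260 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

# Per-process variant through the API mentioned in the text. Enum value 9 for
# ProcessFontDisablePolicy and the Flags bits (bit 0 = DisableNonSystemFonts,
# bit 1 = AuditNonSystemFontLoading) come from winnt.h.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class FontMitigation {
    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_MITIGATION_FONT_DISABLE_POLICY { public uint Flags; }

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool SetProcessMitigationPolicy(
        int MitigationPolicy, ref PROCESS_MITIGATION_FONT_DISABLE_POLICY lpBuffer, IntPtr dwLength);

    const int ProcessFontDisablePolicy = 9;

    // Applies to the calling process only (here: this PowerShell host).
    public static bool Apply(bool audit) {
        var p = new PROCESS_MITIGATION_FONT_DISABLE_POLICY();
        p.Flags = audit ? 2u : 1u;
        return SetProcessMitigationPolicy(ProcessFontDisablePolicy, ref p, (IntPtr)Marshal.SizeOf(p));
    }
}
'@

# Usage:
#   Get-UntrustedFontPolicy
#   Set-UntrustedFontPolicy -Mode Audit      # run in audit mode first
#   Get-UntrustedFontEvents                  # review what would have been blocked
#   Set-UntrustedFontPolicy -Mode Block
#   [FontMitigation]::Apply($false)          # block non-system fonts in this process
```

Set-UntrustedFontPolicy masks only bits 48-49 before writing, so other mitigations already encoded in MitigationOptions survive; the value is read by the kernel at boot, so reboot before testing. The per-process call mirrors what EMET does for a selected application and, once enabled, applies for the lifetime of that process.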


Fig. The "Block Untrusted Fonts" feature can be activated for the selected application.

Download EMET at this link .

be secure.

Source: https://habr.com/ru/post/268165/

