Goodbye EMET, hello WDAG and the Fall Creators Update

It’s July 2018, which means EMET end of life is imminent. If you are using EMET currently, in all likelyhood it will probably work fairly well past the end of this month, but consider your upgrade options now.

Microsoft have timed the EOL of EMET to coincide with the release of the 1709 Fall Creators Update for Windows 10 (and equivalent server operating systems) that includes WDAG. This is the most sensible upgrade path for many users. Even if you don’t currently deploy EMET, you should consider a Windows 1709 upgrade as you’ll get a lot of security benefits for free.

EMET has had a strong following, and practitioners have taken it up rapidly, so much so the extensions to the support horizon for EMET are reportedly down to calls from system administrators.

Rapid7 have some good words to say about EMET, though equally a leading vulnerability research outfit has unearthed some of the weaknesses of the more recent releases of EMET.

Weaknesses of EMET are widely known, but NCSC have continued to recommend its use and for good reason: it does add more defences and does raise the bar for potential attackers, particularly the later versions of EMET that address some vulnerabilities in EMET itself.

Back in April, NCSC released an interesting blog entry on the Windows Fall Creator update 1709. With growing interest in Windows 10 adoption, it’s a good idea to take a look at their EUD configuration guide for Windows 10.

If you are using EMET on Windows 10 pre-1709, when you upgrade to 1709 it will automatically uninstall EMET.

What’s the new offering going to do in terms of systems security? Running untrusted web sites within Hyper-V virtualisation is a great benefit with WDAG, and under the hood there are numerous security innovations in Windows 10.

Perhaps the single biggest benefit is the integration of EMET functionalities into the OS, removing a number of critical weaknesses of EMET use and putting system hardening into the OS ‘by default’.

If you have an opportunity to upgrade without any compatibility concerns, considering an upgrade to Windows 10 is something I recommend.

Q: can I install EMET now that it is end of life?

This is a fair question. Using obsolete or unsupported software is very poor INFOSEC, so it’s probably no surprise that my general advice is not to use software that falls into that category.

In the past EMET has suffered from vulnerabilities, and there is no guarantee that it will not run up against new exploits in the future. You should at a minimum carry out a comprehensive review of new vulnerabilities, and probably combine a large deployment with a reputable pen test. Risk assess it to get the best answer for your particular situation.

Q: can EMET be uninstalled as a stop-gap measure?

Risk assess it! EMET can be uninstalled, and you might find that is a sensible strategy in the short term. Ensure any non-EMET systems are hardened using NCSC guidance, and enable some of the OS capabilities EMET automatically enables (such as DEP on an opt-out basis). Check binaries of applications, particularly those that process untrusted data and/or have network connectivity, to see if they make use of DEP, because even if you enable it binaries can opt out if they are not compatible.

There are lots of tools and scripting options to check binaries for ASLR, DEP and other capabilities on PE executables, and you should check these thoroughly. If you find binaries that do not support ASLR and DEP, consider your options and maybe switch to a competitor product.