You can control almost all EMET mitigations except for the ROP and EAF protections through IFEO (Image File Executable Options). There's also the cert pinning but I believe that was only useful for IE. There are also other Windows 10 specific mitigations that don't exist in EMET which can also be controlled this way. The main selling point of EMET was that it did not require recompilation. Luckily you can still control most of these mitigations through IFEO (see below) which does not require recompilation.
EAF uses debug registers which limits its usefulness and the ROP mitigations are becoming less useful because of CFG (control flow guard). Although the latter does require applications to be recompiled with the latest Visual Studio (and Opt-In to using CFG which is not enabled by default). It's not really surprising seeing Microsoft retire EMET considering you can get nearly the same kind of coverage on a vanilla Windows 10 install.
I made a rough guide as to the layout of the MitigationOptions QWORD which controls these mitigations:
https://theryuu.github.io/ifeo-mitigationoptions.txt
There are Microsoft provided functions which can also enable these mitigations[1][2] when compiled into the code. Also let's not forget that for now EMET still works fine with Windows 10.
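An added example (not from the thread or the linked guide) for the IFEO MitigationOptions QWORD the comment above and the later reply about recompilation-free mitigations discuss: it composes the value from named mitigations, decodes an existing value back, and prints the reg.exe command an administrator would review before applying. It assumes the value uses the same bit layout as the PROCESS_CREATION_MITIGATION_POLICY_* constants in winbase.h (most policies occupy a nibble, ALWAYS_ON = 1 << shift, ALWAYS_OFF = 2 << shift); the image name and values are constructed sample input.

```python
# Assumption: IFEO MitigationOptions shares the bit layout of the
# PROCESS_CREATION_MITIGATION_POLICY_* constants (winbase.h).
IFEO = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Single-bit policies with no ALWAYS_OFF counterpart.
FLAGS = {"DEP_ENABLE": 0x1, "DEP_ATL_THUNK_ENABLE": 0x2, "SEHOP_ENABLE": 0x4}

# Nibble-based policies: name -> shift of the ALWAYS_ON bit (ALWAYS_OFF is shift+1).
NIBBLES = {
    "FORCE_RELOCATE_IMAGES": 4, "HEAP_TERMINATE": 8, "BOTTOM_UP_ASLR": 12,
    "HIGH_ENTROPY_ASLR": 16, "STRICT_HANDLE_CHECKS": 20,
    "WIN32K_SYSTEM_CALL_DISABLE": 24, "EXTENSION_POINT_DISABLE": 28,
    "PROHIBIT_DYNAMIC_CODE": 32, "CONTROL_FLOW_GUARD": 36,
    "BLOCK_NON_MICROSOFT_BINARIES": 40, "FONT_DISABLE": 44,
    "IMAGE_LOAD_NO_REMOTE": 48, "IMAGE_LOAD_NO_LOW_LABEL": 52,
    "IMAGE_LOAD_PREFER_SYSTEM32": 56,
}

def encode(always_on=(), always_off=(), flags=()):
    """Build the QWORD; raises on unknown names or an ON/OFF conflict."""
    value = 0
    for name in flags:
        value |= FLAGS[name]
    for name in always_on:
        value |= 1 << NIBBLES[name]
    for name in always_off:
        if name in always_on:
            raise ValueError(f"{name} set both ALWAYS_ON and ALWAYS_OFF")
        value |= 2 << NIBBLES[name]
    return value

def decode(value):
    """Map a stored QWORD back to policy names; unknown bits are reported, not dropped."""
    out = {}
    for name, bit in FLAGS.items():
        if value & bit:
            out[name] = "ENABLE"
    for name, shift in NIBBLES.items():
        nib = (value >> shift) & 0x3
        if nib:  # 3 (both bits) is only meaningful for FORCE_RELOCATE_IMAGES (REQ_RELOCS)
            out[name] = {1: "ALWAYS_ON", 2: "ALWAYS_OFF", 3: "BOTH_BITS"}[nib]
    known = sum(FLAGS.values()) | sum(0x3 << s for s in NIBBLES.values())
    if value & ~known:
        out["UNKNOWN_BITS"] = hex(value & ~known)
    return out

def reg_add_command(exe_name, value):
    """reg.exe command to apply the value to every process with this image name."""
    return (f'reg add "{IFEO}\\{exe_name}" /v MitigationOptions '
            f'/t REG_QWORD /d 0x{value:x} /f')

if __name__ == "__main__":
    v = encode(always_on=["BOTTOM_UP_ASLR", "HIGH_ENTROPY_ASLR"],
               flags=["DEP_ENABLE", "SEHOP_ENABLE"])
    print(hex(v), decode(v))
    print(reg_add_command("sample.exe", v))  # sample.exe is a constructed name
```

Because the key is matched by image name, the same value applies to every process launched under that name, so decode a value you did not write yourself before changing it.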
Not sure when it was originally posted; as noted, there is an update today, Nov 21st 2016, and that is the same date as the article.
Basically, Windows 10 doesn't use EMET, and MS claims it's because Windows 10 has other mitigation techniques making it more secure.
However, as per the article, there are many mitigation steps not included, and many require applications to be compiled specifically for the EMET replacement mechanisms.
The update to the article today is that Windows 10 supports more than previously in the latest release; however, it still doesn't support everything EMET provides.
EMET is a complex service that requires a small dedicated team to functionally operate at organizations of any size. It's simply too hard of a sell to all but the most security-focused enterprises, and the resources that go into it would be better utilized on regular systems security.
So essentially they replaced it with a microvisor; it's pretty neat really. I haven't personally played with it yet, but I am curious how they deal with user/application data. Bromium's offering was very limited in many ways (mainly the applications that are supported) but it is amazing. You basically can open up a browser, grab a virus, shut down the browser. And you are done! Once you launch it again it will be a clean application, on a fresh microvisor.
> We have listened to customers' feedback regarding the January 27, 2017 end of life date for EMET and we are pleased to announce that the end of life date is being extended 18 months. The new end of life date is July 31, 2018. There are no plans to offer support or security patching for EMET after July 31, 2018. For improved security, we recommend that customers migrate to the latest version of Windows 10.
You can still use EMET on Windows 10 though. I believe the main takeaway from the article should be that they're discontinuing it.
You can get almost all of the EMET provided mitigations except for EAF and the ROP protections from a vanilla Windows 10 install (see my top level comment[1]). There's also the cert pinning but currently that's only useful for IE.
The latest major Windows 10 update added more EMET features. I imagine by the time EMET is retired, it'll have everything. Retiring EMET seems to be another underhanded trick by MS to get everyone off Win7 and onto 10. Enterprises that depend on it for security will be forced to move sooner than planned, or at least, not be allowed to skip 10, as by the time Windows 11 comes out, 7 will have been out of support for quite some time.
Since there will be "no more versions of Windows" and "only updates to Windows 10", I'm curious how Microsoft will handle getting customers to "pay for Windows upgrades".
I assume either that assumption is false, and this is just another bait and switch from Microsoft, and they will make customers pay for "big updates" for Windows 10 in the future - or they will try to at least transition businesses to a subscription for Windows.
They're already seeding the idea that Windows 10 updates will not be free forever to unsuspecting tech writers by getting them to push headlines such as "Next Major Update Of Windows 10 Will Arrive In Month X, For Free"
First off, everyone already assumes that Windows 10 updates would be free, since Windows "updates" have always been free - so why even bother to put such a "useless" fact in a word-constrained headline? The only explanation is that they're trying to prepare the public for when Windows 10 updates will not be free, and make them think "Oh, so the version after that may not be free anymore?!" and set that expectation.
«Since there will be "no more versions of Windows" and "only updates to Windows 10", I'm curious how Microsoft will handle getting customers to "pay for Windows upgrades".»
Microsoft has stated pretty openly the obvious truth from OS surveys and telemetrics that statistically "no one" ever has paid for Windows upgrades. By far, statistically, consumers bought a PC and used whichever version of Windows came with that PC for the lifetime of that PC.
In Enterprise, where the cost model already includes support and servicing and Windows upgrades, there was plenty of foot-dragging, and Enterprises have statistically paid extra to not upgrade Windows and/or paid for upgrades that they've never installed.
Microsoft seems to be trying to "right size" the Windows pricing model by taking into account the reality that consumers were already expecting to pay for Windows only once in the lifetime of a device and that Enterprises "like" to pay more to not upgrade.
There will still be upgrades to Office, so they just need to tie that in. At some point your O365 subscription will include Windows updates, with newer Office programs refusing to install on "insecure unpatched versions", and that will be it.
Why not both? At least they're pushing them to the Pro version [1], as Microsoft seems to be trying to turn it into a more expensive "Home Premium", leaving professionals with only the most expensive Enterprise version as an option [2].
As long as Microsoft isn't addressing the real blocker for people to skip Windows 8 and 10, they won't convince that user base. Those users might eventually move to 10, but will stick with 7 as long as they possibly can and as long as the Windows apps they rely on support it.
I must say I don't understand the reasoning behind Microsoft not providing a Pro or Enterprise Windows version that doesn't use the existing users as testers for UI experiments, or how much sensitive information they're willing to share on a desktop machine intended for very likely private work (authoring text, media, code, etc.).
They're making the same mistake as GNOME and KDE are, trying to shoehorn tablet features onto the desktop, while pretending the keyboard and mouse are less relevant now.
I admit that there are those who are not power users and run Windows, but those that aren't are most likely better served with a lower maintenance solution like a Tablet with a bluetooth keyboard for writing sessions, and there the privacy invasion is already accepted by using a mobile OS.
PC Gamers and creators are the power users who use Windows for various applications, and Microsoft is making life very hard for them by bundling the improvements in the subsystems with the mobile OS experience on top without offering the new kernel features and such with the old user experience and trustworthy environment.
If you think about it, using a desktop environment that leaks like that for sensitive work doesn't make sense. Someone writing a book or movie script or working on an unpublished program doesn't want even metadata about it to leak into cacheandclipboard.mscloud.azure.com.
This is all very weird and self-destructive and provides fodder for those who would like to believe Microsoft, Google, Apple are adding these features on request by monitor+control agencies.
My initial interpretation, when I had heard about the EMET EOL, was that Microsoft was doing it as a way to spin removing dev effort from EMET into leveraging people onto Windows 10.
Now I'm not sure - Windows 10 doesn't have the full featureset, and I don't _think_ Microsoft is likely to actually introduce the entire featureset into Windows 10 with much lead time before the EOL.
If they do, though, it would certainly be a nice carrot AND stick to get people up to at least a certain update version for that functionality.
I think the featureset that Windows 10 provides is good enough as an alternative (see my top level comment[1]). EAF was never that useful because it uses debug registers and the ROP protections have been "replaced" by CFG (control flow guard). Everything else is provided by a vanilla Windows 10 install.
The usefulness of the EMET protections was that they could be used without having to recompile an application, whereas protections like CFG do require recompilation with the latest Visual Studio (and for you to Opt-In to CFG).
Yeah, but as your comment says, for me, a lot of the value was in adding mitigations for applications that were not pre-compiled with said options.
Yes, some of them can be manually twiddled without recompilation, but it's not nearly as convenient to manage or deploy (though one imagines a GPO template to do all of the heavy lifting that's doable via IFEO would be a feasible thing), and for anyone not using GPOs, then you're reimplementing a poor subset of the EMET GUI over the IFEO parameters.
Palo Alto Traps also covers anti-exploit but I expect that this functionality is something vendors will be building into their upcoming security suites.
[1] https://msdn.microsoft.com/en-us/library/windows/desktop/ms6...
[2] https://msdn.microsoft.com/en-us/library/windows/desktop/hh7...