EMET is not a foolproof computer system defense solution, but it can stop many threats, old and new, by anticipating actions used by attackers and terminating or blocking them.
The utility sports a number of improvements: two new mitigation techniques, new configuration options, and new default settings.
The two new mitigation techniques are Attack Surface Reduction (ASR) and Export Address Table Filtering Plus (EAF+).
"The new Attack Surface Reduction (ASR) mitigation provides a mechanism to help block specific modules or plug-ins within an application, in certain conditions. For example, customers can now configure EMET to prevent their browser from loading Java plug-ins on external websites, while still continuing to allow Java plug-ins on their internal company websites," explains Chris Betz, senior director of the Microsoft Security Response Center.
The Export Address Table Filtering Plus (EAF+) feature protects against memory read operations, which are often used to discover and build dynamic ROP gadgets and execute code when a vulnerability is exploited.
New configuration options will be especially welcome to enterprise IT pros, and the new Microsoft EMET Service will help them monitor the status and logs of any suspicious activity.
Since version 4.0, EMET provides a configurable SSL/TLS certificate pinning feature called Certificate Trust, which is aimed at detecting man-in-the-middle attacks leveraging the public key infrastructure (PKI). In EMET 5.0, the feature has been improved: it prevents users from visiting websites with untrusted certificates.
Finally, the Deep Hooks mitigation (protection of critical APIs) is now turned on by default, and there is new hardening against data-driven bypasses, which helps prevent attackers from modifying EMET's data structures during attacks.