Microsoft: Windows 10 makes EMET unnecessary. Study: Nope

Microsoft plans to discontinue support for its Enhanced Mitigation Experience Toolkit in July 2018, and won't release a new version of EMET either.

This makes EMET 5.51 the last release version of the anti-exploit security software for Windows. The reason given by Microsoft was that Windows 10, Microsoft's new operating system, includes all the mitigation features "that EMET administrators have come to rely on" as well as new mitigations that are not part of EMET.

Microsoft stated openly that Windows 10 includes security features so that it is no longer necessary to run EMET (and thus for Microsoft to support it).

Windows 10 and EMET

EMET protection is divided into system-wide protection and application-specific protection.

Data Execution Prevention (DEP), Structured Exception Handler Overwrite Protection (SEHOP), Address Space Layout Randomization (ASLR), Certificate Trust (Pinning), and Block Untrusted Fonts (Fonts) fall in the first group.

Data Execution Prevention (DEP), Structured Exception Handler Overwrite Protection (SEHOP), Null Page Allocation (NullPage), Heapspray Allocations (HeapSpray), Export Address Table Access Filtering (EAF), Export Address Table Access Filtering Plus (EAF+), Mandatory Address Space Layout Randomization (ASLR), Bottom-Up Randomization (BottomUpASLR), ROP Mitigations (LoadLib, MemProt, Caller, SimExecFlow, StackPivot), Attack Surface Reduction (ASR) and Block Untrusted Fonts (Fonts) fall in the second group.

Will Dormann at Carnegie Mellon University's Software Engineering Institute created the following table, which lists for each mitigation whether it is included in Windows 7 or 10, or in Windows 7 or 10 with EMET installed.

[Image: windows mitigations updated]

If you look at the table, you will notice quickly that vanilla Windows 10 does not offer the same level of protection as Windows 10 with EMET running.

The same can be said for the comparison of vanilla Windows 10 and Windows 7 that is running EMET.

While it is true that Windows 10 supports several application mitigations out of the box, so to speak (DEP, SEHOP, ASLR and BottomUpASLR, to be precise), it is clear that the operating system does not include all the protective features that EMET offers. Protective features in this regard means application mitigations such as HeapSpray, EAF, MemProt or ASR.

The options that Windows 10 does support are not enabled by default and need to be enabled in the Group Policy Editor.

The researcher comes to the conclusion that Microsoft's implication that users don't need EMET if they run Windows 10 is not true.

Microsoft strongly implies that if you are running Windows 10, there is no need for EMET anymore. This implication is not true. The reason it's not true is that Windows 10 does not provide the application-specific mitigations that EMET does.

He notes furthermore that Windows 10 does ship with additional protective measures, but that programs need to take advantage of them, and that this does not account for all the protective measures that EMET offers.

His recommendation is to use EMET if possible and if application-specific mitigations are configured by system administrators or users. If that is not possible for whatever reason, the next best thing is to configure mitigations that can be applied to Windows 10 without EMET.

Alternatives to EMET are Malwarebytes Anti-Exploit (also available in Malwarebytes Premium), and HitmanPro.Alert.

Now You: Do you run anti-exploit software?

This article was first seen on ComTek's "TekBits" Technology News
