News

Microsoft Offers Mitigation Security Tool for ISVs

Microsoft wants you to know that even as you read this article, "people around the world are hunting for vulnerabilities in software applications."

To help thwart such efforts, Microsoft this week announced a new mitigation security utility for application developers and IT professionals. The Enhanced Mitigation Evaluation Toolkit (EMET), currently at Version 1.0.2, is conceived as an "extensible framework" that will include future mitigation technologies as they are released, according to a Microsoft blog.

This EMET release contains just four mitigations: dynamic data execution prevention, heap spray allocation, NULL page allocation and structured exception handing. EMET users can opt into these mitigations for their applications by using the command line in the utility. Users don't have to have to recompile their applications after using the tool, according to the blog.

EMET is the latest component in Microsoft's overall Security Development Lifecycle strategy. It allows developers to write security into applications at a more granular or "command-line" level. Thus, instead of securing an entire application, programmers can code security parameters into a single process.

Security mavens like the idea of going deep into the anatomy of an application rather than just relying on anti-virus software or operating system security functions. For instance, Phil Lieberman, president of Lieberman Software, called EMET "a good value-add for Microsoft ISVs [independent software vendors]."

EMET allows Windows enterprise pros to "harden their applications for free," which is "always a good price," Lieberman said.

"This adds an extra post-production step that allows ISVs to make it much harder for hackers to exploit their applications," he added. "The extra post-production step hardens the rules for memory usage (finer grained protection) and also strengthens the exception mechanisms."

As hackers begin to focus more on specific applications, developers have begun to pay more attention to embedded security. EMET is worth a try in the face of server attacks, automated bugs, browser attacks and stack-buffer overflow exploits, according to Andrew Storms.

"Every third-party partner, application developer or part time coder should at least consider checking out the new EMET from Microsoft," said Storms, director of security at nCircle. "The toolkit makes it even easier to utilize the newest security enhancement mitigations built into the newer Microsoft operating systems."

EMET Version 1.0.2 can be accessed at the Microsoft Download Center here.

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.

comments powered by Disqus

Featured

  • Uno Platform Ports Windows Calculator to Linux

    Uno Platform has ported the famed Windows Calculator, open sourced last year, to Linux as part of a continuing "proof point" effort to demonstrate the reach of what it describes as the sole UI offering available to target Windows, WebAssembly, iOS, macOS, Android and Linux with single-codebase applications coded in C# and XAML.

  • ASP.NET Core OData 8 Preview Supports .NET 5, but with Breaking Changes

    ASP.NET Core OData, which debuted in July 2018, is out in a v8.0 preview that for the first time supports the upcoming .NET 5 milestone release.

  • VS Code Java Team Details 5 Best Dev Practices

    Microsoft's Visual Studio Code team for Java development added a new Coding Pack for Java installer and detailed best practices for setting up a development environment.

  • Binary Classification Using PyTorch: Defining a Network

    Dr. James McCaffrey of Microsoft Research tackles how to define a network in the second of a series of four articles that present a complete end-to-end production-quality example of binary classification using a PyTorch neural network, including a full Python code sample and data files.

  • Blazor Debugging Boosted in .NET 5 RC 2

    In highlighting updates to ASP.NET Core in the just-launched second and final Release Candidate of .NET 5, Microsoft pointed out better debugging for Blazor, the red-hot project that allows for C# coding of web projects.

Upcoming Events