CERT tells Microsoft to keep EMET alive because it's better than Win 10's own security

Microsoft should reverse its planned axing of the lauded Enhanced Mitigation Toolkit (EMET) as Windows 10 cannot yet match its level of security, according to Carnegie Mellon University CERT furniture Will Dormann. The vulnerability analyst, who has pushed out security alerts and advice from the world's first CERT for around a …

  1. hplasm
    Thumb Up

    ha ha!

    CERT Furniture!

    Nice one.

  2. agatum

    Win 10's own security

    As the guy I buy most of my software from put it: "margins being what they are it's a bliss slurp still makes a product I am able to sell WITH a mandatory f-secure or somesuch product".

  3. Adam 52 Silver badge

    '"EMET puts this control back in our hands," he says.'

    That'll be the problem right there. User control has no place in Microsoft's vision for Windows.

    (or Apple's or Google's for that matter, and less and less Red Hat's and Canonical's)

  4. Anonymous Coward

    Great point he's making

    Especially considering older apps guaranteed not to be taking advantage of Win10 features are the ones that need EMET most.

    1. Mage Silver badge
      Coat

      Re: Great point he's making

      Also the only reason to run Windows at all is for older Applications.

      So why would people want to "upgrade" from Win7 pro to Win 10?

      Even Win7 32 bit is easier to run older programs on, though they OUGHT to work on Win Pro7 64bit. Just been through a huge heap of CDs to re-install on Win7 pro 64 that were all working on 32bit XP.

      Only 2 worked / even installed:

      One had text missing from all buttons on main menu level.

      The other would only install DOS version (via DOSBOX, sound & mouse working) and wouldn't install the Windows version (which worked on XP) at all.

      Windows 10 seems even worse for compatibility.

      "Surely there are new versions of all these programs for Windows 7 or Windows 10?"

      Er, no, unless it's a top selling payroll or accounts package. The developers are gone, or doing newer shiny games you don't want, also do you WANT to re-purchase all the programs you already bought?

      I guess I need to install a VM with no Internet access. Stupid. WOW used to work. NTVDM used to work, now even 32 bit apps allegedly compatible with Vista as well as XP often won't run on Win7 64, though I suspect badly written installers as "new" 32 bit Windows applications (some of which work on XP) do install and run on Win7 pro 64 bit (but significantly from "Program Files (x86)" ).

      Windows has turned into a mess going downhill.

      Mine's the one with two USB sticks in the pocket, Linux Mint cw Mate, 32 bit and 64 bit.

      1. Anonymous Coward

        Re: Great point he's making

        Any properly written Win32 application for Windows 2000 (and probably NT also) would work without issues in 7. Some relying on drivers or very low level stuff could have issues, but simple userland applications should have none. Those written as if everything was still Windows 3.0 have issues, no surprise. Sometimes they could be made to work using compatibility modes, sometimes not.

        There's an issue that some 32 bit applications came with 16 bit installers. Those won't work on 64 bit OS.

        The lack of DOS (and thereby Win16) support in 64 bit OS isn't a Microsoft fault. The designers of x64 decided to remove some features, including the Virtual 86 mode, when the CPU runs in 64 bit mode. You'll need to use virtualization, but unluckily it means you need also valid licenses of DOS and Windows 3.x if you really need to use them (FreeDOS should work, though). Or use the XP VM that comes with 7.

        1. Brewster's Angle Grinder Silver badge

          Re: Great point he's making

          I've got 32 bit tools I compiled under Win95 that still run fine on Win10.

      2. qwertyuiop

        Re: Great point he's making

        Ummm... I don't get this.

        Why should every new version of an OS support every bit of software that ever ran on previous versions?

        The world moves on, technology moves on. A payroll or accounting package that was released back in 2001 alongside XP may no longer be compatible with modern legislation/requirements (electronic submission of returns to HMRC for example) so you'd need to update/replace it anyway.

      3. BinkyTheMagicPaperclip Silver badge

        Re: Great point he's making

        Compatibility is just fine in Windows 7 and 8, but in x64 versions there is no 16 bit Windows compatibility due to hardware limitations.

        What on earth are you running? DOS versions? I run all manner of crappy old kit and haven't run into compatibility issues. Any issues that do exist are usually down to the programs being poorly written in the first place.

        It's *twenty years* since DOS and Windows 3.x died, do you think perhaps you could give Windows a break..

  5. Anonymous Coward

    Windos Suckurity: Welping at customers since 1995!

    "Vuln seeker saus EMET has 13 protections Win 10 doesn't"

    "Vuln seeker saus" ... related to Gabelstapelfahrer Klaus?

  6. TRT Silver badge

    They should...

    bake it into hardware and put it in every Windows 10 machine. Unless they do already, I feel a little bit of sick come into my mouth every time I have to attend a machine with a problem and see the Windows 10 startup - it must have an EMETIC already in there.

    1. NotBob

      Re: They should...

      Don't give them ideas. Secure boot, anyone? Any chance to lock the computer to only Windoze and they'll be all over it at our expense.

      1. TRT Silver badge
        Facepalm

        Re: They should...

        EMET IC. Get it?

  7. yepp

    The report forgot to consider these important facts

    The report forgot to consider these important facts:

    https://blogs.windows.com/business/2016/06/29/advancing-security-for-consumers-and-enterprises-at-every-layer-of-the-windows-10-stack/#51fixYEa5gL73Xlg.97

    "We’ve also made substantial improvements to Microsoft Edge’s security with Windows 10:

    - The use of our AppContainer sandboxing technology enables us to isolate the browser from the rest of the OS, apps and user data.

    - A new plug-in model prevents plug-ins implemented with insecure designs from running.

    - New mitigations in ASLR and Control Flow Guard harden the browser from code injection and memory corruption attacks to help defeat common exploit techniques, such as heap spraying and ROP.

    - Untrusted and malicious fonts that were served by web pages and embedded in docs are now blocked and the font parsing code has been sandboxed."

    1. Anonymous Coward

      Re: The report forgot to consider these important facts

      You mean the same Edge that was repeatedly p0wned by that Korean hacker? Also, remember EMET protects the whole OS, not what runs in the browser only.

      1. jason 7

        Re: The report forgot to consider these important facts

        Exactly, currently DEP on Windows only covers MS Browsers by default.

        I set it to everything...then install EMET.

      2. yepp

        Re: The report forgot to consider these important facts

        Windows 10 includes all of the mitigation features that EMET administrators have come to rely on such as DEP, ASLR, and Control Flow Guard (CFG) along with many new mitigations to prevent bypasses in UAC and exploits targeting the browser. EMET's effectiveness against modern exploit kits has not been demonstrated on Windows 10, especially in comparison to the many security innovations built-in to Windows 10

      3. Anonymous Coward

        Re: The report forgot to consider these important facts

        "You mean the same Edge that was repeatedly p0wned by that Korean hacker?"

        As far as I remember the Korean hacker also hacked every other major browser including Chrome in the same competition. He regularly does that. I wonder which browser you use! Internet Explorer sucked in security, Edge sucks in usability and features but its security is now competitive with other leading browsers.

        http://betanews.com/2016/11/01/microsoft-edge-is-most-secure-browser

        according to NSS lab.

    2. Craig100

      Re: The report forgot to consider these important facts

      Edge?... Phffff! I just had to downgrade the security on a client's web site code because Edge throws its toys out of the pram if it sees the "crossorigin" attribute on a CDN source! Perfectly fine on other browsers. M$ still "at it" :(

  8. jason 7

    The Big Question

    I have never found an answer.

    If MS says Windows 10 has all the EMET protections built in that's all well and good.

    But are they switched on by default?

    If you take DEP for example (the only one you have any control over) it's still set to the same setting as Windows XP days which is 'hardly worth bothering'.

    Can the Reg get a statement from MS on this? How and where are they all enabled?

    1. yepp

      Re: The Big Question

      Windows 10 includes all of the mitigation features that EMET administrators have come to rely on such as DEP, ASLR, and Control Flow Guard (CFG) along with many new mitigations to prevent bypasses in UAC and exploits targeting the browser. EMET's effectiveness against modern exploit kits has not been demonstrated on Windows 10, especially in comparison to the many security innovations built-in to Windows 10

      1. Destroy All Monsters Silver badge
        Paris Hilton

        Re: The Big Question

        "Windows 10 includes all of the mitigation features that EMET administrators have come to rely on"

        So CERT knows nothing and that table is faux facts?

        I hope this post isn't coming from the MS Hasbara operations down in Bangalore or wherever.

      2. jason 7

        Re: The Big Question

        @yepp - Prove it! Where do I find the settings in case I need to switch them on and off?

        What if an important item of software triggers one of them and I need to adjust?

        I call BS!

  9. Uberseehandel

    Not secure

    I hope it is coincidence and not prescience, but the castle in the photograph at the top of the article is Bodiam.

    Bodiam was one of the last, if not the last, castle licensed to be built in England. It wasn't built to defend anything, it was built for show. The curtain walls would have crumbled as soon as an enemy looked at them.

    Is Win 10 security any better than Bodiam's?

    1. BoldMan

      Re: Not secure

      Caer Boldiam was always my favourite castle to hold in Dark Age of Camelot :)

      1. Destroy All Monsters Silver badge
        Paris Hilton

        Re: Not secure

        Where does one get a license to build a castle??

        1. graeme leggett Silver badge

          Re: Not secure

          Presumably in the old days with a large sum of money and personal assurances to the monarch about loyalty.

          These days, dunno but suspect a full environmental impact survey comes into it. Even if it's a reproduction like that one in France using traditional methods.

  10. joed

    the matter of control

    "EMET puts this control back in our hands," - obviously not along MS' plan for Windows 10 users.

  11. Anonymous Coward

    Mint!

    Swapped Microsoft dead donkey o/s for Linux mint. No issues.

    1. Spasticus Autisticus
      Linux

      Re: Mint!

      +100 - more and more of my customers are moving to Mint when they see how much faster, familiar and easier it is over W, w, w, w, w, w - I can't bring myself to say it, don't want to make my mouth dirty :-)

      -100 for the MS dead donkey floggers that down vote negative (to MS) - but often funny - comments.

      1. jason 7

        Re: Mint!

        My experience has been the exact opposite. I can't give Linux away.

        I've told customers they can shave £100 off a box and it will do everything they need but nope, they won't have it. Has to be Windows.

        In 8 years of business I've not managed to shift one box with Linux on it.

        I have thought of telling them it costs £75 instead of £100 (whatever) as it seems free has a bad image.

        I dunno.

        1. Captain Badmouth
          Happy

          Re: Mint!

          "it seems free has a bad image."

          It has, for the last year or so, on here.
