EMET 4.0 Enables Certificate Pinning

Tuesday, May 14, 2013 @ 05:05 PM gHale

A new version of Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) will come out later this month and this iteration will include a certificate pinning feature that will enable users to associate a specific certificate with a given certificate authority.

The feature is a defense against man-in-the-middle (MITM) attacks that use forged certificates to redirect users or intercept protected traffic.

Keeping Systems Running and Profitable
Microsoft Offers Fix for IE 8 Bug
IE8 Exploit Already Available
Zero Day: IE 8 Falls Victim

EMET is a toolkit designed specifically to help prevent certain kinds of exploits from working on protected applications. For example, users can deploy EMET to get the advantages of DEP or ASLR in applications not compiled with those exploit mitigations enabled. The new version of EMET is due May 28 and is beta right now. The addition of certificate pinning is a significant one, although the feature only works by default when users are browsing with Internet Explorer.

Certificate pinning is a technique that can act as a defense against attacks that take advantage of users’ trust in certificates and CAs, a trust that suffered exploitation over the past few years. The compromises of Comodo, DigiNotar and other CAs have exposed the cracks in the CA infrastructure that have been there since its inception but rarely noticed. Attackers found ways to issue fraudulent certificates to themselves for various sites, notably Google, Mozilla, Yahoo and others.

Some of those attacks would not have been as damaging as they were if the users on the other end of the Web connection from the fake certificates had certificate pinning available. That defense would have allowed users to pin the Google SSL certificate to the Google Internet Authority, which issues the company’s legitimate certificates. EMET, which is an enterprise tool, can help organizations fix that situation.

To learn more about EMET and its application within an Industrial Control System, join ISSSource.com for a May 21 webcast at 11 a.m.

“EMET 4.0 comes with Certificate Trust enabled by default, including a set of pre-configured websites for the most common domains used by Microsoft online services; nevertheless, since we believe that certificate pinning is a useful tool to detect MITM attacks targeting any domain and not just Microsoft services, we designed Certificate Trust totally configurable, in order to allow any user to configure custom pinning rules that will be enforced when browsing the web with Internet Explorer,” said Elia Florio of Microsoft.

“EMET 4.0 has a main switch button in the system mitigation panel that can be used to activate or de-activate Certificate Trust. Once enabled, users have to specify which certificates and Root Certificate Authorities to trust. Users can verify that the Certificate Trust feature is activated from the EMET GUI by checking that the system status of this mitigation is ‘Enabled’ and that Internet Explorer process (iexplore.exe) is in the list of configured apps (with or without memory mitigations enabled). This configuration allows EMET to inject into the protected process a new small module (EMET_CE.DLL) that will operate only within Internet Explorer to enforce the certificate pinning protection.”

There is a function in EMET 4.0 that allows advanced users to create some exceptions for certificate pinning, as well, based on variables such as key size and country of origin for the certificate. Users also can manually opt-in other executables for the certificate pinning, including another browser.

In addition to the certificate pinning feature, EMET 4.0 also includes protection against some techniques researchers developed last year to bypass previous versions of the toolkit.

Leave a Reply

You must be logged in to post a comment.