Microsoft's claim that Windows 10 made obsolete an important enterprise anti-exploit tool was inaccurate, said a security analyst at the center that coordinates with the United States' cyber-alert organization.
"Windows 10 does not provide all of the mitigation features that EMET administrators have come to rely on," Will Dormann, a vulnerability analyst at CERT/CC (Computer Emergency Response Team Coordination Center), wrote in a post to the group's blog last week. CERT/CC is a partner of US-CERT, the arm of the Department of Homeland Security tasked with cyber-defense warnings and attack investigations.
EMET, or Enhanced Mitigation Experience Toolkit, is a seven-year-old anti-exploit tool that Microsoft has touted to deflect malicious attacks. EMET has been regularly recommended by the company to protect Windows PCs until a proper patch can be issued, for example.
Dormann was reacting to a Nov. 3 announcement by Microsoft that it would drop support of EMET at the end of July 2018. Microsoft argued that EMET had not kept pace with newer anti-exploit techniques, and could never be as successful as mitigation approaches baked into an operating system.
In the same announcement, Microsoft trumpeted Windows 10, saying that it "includes all of the mitigation features that EMET administrators have come to rely on such as DEP, ASLR, and Control Flow Guard (CFG) along with many new mitigations to prevent bypasses in UAC and exploits targeting the browser."
After July 31, 2018, Microsoft will not update EMET, provide support for the tool, or patch any security flaws it may have. Rather than rely on EMET, customers should "migrate to Windows 10," Microsoft said.
Dormann wasn't buying it.
Although EMET's most prominent system-wide mitigations were, as Microsoft said, built into Windows 10 (and before that, Windows 7 and Windows 8), the tool's value came from its ability to protect individual applications, especially older programs, Dormann said. "Even though the underlying Windows operating system supports a mitigation, doing so does not necessarily mean that it will be applied to an application," he wrote.
Those application-specific anti-exploit defenses are simply not integrated into Windows 10, Dormann contended. "Microsoft strongly implies that if you are running Windows 10, there is no need for EMET anymore. This implication is not true," he said.
Dormann asserted that EMET was a valuable tool, even to Windows 10 users, and inferred that Microsoft is killing it off too quickly. "It is pretty clear that an application running on a stock Windows 10 system does not have the same protections as one running on a Windows 10 system with EMET properly configured," Dormann said. "Even a Windows 7 system with EMET configured protects your application more than a stock Windows 10 system."
Microsoft did not immediately reply to a request for comment on Dormann's criticisms.
Neither Dormann last week, nor Microsoft nearly four weeks ago, pointed out that EMET's retirement was to take place 18 months before Windows 7 is slated to end its supported decade. Windows 7, the standard OS in business and the most popular on the planet, will exit all support Jan. 14, 2020, a year and a half after EMET's deadline.
EMET will continue to work after mid-2018, Dormann noted, even though it will be out of support; it will not suddenly stop running.
Microsoft's decision to cull EMET prior to Windows 7's end-of-support was in contrast to previous practice when an edition of Windows was reaching retirement. For example, in early 2014, several months before the end of Windows XP's support lifecycle, Microsoft pledged to continue providing those users a malware cleaning tool for more than a year after XP's demise. The implication is that EMET was victim to more than Microsoft's stated reasons, that the end of support for the tool was another way to push and prod enterprise customers to abandon Windows 7 for Windows 10.