In direct contrast to Microsoft’s assertion that Windows 10 is its most secure operating system ever, the US-CERT Coordination Centre has warned that Windows 7 with EMET offers greater protection than Windows 10.
The Enhanced Mitigation Experience Toolkit (EMET) is a tool that helps prevent vulnerabilities in software from being successfully exploited. EMET uses security mitigation technologies as special protections and obstacles that an exploit author must defeat to exploit software vulnerabilities.
These security mitigation technologies do not guarantee that vulnerabilities cannot be exploited. However, they work to make exploitation as difficult as possible to perform.
A vulnerability analyst from CERT, Will Dormann, advises Microsoft to continue the development of EMET. Microsoft says ‘many’ of EMET’s features have been integrated into Windows 10, but the concern is that key components are missing, and others have been implemented in such a way that reduces their security.
Even though EMET reaches end-of-life on July 31, 2018, Dormann advises companies to continue using it beyond this date regardless. He has produced this handy table which shows how much more secure your life would be under Windows 7 with EMET.:
He also points out another serious issue:
The problem is that the application needs to be specifically compiled to take advantage of CFG (Control Flow Guard). Out of all of the applications you run in your enterprise, do you know which ones are built with CFG support? If an application is not built to use CFG, it doesn’t matter if your underlying operating system supports CFG or not.
His final recommendations,
- From an exploit mitigation perspective, upgrading to Windows 10 is a good idea.
- Installing EMET with application-specific mitigations configured is also a good idea.
- EMET provides some protection against zero-day vulnerabilities in supported software, as well as forever-day vulnerabilities in unsupported software.
- If the use of EMET is not possible, then the system-wide mitigations of DEP and ASLR can be applied without EMET.
- Windows 10 does not provide all of the mitigation features that EMET administrators have come to rely on.
Read his full report here.