How can you protect yourself, your business, and your customers when faced with an unknown or unpatched software vulnerability? This question can be difficult to answer but it is nevertheless worthy of thoughtful consideration. One particularly noteworthy answer to this question is provided in the form of exploit mitigation technologies such as DEP and ASLR, which are designed to make it difficult and costly for an attacker to exploit a software vulnerability. The protection offered by exploit mitigations is generally independent of a single vulnerability and therefore opens the door to protecting against the exploitation of vulnerabilities that may currently be unknown or that have not yet been addressed through a security update.

The virtues of exploit mitigations are something that we strongly believe in at Microsoft. This belief is clearly demonstrated by the exploit mitigation features we have added to our products over time (DEP, ASLR, /GS, etc) and through policies in the Microsoft’s Security Development Lifecycle (SDL) that require product teams to leverage these features. Although many of these technologies have been available for quite some time, we have found that adoption by third-party software vendors has been slower than we would like. We have also heard from many enterprise administrators that they have difficulty justifying the use of exploit mitigations or are hesitant to make use of them because of performance and compatibility concerns. This is something we would like to change.

In the interest of helping to encourage adoption within the enterprise and by third-party software vendors, we have published a paper entitled Mitigating Software Vulnerabilities. This paper provides justification for the use of exploit-mitigation technologies and enumerates the set of technologies that are available today. The description of each technology includes an overview of how the technology works and what performance, compatibility, and deployment considerations should be taken into account, if any. The availability of each technology is also presented for supported operating system and compiler versions. The paper concludes with a set of recommended actions for software developers, enterprise administrators, and home and business users. In particular, we recommend that the Enhanced Mitigation Experience Toolkit (EMET) be used to evaluate the impact of enabling certain mitigations and to protect systems and applications that may be at-risk.

It is our hope that this paper will demonstrate the need for exploit mitigations and help encourage adoption of exploit mitigation technologies within the Windows ecosystem. We encourage you to check back frequently for more information about upcoming security tools and technologies at http://www.microsoft.com/security/msec.aspx.

- Matt Miller, Microsoft Security Engineering Center