Google’s open source browser fails to play nice with a free security solution from Microsoft designed to allow customers to bulletproof arbitrary applications.
According to Ian Fette, Product Manager, and Carlos Pizano, Software Engineer, Google has come across a number of incompatibility issues affecting Chrome when customers also use Microsoft’s Enhanced Mitigation Experience Toolkit (EMET).
“EMET is used to deploy and configure security mitigation technologies, often for legacy software,” Fette explained.
“However, because Chrome already uses many of the same techniques (and more), EMET does not provide any additional protection for Chrome.
“In fact, the current version of EMET interferes with Chrome’s security and prevents Chrome from updating.”
At the start of September 2010, Microsoft released version 2.0 of the Enhanced Mitigation Experience Toolkit, delivering additional options for users to secure third-party applications.
EMET can be used to make it extremely hard for attackers to exploit vulnerabilities in applications, including older programs that do not benefit from any modern security advances.
While EMET is not a silver-bullet solution, it does allow for a range of security mitigations to be added to apps.
It must be underlined, however, that the role of EMET is not to resolve security issues or patch vulnerabilities, but instead to make exploits and attacks unfeasible.
A range of mitigations can be added to existing apps to make them more secure, including: Dynamic Data Execution Prevention (DEP); Structured Exception Handler Overwrite Protection (SEHOP); Heap Spray Allocation; Null Page Allocation; Export Address Table Access Filtering; and Mandatory Address Space Layout Randomization (ASLR).
Still, using EMET with Chrome is apparently not a good idea, at least not for the time being. The promise from Google is that the incompatibility problems will be resolved.
“We are working closely with Microsoft on a solution to these issues. In the meantime, we advise users and enterprises not to attempt to configure EMET to work with Chrome,” Fette added.