The Enhanced Mitigation Experience Toolkit (EMET) “may have potential issues with the update functionality” of Google’s Chrome and Adobe’s Reader and Acrobat, Microsoft said.
EMET, a tool designed for enterprise IT, lets users manually enable important anti-exploit defenses in Windows like DEP (data execution prevention) and ASLR (address space layout randomization) for specific applications. It’s often used to boost the security of older programs.
Microsoft also relies on EMET as a stop-gap in the face of active attacks. For example, in September Microsoft told Reader and Acrobat users to run the tool to fend off exploits some experts had called “scary.”
Google noted the problem with Chrome on Tuesday in a blog post by a pair of its software engineers, who said EMET interfered with the browser ‘s security and thwarted its usual silent updates.
Those engineers also argued that EMET was unnecessary. “Because Chrome already uses many of the same techniques (and more), EMET does not provide any additional protection,” they wrote.
On Wednesday, Microsoft denied that EMET 2.0 monkeyed with Chrome’s security.
“The issue affects only update mechanisms and has no security impact on any third-party products,” said Dave Forstrom, a spokesman for the Microsoft Security Response Center (MSRC), in an e-mail reply to questions.
In Microsoft’s explanation of the EMET compatibility glitch, engineers at MSRC said Adobe and Acrobat users who had configured the tool had been required to reboot their Windows PCs to finalize updates. Normally, Reader and Acrobat updates take effect after the programs have been relaunched and no reboot is necessary.
Chrome’s situation was more complicated, the MSRC engineers said.
“This issue may affect machines with multiple users running Chrome at the same time with each instance configured for use with EMET,” they explained. “If one of those instances is running as an admin [account], it will block the other running instances from self-updating.”
Microsoft updated EMET to version 2.0.0.3 to solve the problems, and urged affected users to download and deploy the update.