Microsoft has published the Enhanced Mitigation Evaluation Toolkit. This toolkit allows you to specify a process to add the following forms of protection (without recompiling).
SEHOP
This mitigation performs Structured Exception Handling (SEH) chain validation and breaks SEH overwrite exploitation techniques. Take a look at the following SRD blog post for more information: http://blogs.technet.com/srd/archive/2009/02/02/preventing-the-exploitation-of-seh-overwrites-with-sehop.aspx. With this protection in place, the msvidctl exploit we already blogged about (http://blogs.technet.com/srd/archive/2009/07/28/msvidctl-ms09-032-and-the-atl-vulnerability.aspx) would have failed.
Dynamic DEP
Data Execution Prevention (DEP) is a memory protection mitigation that marks portions of a process’ memory non-executable. This
makes it more difficult to an attacker to exploit memory corruption
vulnerabilities. For more information on what DEP is and how it works,
take a look at the two part SRD blog available at http://blogs.technet.com/srd/archive/2009/06/12/understanding-dep-as-a-mitigation-technology-part-1.aspx and http://blogs.technet.com/srd/archive/2009/06/12/understanding-dep-as-a-mitigation-technology-part-2.aspx.
NULL page allocation
This
blocks attackers from being able to take advantage of NULL dereferences
in user mode. It functions by allocating the first page of memory
before the program starts. Right now the exploitation techniques for these types of vulnerabilities are only theoretical. However, this mitigation will protect you even if that changes. Please
note this protection does not impact kernel mode NULL dereferences as
the current version of EMET only supports user mode mitigations.
Heap spray allocation
Heap
spraying is an attack technique that involves filling a process’ heap
with specially crafted content (typically including shellcode) to aid
in exploitation. Right now, many attackers rely on their content being placed at a common set of memory addresses. This mitigation is designed to pre-allocate those memory addresses and thus block these common attacks. Please note that it only aims to break current exploit that take advantage of these common addresses. It is not a general mitigation for the larger heap spraying attack. That said, if attackers do change the addresses they use, EMET users can change the addresses
Certainly interesting stuff from MS.
Read more: http://blogs.technet.com/srd/archive/2009/10/27/announcing-the-release-of-the-enhanced-mitigation-evaluation-toolkit.aspx
Download: http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=4a2346ac-b772-4d40-a750-9046542f343d
