Tag Archives: Microsoft EMET

August 2017 Security Updates Summary

It’s the second Tuesday of August and Microsoft and Adobe made available their monthly scheduled security updates.

Microsoft resolved 48 vulnerabilities in total more formally known as CVEs (defined). These are detailed within Microsoft’s new Security Updates Guide.

This month there is only 1 Known Issue for this month’s Microsoft updates.

====================

Separately Adobe made available four security bulletins for the following products:

Adobe Digital Editions (priority 2, 2x critical, 7x important CVEs)

Adobe Experience Manager (priority 2, 1x important, 2x moderate CVEs)

Adobe Acrobat/Reader (priority 2, 43x critical, 24 important CVEs)

Adobe Flash (priority 1, 1x critical, 1x important CVEs)

The priority ratings are explained in this link. Depending on which version of Flash Player you have, please review the Adobe security bulletin or Microsoft bulletin (the link includes “April” in the URL but it is not a typo) as appropriate and apply the recommended updates. Google Chrome users should have the updated version installed automatically later this week (if not already available).

If you use any of the above-mentioned Adobe products, please review the security bulletins linked to above and apply the necessary updates. As per the established process the Flash update should be installed as soon as possible since exploit kits (defined) tend to take advantage of newly disclosed vulnerabilities very quickly.

Of note this month is the particularly large Adobe Acrobat/Reader update and the very small Flash Player update. The number of vulnerabilities resolved in last month’s Flash Player update was also small but it is too early to tell if vulnerability is moving away from Flash Player due to Adobe’s recent notice of their intention to de-commission Flash Player in 2020.

You can monitor the availability of security updates for most your software from the following websites (among others) or use Secunia PSI:
—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

—————
If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

====================
For this month’s Microsoft updates, I will prioritize the order of installation for you below:
====================
Critical severity:

Windows Search

Microsoft Windows Hyper-V

Windows Scripting Engine (affecting Edge, Internet Explorer and Office)

Microsoft Edge and Internet Explorer

Windows PDF Viewer

 

Important severity:

Windows Font Engine
====================

Please install the remaining updates at your earliest convenience.

As always you can find detailed information on the contents of each security bulletin within ComputerWorld’s Patch Tuesday Debugged column.

Another security pre-caution that you may wish to take if you have Microsoft EMET (please ensure your version of EMET is the most recent version 5.52) installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of the July 2015 Update Summary. Please note that Microsoft EMET will be out of support on the 31st of July 2018.

As noted in this new blog post, parts of EMET are to become available in the Creator’s Fall Update for Windows 10 set for release in September 2017.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

July 2017 Security Updates Summary

Earlier today as expected Microsoft and Adobe made available their monthly scheduled security updates.

Microsoft resolved a relatively large number of vulnerabilities at 54 in total more formally known as CVEs (defined). However it’s less than last month at 94. These are detailed within Microsoft’s new Security Updates Guide.

After 2 months of updates being released for versions of Windows which were no longer supported, this month is a return to the usual expected patches.

At the time of writing there are no Known Issues for this month’s Microsoft updates. The IT Pro Patch Tuesday blog which I routinely referenced is no longer available.

====================

Adobe made available just two security bulletins for the following products:

Adobe Connect (priority 3, 2x important and 1x moderate CVE)

Adobe Flash (priority 1, 1x critical, 2x important CVEs)

The priority ratings are explained in this link. Depending on which version of Flash Player you have, please review the Adobe security bulletin or Microsoft bulletin (the link includes “April” in the URL but it is not a typo) as appropriate and apply the recommended updates. Google Chrome users should have the updated version installed automatically later this week (if not already available).

If you use any of the above-mentioned Adobe products, please review the security bulletins linked to above and apply the necessary updates. As per the established process the Flash update should be installed as soon as possible since exploit kits (defined) tend to take advantage of newly disclosed vulnerabilities very quickly.

 

You can monitor the availability of security updates for most your software from the following websites (among others) or use Secunia PSI:
—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates. News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

—————
If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

====================
For this month’s Microsoft updates, I will prioritize the order of installation for you below:
====================
Critical severity:

Windows Search

Microsoft Edge and Internet Explorer

NT LAN Manager Elevation of privilege (CVE-2017-8563)(Corporate users: please ensure to set a more secure LDAP setting as per this knowledge base article)

Windows Explorer (CVE-2017-8463)
====================

Please install the remaining updates at your earliest convenience.

As always you can find detailed information on the contents of each security bulletin within ComputerWorld’s Patch Tuesday Debugged column.

Another security pre-caution that you may wish to take if you have Microsoft EMET (please ensure your version of EMET is the most recent version 5.52) installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of the July 2015 Update Summary. Please note that Microsoft EMET will be out of support on the 31st of July 2018.

As noted in this new blog post, parts of EMET are to become available in the Creator’s Fall Update for Windows 10 set for release in September 2017.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

Note: This post marks the 300th post on this blog. Thank you very much to my readers and here’s to the next 300!

=======================
Update:8th August 2017:
=======================

=======================
Nvidia Geforce Drivers:
=======================
This update applies to Linux, FreeBSD, Solaris and Windows and resolves up to 9 security vulnerabilities. The steps to install the drivers are detailed here. I detailed where Nvidia list their security advisories in a previous blog post.

Windows 10 Fall Creator’s update to include EMET features

Late last month Microsoft published two blogs (here and here) which announce forthcoming security features being added to the Windows 10 Fall Creator’s Update (intended to be released in September 2017).

Among the features such as enhancements to the Windows Defender Advanced Threat Protection (ATP) are features such as Windows Defender Application Guard (intended to block zero day (defined) threats by isolating the threat), improved Windows Defender Device Guard and Windows Defender Exploit Guard. The final feature here, Exploit Guard is noteworthy since it will incorporate some of the mitigations (defined) previously available from EMET and will provide the ability to harden legacy applications, just like EMET did namely 32 bit Windows applications.

The improvements to Windows Defender Exploit Guard don’t stop there; it introduces new mitigations and vulnerability prevention capabilities. Moreover a new class of mitigations leveraging intelligence from the Microsoft Intelligent Security Graph (ISG), will include intrusion rules to protect against more advanced threats e.g. zero days exploits. Exploit guard will act as “an extra layer of defense against malware attacks in-between the firewall and antivirus software.”

As a fan of Microsoft EMET, it’s great to see it’s return. However whether it will be available in all versions of Windows 10 or only corporate managed Windows 10 Pro and Windows 10 Enterprise is not yet clear.

I will update this post when new information becomes available. Thank you.

February 2017 Security Updates Summary

=======================
Update: 28th February 2017
=====================
Apologies for not updating this post sooner.

On the 21st of February Microsoft made available their re-packaged update of Adobe Flash Player kb4010250 for Windows 8.1 and Windows 10 systems.

The Adobe Flash Player within Google Chrome should have automatically updated earlier this month. If this link shows the version installed older than v24.0.0.221, you can use the steps within this article to quickly update Google Chrome Flash Player using it’s component updater to the latest version.

An alternative which I have not tried is to use this download from Softpedia to take the place of the Microsoft update (mentioned above) but this shouldn’t be necessary since month long postponements of security updates should be extremely rare.

It’s very likely next month’s Update Tuesday will be busy. There were very few updates in January and no Microsoft updates in February. On the 23rd of February Google’s Project Zero team publically disclosed a second unpatched security vulnerability in Microsoft Internet Explorer and Edge. They also recently disclosed a vulnerability in Windows GDI. Combine this with an existing zero day (defined) Windows Server Message Block (SMB) vulnerability, a Firefox update expected on the 6th of March and Pwn2Own on the 15th to 17th of March; this will be a busy month!

As always, I will be here to guide you through it. Thank you.

====================
Original Post:
====================
As I am sure you are aware the release of Microsoft’s security updates were delayed as per their blog post. I will detail Adobe’s scheduled updates below and update this post when they are available.

====================
Adobe made 3 security bulletins available for Adobe Flash , Adobe Digital Editions and Adobe Campaign. The Flash Player bulletin resolves 12x priority 1 vulnerabilities. The Digital Editions and Campaign updates addressing 9 and 2 vulnerabilities respectively (both sets are priority 3). Adobe’s priority rating are explained in this link.

Depending on which version of Flash Player you have, please review the Adobe security bulletin or Microsoft bulletin (link to be added when available) as appropriate and apply the recommended updates. Google Chrome users will have the updated installed automatically alongside the updated version of Google Chrome which will most likely be made available by Google either later today or in the next 1 to 2 days.

If you use any of the above Adobe products, please review the security bulletins linked to above and apply the necessary updates. The Flash update should be installed as soon as possible since exploit kits (defined) tend to take advantage of newly disclosed vulnerabilities very quickly.

You can monitor the availability of security updates for most your software from the following websites (among others) or use Secunia PSI:
—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.
—————
If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

While there may only be 3 Microsoft bulletins this month, I will prioritise the order of updates for you below:

Another security pre-caution that you may wish to take if you have Microsoft EMET (please ensure your version of EMET is the most recent version 5.51) installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of the July 2015 Update Summary.

Please note that Microsoft EMET is in the process of being retired with the end of support scheduled for the 31st of July 2018.

As always, I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

January 2017 Security Updates Summary

Earlier today Microsoft and Adobe released their scheduled monthly security updates.

Microsoft only made 4 bulletins available. These updates address 3 vulnerabilities listed within Microsoft’s security bulletin summary (as before excluding the Adobe bulletin). These are more formally known as CVEs (defined).

Once again; there are no Known Issues listed within the above summary page. At the time of writing the IT Pro Patch Tuesday blog does not list any Known Issues. However, please check it before deploying your security updates just to be sure. As always, if any issues do arise, those pages should be your first places to check for solutions.

Next month Microsoft will only be publishing it’s security bulletins and release notes within their Security Updates Guide; rather than distributing this information across several pages. This post from WinSuperSite explains the changes in full.

====================
Adobe made a pair of security bulletins available for Adobe Flash and Adobe Acrobat/Adobe Reader. The Flash Player bulletin resolves 13x priority 1 vulnerabilities. The Adobe Acrobat/Adobe Reader resolves 29x priority 2 vulnerabilities. Adobe’s priority rating are explained in the previous link.

Depending on which version of Flash Player you have, please review the Adobe security bulletin or Microsoft bulletin as appropriate and apply the recommended updates. Google Chrome users will have the updated installed automatically alongside the updated version of Google Chrome which will most likely be made available by Google either later today or in the next 1 to 2 days.

If you use Flash or Adobe Acrobat/Adobe Reader any of the above products, please review the security bulletins linked to above and apply the necessary updates. The Flash update should be installed as soon as possible since exploit kits (defined) tend to take advantage of newly disclosed vulnerabilities very quickly.

You can monitor the availability of security updates for most your software from the following websites (among others) or use Secunia PSI:

—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.
—————

If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

While there may only be 3 Microsoft bulletins this month, I will prioritise the order of updates for you below:

The update for Microsoft Office should be installed first due to it’s criticality. This should be followed by the update for Microsoft Edge and finally by the LSASS update. The update for Edge is important due to exploit kits relying on such patches not to be installed in order to spread further malware (defined).

As always you can find detailed information on the contents of each security bulletin is published each month within ComputerWorld’s Patch Tuesday Debugged column.

Another security pre-caution that you may wish to take if you have Microsoft EMET (please ensure your version of EMET is the most recent version 5.51) installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of the July 2015 Update Summary.

Please note that Microsoft EMET is in the process of being retired with the end of support scheduled for the 31st of July 2018.

As is my standard practice, I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

December 2016 Security Updates Summary

Today Microsoft and Adobe released their scheduled monthly security updates, the final scheduled set from both vendors for 2016.

Microsoft’s made 12 bulletins available. These updates address 47 vulnerabilities listed within Microsoft’s security bulletin summary (as before excluding the Adobe bulletin). These are more formally known as CVEs (defined).

As with previous months, fortunately this month (so far) there are no Known Issues detailed within the above mentioned summary page. Monitoring that page before deploying the updates as well as the IT Pro Patch Tuesday blog will keep you well informed enabling you to have the best opportunity to avoid potential issues. If any issues do arise, those pages should be your first places to check for solutions.

====================
Adobe made available 9 security bulletins which included their regular Flash Player update. Depending on which version of Flash Player you have, please review the Adobe security bulletin or Microsoft bulletin as appropriate and apply the recommended updates. Google Chrome users will have the updated installed automatically alongside the updated version of Google Chrome which will most likely be made available by Google either later today or in the next 1 to 2 days.

The Flash Player update addresses 17x priority 1 CVEs. All of Adobe’s priority rating are explained in the previous link. The other 8 security bulletins can be summarised as follows:

Adobe Animate (APSB16-38): Addresses 1x priority 3 CVE.
Adobe Experience Manager Forms (APSB16-40): Addresses 2x priority 3 CVEs.
Adobe DNG Converter (APSB16-41): Addresses 1x priority 3 CVE.
Adobe Experience Manager (APSB16-42): Fixes 4x priority 2 CVEs.
Adobe InDesign (APSB16-43): Fixes 1x priority 3 CVE.
Adobe ColdFusion Builder (APSB16-44): Fixes 1x priority 2 CVE.
Adobe Digital Editions (APSB16-45): Fixes 2x priority 3 CVEs.
Adobe RoboHelp (APSB16-46): Fixes 1x priority 3 CVE.

If you use Flash or any of the above products, please review the security bulletins linked to above and apply the necessary updates.

You can monitor the availability of security updates for the majority of your software from the following websites (among others) or use Secunia PSI:

—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by making a donation.
—————

If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

As always; to assist with making the best use of your time when deploying these updates, I will prioritise the updates for you below:

This month is a little different than before since the Microsoft Internet Explorer and Microsoft Edge bulletins when combined address 6 vulnerabilities that are already publicly disclosed (defined). These should be followed by the Adobe Flash update which addresses a zero day vulnerability (defined). Next up would be Microsoft Office, the Windows Graphics component and the Microsoft Uniscribe update due to their criticality.

The remaining security updates can be installed when you have the time to do so. Detailed information on the contents of each security bulletin is published each month within ComputerWorld’s Patch Tuesday Debugged column.

Another security pre-caution that you may wish to take if you have Microsoft EMET (please ensure your version of EMET is the most recent version 5.5) installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of the July 2015 Update Summary.

Please note that Microsoft EMET is in the process of being retired with the end of support scheduled for the 31st of July 2018.

As is my standard practice, I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

Microsoft Announces End of Support for EMET

====================
Update: 11th July 2017:
As noted in a new blog post, an upcoming update to Windows 10 will contain some features of EMET. Further details are available in the above mentioned blog post.

Thank you.
====================

====================
Update: 13th December 2016:
Shortly after publishing this blog post, I received a response (apologies for not posting this update sooner) from the Microsoft EMET team to some questions that I had asked with regard to how to harden applications that do not incorporate security mitigations be default on Windows 10 once EMET has reached it’s end of support. These can be used with any applications, not just legacy applications.

They suggested using the Process Mitigation Options GPO which is described in the link provided by them below. This can be used to apply mitigations such as DEP, SEHOP, Mandatory/Force ASLR, and Bottom-up ASLR to a process without using EMET. They also mentioned this GPO should be receiving further usability improvements in the future.

While the above mitigations don’t provide the same level of protection that EMET offered, they offer an improvement over not using them. From their message there appears to be a possibility that further mitigations will be available in later updates to Windows 10.

I have provided the text of their message below.

====================
Thank you for your support and for providing this helpful feedback! We will consider these suggestions as we develop our documentation and continue to evolve our security and mitigation features in future releases of Windows 10.

Today, the Process Mitigation Options GPO documented below can be used to configure certain in-box Windows 10 mitigations for particular processes.

https://technet.microsoft.com/en-us/itpro/windows/keep-secure/override-mitigation-options-for-app-related-security-policies

These mitigations include DEP, SEHOP, Mandatory/Force ASLR, and Bottom-up ASLR. Though we’re aware that this GPO presents some UX challenges, we’re actively working to improve our mitigation management experience for future releases.
====================

Once again shortly after publishing this post, I came across this blog post from the CERT/CC team of Carnegie-Mellon University. They recommend using EMET on Windows 10 after the end of support deadline in July 2018 to protect applications that do not incorporate security mitigations.

This is of course assuming that future builds/versions of Windows 10 allow EMET to continue to function. If this is not the case, the alternatives discussed above could be considered.

The CERT blog post also provides the steps to enable system-wide DEP an ASLR if EMET (or the alternatives) cannot be used. That post also provides a comparison table of Windows 7 and Windows 10 with and without EMET to better display the benefits EMET offers.

How the CERT/CC team align to the US CERT team is mentioned in this Sophos blog post.

I hope that you find this additional information useful. Thank you.

====================
Original Post:
====================
Early last week Microsoft extended the support deadline of their exploit mitigation tool, Enhanced Mitigation Experience Toolkit (EMET). The final support deadline is now the 31st of July 2018 (originally 27th January 2017).

Why Should This Announcement Be Considered Important?
At this time there are known bypasses for EMET e.g. this and this. While a competitor to EMET, SurfRight HitmanPro.Alert mitigated the WoW64 bypass, Microsoft never incorporated such changes (or at least never documented such improvements). In addition in their most recent blog post concerning EMET; Microsoft states that EMET’s effectiveness against modern exploit kits (defined) has not been proven and were not designed to be a long term solution just a “stop gap” to add extra protection to older versions of Windows without necessitating upgrading to a newer version of Windows.

In addition, Microsoft mentioned that EMET can reduce the performance of the applications that it protects. Moreover it can impact their reliability since it hooks into the operating system at a low level in order to add its protection to the applications chosen by a system administrator or individual user.


You recommend EMET a lot on this blog; is that going to change?

In the short term, no. In the long-term, yes. While EMET is still supported I will recommend its use but will note that its end of support date is approaching.

I still believe that EMET can provide value by adding mitigations to commonly used applications both for enterprise/business users and individual user applications when those applications don’t include mitigations such as DEP or ASLR etc. by default after installing them. I don’t agree with Microsoft’s decision to end support for EMET for this reason.

I believe that they were overly critical of EMET in their most recent blog post. Yes it can cause performance issues (usually disabling one or both EAF and EAF+ mitigations resolves this) and can cause compatibility issues. In general, this depended on the set up of your individual applications. E.g. if you don’t install add-ons into Microsoft Word, Excel etc. they are far more likely to work with EMET without any changes. In many business and enterprise environments I realise this isn’t an option.

In my experience, accepting the defaults of the EMET configuration and adding all but EAF and EAF+ to custom applications would almost always work. Adding EAF and/or EAF+ was appropriate if they didn’t cause performance issues. A further reference regarding EMETs mitigations and another application compatibility list is available here.

I always believed that if you were going to deploy EMET across an organisation that you had to extensively test it. This could possibly involve testing it on hardware and software that mostly (or exactly if possible) emulates each type of server and workstation in use across each team in your organisation. Using just one configuration across your organisation would not work or if it did, it would be sub-optimal since you would likely have to disable many more mitigations to make it work smoothly across all systems in use.

How secure non-best practice applications (namely that they don’t include mitigations such as DEP or ASLR) are when installed on Windows 10 is uncertain. However given the continuing work that Microsoft is doing with Windows 10 and their recent publishing of details concerning the new mitigations available in Windows 10 (the original security benefits are discussed in a previous blog post) Windows 10 in the long term is the way forward. Overall however the Windows 10 without any additions is more secure by default than Windows 7 or Windows 8.1. Just one example would be the disabling of LDR Hotpatching which mitigates the issues caused by abusing its functionality discussed here and here.


If I can’t upgrade to Windows Server 2016 or Windows 10 before the support for EMET ends, what would you recommend?

If your business applications already include security mitigations such as DEP and ASLR, you may not need EMET and can simply ignore it. EMET and indeed the competitors to EMET are only necessary if the applications you use need hardening.

For business, enterprises and individuals Alternatives to EMET are Malwarebytes Anti-Exploit (Business and Personal editions) and HitmanPro.Alert. Malwarebytes Anti-Exploit can be used to protect custom applications and thus can take that role over from EMET. I am currently testing Malwarebytes Anti-Exploit and HitmanPro.Alert and will comment on their resource usage and any drawbacks they may have. I will update this post when I have completed this testing.

Alternatively try to contact the developers of the custom business applications that you are using and request that they enable some security mitigations e.g. DEP and ASLR. Visual Studio 2015 is required for adding CFG but DEP and ASLR can be added using compilers like Mono and mingw (example 2 and example 3).

I contacted the developer of a 64 bit open source tool and he mentioned that since he still supports Windows XP migrating to a newer version of Visual Studio is not an option right now but would consider it for the future. Another small but commercial application developer (a 64 bit utility for Windows) was very enthusiastic about a new version of Visual Studio offering extra mitigations and promised to add these to the next major release of his product which is currently in beta and moving towards a release candidate.

Thank you.