Firefox + EMET + EAF mitigation slowness fix


Updated: March 5, 2017

The problem you are facing is as follows. You are using the most splendid Microsoft EMET toolbox to protect your system from software violations and exploits. Recently, you have upgraded EMET to version 5.5, and Firefox seems to be running extremely slowly, taking huge amounts of CPU. You might not necessarily correlate the two, but there is a connection here. The operating system of choice: Windows 8.1.

In this little article, I will show you how I came about fixing this problem, first by isolating the problematic factors, and then mitigating the issue by disabling the incompatible mitigations. Get it? Mitigating the mitigations. After me.


More details about the problem

On my Asus VivoBook, which dual-boots Ubuntu 14.04 and Windows 8.1, I recently did several software upgrades in the latter operating system, boosting EMET from 4.0 to 5.5, and updating the entire software stack. Then, I noticed that Firefox was working very slowly. We're talking 10-15 seconds just to launch or even close, significant lag in responsiveness, 40-50% CPU figures even with a single blank tab open.

I started troubleshooting step by step. I launched the browser in the safe mode, with all its extensions and plugins disabled, and this made no difference. I tried a different profile, and finally downgraded Firefox 50 to Firefox 46 ESR, because I wanted to make sure this was not an issue specific to how the recent browser version works. I also played with the multi-process Electrolysis feature, and again, the results were consistent.

At this point, I realized that there might be a system-wide effect, caused by another change. This emphasizes how important it is, if you can, to introduce only one change at a time, so you can be 100% sure how things interact. But with EMET as another possible culprit, I decided to see what gives here.

EMET, main menu

I completely removed Firefox from the application list, and the problem went away. Then, I enabled all the mitigations and started removing them one by one, until I found which one(s) were affecting the browser. For an odd reason, EMET 5.5 with EAF and EAF+ does not seem to like Mozilla's flagship that much. I am sure this will be fixed in a new version, but at the moment, the workaround is to untick these two mitigations.

Untick EAF and EAF+ mitigations

Task manager after disabling EAF

The numbers are sane once again. Exhale, exhale, psychosomatic browser insane.
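The one-by-one removal described above can also be scripted. The following is an added example, not part of the original article or of EMET itself. It assumes the default install paths shown, the `EMET_Conf --set <exe> (+|-)Mitigation` syntax and mitigation names from the EMET user guide, and an elevated PowerShell prompt; the 30-second sample window is arbitrary.

```powershell
# Added example: cumulative removal of EMET mitigations for Firefox, with CPU measured at each step.
# Assumed paths and EMET_Conf syntax; adjust to your installation.
$emetConf = "${env:ProgramFiles(x86)}\EMET 5.5\EMET_Conf.exe"
$firefox  = "${env:ProgramFiles(x86)}\Mozilla Firefox\firefox.exe"
$all = 'DEP','SEHOP','NullPage','HeapSpray','EAF','EAF+','MandatoryASLR',
       'BottomUpASLR','LoadLib','MemProt','Caller','SimExecFlow','StackPivot'
$sampleSeconds = 30

function Set-Mitigations([string[]]$Disabled) {
    # "+Name" keeps a mitigation on, "-Name" turns it off for firefox.exe.
    $flags = $all | ForEach-Object { if ($Disabled -contains $_) { "-$_" } else { "+$_" } }
    & $emetConf --set $firefox $flags | Out-Null
}

function Measure-FirefoxCpu {
    # Mitigations are applied at process start, so Firefox is restarted for every sample.
    Get-Process firefox -ErrorAction SilentlyContinue | Stop-Process -Force
    Start-Sleep -Seconds 2
    Start-Process $firefox -ArgumentList 'about:blank'
    Start-Sleep -Seconds $sampleSeconds
    $cpu = (Get-Process firefox -ErrorAction SilentlyContinue |
            Measure-Object -Property CPU -Sum).Sum
    Get-Process firefox -ErrorAction SilentlyContinue | Stop-Process -Force
    [math]::Round([double]$cpu, 1)
}

# Baseline with everything enabled, then switch off one more mitigation per step.
$results  = @()
$disabled = @()
Set-Mitigations $disabled
$results += [pscustomobject]@{ Step = 0; JustDisabled = '(none)'; CpuSeconds = Measure-FirefoxCpu }
$step = 0
foreach ($m in $all) {
    $step++
    $disabled += $m
    Set-Mitigations $disabled
    $results += [pscustomobject]@{ Step = $step; JustDisabled = $m; CpuSeconds = Measure-FirefoxCpu }
}

# Restore the full set; afterwards disable only the mitigation(s) at which CpuSeconds dropped.
Set-Mitigations @()
$results | Format-Table -AutoSize
```

Because the removal is cumulative, a drop in `CpuSeconds` points at the mitigation disabled in that step; confirm it by re-running with only that mitigation off, so every other protection stays enabled.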

Why this all of a sudden?

That's a good question. But Microsoft do have a compatibility list, which has all the different tools known and reported not to work with EMET with some of the mitigations enabled. This list does not have Firefox on it, but this could just be a matter of time before an update, either way.

Then, I've also spent a lot of time reading the official guide and the fine print on each of the mitigations. EAF stands for Export Address Table Access Filtering. It blocks certain system calls, or at the very least read/write access, for applications that try to use the functionality of certain core DLLs, if the requests are deemed invalid.

EAF+ extends this to stack boundaries, frame pointer register mismatches, memory corruption, and so forth. All of this may conflict with software like debuggers as well as applications that use sandboxing, DRM, and so forth. Perhaps, and this is my guess, Mozilla has been working on making Firefox more secure through sandboxing, and this possibly clashes with how EMET works and protects the system, so we may have system calls that are blocked, and this can cause performance and functionality problems with the browser. This is my guess, but I wasn't in the mood to run debuggers to test this.

Conclusion

There we go. Essentially, this is a simple little guide, but the root of the problem is far from trivial, and it can also be quite difficult to diagnose. You may not remember that you have activated EMET mitigations or necessarily correlate them to browser slowness following an innocent update. I still think EMET is the best product Microsoft released in the last decade, but like any security tool, it may raise its head out of the transparency sea and announce its presence. Much less so than all other anti-whatever tools. But still. If that happens, be precise and methodical, and try to isolate your problem. Component search, comparison to a known and pristine baseline, all the usual tricks that I've outlined in my problem solving book. Shameless self-promotion plug, close brackets.

And then, there's the very important question around EMET's future. Alas, Microsoft will be retiring this tool in mid 2018, after having extended the EOL date from just now by some 18 months. Moreover, at some point, Windows 10 will no longer support this tool, and presumably, hopefully, the mitigations will be introduced on the OS/kernel level. Lastly, all existing versions prior to 5.5 are no longer supported, so this does create a bit of a problem for current users. For now though, 'tis a great tool, and we've just resolved an issue. Ergo, enjoy.

Cheers.
