This past week Microsoft released a security advisory bulletin about a remote code execution vulnerability in IE8 that is being actively exploited in the wild (link). First of all we would recommend that the proper precautions suggested by Microsoft in the security bulletin be evaluated by customers to mitigate the risk of opening a webpage that exploits this vulnerability. This may potentially affect systems running PI software but it affects systems running IE8 in general.
This post is to advise about one of the suggestions Microsoft gave as a mitigation strategy in their bulletin, a tool called the Enhanced Mitigation Experience Toolkit (EMET). We haven't reported any information regarding EMET compatibility with our own software which may be hosted and viewed through IE8, including PI Webparts or PI Coresight, so there may be some question about whether compatibility is an issue should the other workarounds suggested by Microsoft not be feasible.
We have performed a preliminary finding of compatibility in regard to EMET and it appears to be compatible with IE8 when used as a client of PI Webparts 2010R2 or PI Coresight 2012. Our test used a Windows XP VM using IE8 to perform some basic operations in both products such as opening an existing display and adding a PI tag trend, with EMET enabled for all mitigation options. No adverse affects were seen on the test VM.
We cannot conclusively say at this point that EMET is compatible for all combinations of OS or version of PI software used. If anyone experiences any problem using EMET to workaround the threat of this particular issue, please reply here.
Arnold Woodall
OSIsoft Technical Support