Complete Microsoft EMET Bypass Developed 116
msm1267 writes "Researchers at Bromium Labs are expected to announce today they have developed an exploit that bypasses all of the mitigations in Microsoft's Enhanced Mitigation Experience Toolkit (EMET). Principal security researcher Jared DeMott is delivered a presentation at the Security BSides conference explaining how the company's researchers were able to bypass all of the memory protections offered within the free Windows toolkit. The work is significant given that Microsoft has been quick to urge customers to install and run EMET as a temporary mitigation against zero-day exploits targeting memory vulnerabilities in Windows or Internet Explorer. The exploit bypasses all of EMET's mitigations, unlike previous bypasses that were able to beat only certain aspects of the tool. Researchers took a real-world IE exploit and tweaked it until they had a complete bypass of EMET's ROP, heap spray, SEHOP, ASLR, and DEP mitigations."
Can someone explain... (Score:3, Insightful)
EMET was never meant as a cure all (Score:5, Insightful)
Re:Architecturally Insecure (Score:0, Insightful)
Windows, any version, is architecturally insecure.
Actually every operating system is and anything widely in use will be targeted, as has been demonstrated quite clearly in the past couple of weeks, we have had:
The Windows EMET vulnerability [bromium.com]
The Android E-Z-2-Use drive-by vulnerability [arstechnica.com]
The OSX & iOS SSL vulnerability [theverge.com]
Re:Is anyone surprised? (Score:5, Insightful)
I disagree. It is like changing the SSH port.
It gives the *illusion* of security, which makes people slack.
E.g. My SSH password is 123456 but don't worry its ok! I changed the SSH port to 1234 so I'm safe.
I avoid smoke and mirrors security as much as possible.
Re:Is anyone surprised? (Score:5, Insightful)
So, you don't use a club on your steering wheel, you don't bother hiding valuables in your trunk, leaving them in plain view, and, really, since a professional can get in the car anyway, just leave the doors unlocked. It's all smoke and mirrors anyway.
If a malicious attacker/user is portscanning your system and finds that port 22 is open, they're going to assume an ssh attack. If they find port 1234, they may move on to another target that has port 22 open instead. Of course, if they're really after you, and not just throwing a wide net, then such shenanigans aren't going to stop them, though it might slow them down for a little while while they try to figure out what's listening on which non-standard port.
If a script kiddie is doing the same, most likely port 1234 would be enough to fool them, and they'd never get in.
Seems like smoke and mirrors are a useful tool in a secure system's administration, but should never be the sole tool.
Also with regards to changing SSH port (Score:4, Insightful)
That proves the opposite of what people think. It was for a very long time extremely effective. The auto scanning l33t hax0r tools out there only looked for port 22 for SSH. They didn't scan the system. If they didn't find it, they moved on. I saw massive differences in the number of failed logins for servers on 22 and servers not.
Now that has largely changed, but it worked real well for like a decade-ish. That is not worthless. No it wasn't the only layer of security, it wasn't an excuse to ignore everything, but it did a hell of a job reducing attack profile and costs -nothing-.
The problem is geeks seem to think if security isn't perfect, it is worthless, which is stupid because in the physical world there's no such thing, EVER, as perfect security and since all computers are in the end physical entities, the same actually applies to computer security. It is all layers, it is all protection against different levels of threats.
Turns out simple obscurity can be really useful at times. It doesn't make you safe by itself, but it can make a breakin that much harder, and thus less likely.