Complete Microsoft EMET Bypass Developed
msm1267 writes "Researchers at Bromium Labs are expected to announce today they have developed an exploit that bypasses all of the mitigations in Microsoft's Enhanced Mitigation Experience Toolkit (EMET). Principal security researcher Jared DeMott delivered a presentation at the Security BSides conference explaining how the company's researchers were able to bypass all of the memory protections offered within the free Windows toolkit. The work is significant given that Microsoft has been quick to urge customers to install and run EMET as a temporary mitigation against zero-day exploits targeting memory vulnerabilities in Windows or Internet Explorer. The exploit bypasses all of EMET's mitigations, unlike previous bypasses that were able to beat only certain aspects of the tool. Researchers took a real-world IE exploit and tweaked it until they had a complete bypass of EMET's ROP, heap spray, SEHOP, ASLR, and DEP mitigations."
Is anyone surprised? (Score:5, Interesting)
EMET is just a bunch of industry-standard mitigations (e.g. the kind of thing you get on Linux with grsecurity) - and several of them poorly implemented at that. They're mitigations - they make exploits harder, not impossible.
If you rely on EMET for security, you're doing it wrong. Stuff like EMET is just a speed bump. It's good to have, it should be enabled by default, and we should stop treating it like some magic "security on" switch.
Re: (Score:3)
Re: (Score:1)
The same could be said for Linux (grsecurity being a patchset against vanilla Linux). OpenBSD enables these measures by default, which shook out tons of bugs in ports/software. They're just good measures, period, but obviously not a panacea.
Re:Is anyone surprised? (Score:5, Insightful)
I disagree. It is like changing the SSH port.
It gives the *illusion* of security, which makes people slack.
E.g. My SSH password is 123456 but don't worry it's ok! I changed the SSH port to 1234 so I'm safe.
I avoid smoke and mirrors security as much as possible.
Re: (Score:1)
Re: (Score:2)
HOSTS are the key to everything! $10,000 challenge!
Re:Is anyone surprised? (Score:5, Funny)
Re: (Score:2)
Re:Is anyone surprised? (Score:5, Insightful)
So, you don't use a club on your steering wheel, you don't bother hiding valuables in your trunk, leaving them in plain view, and, really, since a professional can get in the car anyway, just leave the doors unlocked. It's all smoke and mirrors anyway.
If a malicious attacker/user is portscanning your system and finds that port 22 is open, they're going to assume an ssh attack. If they find port 1234, they may move on to another target that has port 22 open instead. Of course, if they're really after you, and not just throwing a wide net, then such shenanigans aren't going to stop them, though it might slow them down for a little while while they try to figure out what's listening on which non-standard port.
If a script kiddie is doing the same, most likely port 1234 would be enough to fool them, and they'd never get in.
Seems like smoke and mirrors are a useful tool in a secure system's administration, but should never be the sole tool.
Re: (Score:3)
Re: (Score:1)
Changing the SSH port is effective in reducing the number of entries in your log files. It's not effective in increasing your security. I do find the log file thing a great enough benefit to go ahead and do this.
Re: (Score:2)
It removes your system from being the low-hanging fruit on the bottom branch, to something harder to reach from the ground. That it also lessens the amount of entries in the log files is a nice bonus. Instead of being attacked a few hundred times per day on the standard port, now you're only be
Re: (Score:2)
Re:Is anyone surprised? (Score:4, Informative)
Erm you do know that SSH broadcasts its presence as soon as you connect right?
Try "telnet server.com 22" and you'll see how nice and obvious it is that you've found a SSH server.
You'll get a nice banner like "SSH-2.0-OpenSSH_6.0p1 Debian-3ubuntu1"
The moment the port scan finds it, they know it is SSH.
Re: (Score:1)
Re: (Score:1)
Or more specifically you get: "Connection refused. Unable to connect to host" At that point, who cares what port number you're running on, unless someone's able to brute force your 4096-bit key, you're fine.
Re: (Score:2)
sudo su - test ::1...
[test@localhost ~]$ ssh coolsnowmen@localhost
Permission denied (publickey).
[test@localhost ~]$ telnet localhost 22
Trying
Connected to localhost.
Escape character is '^]'.
SSH-2.0-OpenSSH_6.2
Also with regards to changing SSH port (Score:4, Insightful)
That proves the opposite of what people think. It was for a very long time extremely effective. The auto scanning l33t hax0r tools out there only looked for port 22 for SSH. They didn't scan the system. If they didn't find it, they moved on. I saw massive differences in the number of failed logins for servers on 22 and servers not.
Now that has largely changed, but it worked real well for like a decade-ish. That is not worthless. No it wasn't the only layer of security, it wasn't an excuse to ignore everything, but it did a hell of a job reducing attack profile and costs -nothing-.
The problem is geeks seem to think if security isn't perfect, it is worthless, which is stupid because in the physical world there's no such thing, EVER, as perfect security and since all computers are in the end physical entities, the same actually applies to computer security. It is all layers, it is all protection against different levels of threats.
Turns out simple obscurity can be really useful at times. It doesn't make you safe by itself, but it can make a breakin that much harder, and thus less likely.
Re: (Score:2)
No, geeks generally just look for a better way. Moving SSH to a nonstandard port makes it harder to use. There are better tools like iptables rules which can limit the maximum number of connections from a given host to say five per minute, or whatever value is reasonable in your case. This way you don't have to remember to specify the nonstandard port every time, but it's still completely effective in preventing brute force attacks. The stupid scanners will find you, try five times, then get no response and assume the host
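The per-host threshold the comment above describes (a handful of attempts per minute, after which the source is ignored) can also be applied on the log side before a firewall rule is added. The script below is an added example, not code from the thread: it parses constructed sshd auth.log lines and reports any source that exceeds a sliding-window limit of five failed logins in sixty seconds.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd log lines in syslog format (sample data, not from the thread).
SAMPLE_LOG = """\
Feb 24 10:00:01 host sshd[101]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Feb 24 10:00:05 host sshd[102]: Failed password for invalid user admin from 198.51.100.7 port 40002 ssh2
Feb 24 10:00:09 host sshd[103]: Failed password for root from 198.51.100.7 port 40003 ssh2
Feb 24 10:00:14 host sshd[104]: Failed password for root from 198.51.100.7 port 40004 ssh2
Feb 24 10:00:20 host sshd[105]: Failed password for root from 198.51.100.7 port 40005 ssh2
Feb 24 10:00:25 host sshd[106]: Failed password for root from 198.51.100.7 port 40006 ssh2
Feb 24 10:00:30 host sshd[107]: Failed password for alice from 203.0.113.9 port 50001 ssh2
Feb 24 10:02:30 host sshd[108]: Failed password for alice from 203.0.113.9 port 50002 ssh2
Feb 24 10:02:31 host sshd[109]: Accepted publickey for alice from 203.0.113.9 port 50003 ssh2
"""

# Matches only failed password attempts; "invalid user" is optional.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

def parse_failures(log_text, year=2014):
    """Yield (timestamp, source_ip) for each failed-password line.
    Syslog lines carry no year, so one is assumed for parsing."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]

def find_bruteforcers(log_text, limit=5, window_s=60):
    """Return {ip: time the limit was first exceeded} for every source with
    more than `limit` failures inside any `window_s`-second sliding window."""
    recent = defaultdict(deque)
    offenders = {}
    for ts, ip in parse_failures(log_text):
        q = recent[ip]
        q.append(ts)
        # Drop attempts that have aged out of the window for this source.
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) > limit and ip not in offenders:
            offenders[ip] = ts
    return offenders

if __name__ == "__main__":
    for ip, when in find_bruteforcers(SAMPLE_LOG).items():
        print(f"{ip} exceeded the limit at {when:%H:%M:%S}")
```

In the sample, 198.51.100.7 makes six failed attempts within 25 seconds and is flagged; 203.0.113.9 fails twice two minutes apart and is not.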
Re:Is anyone surprised? (Score:4, Informative)
I disagree. It is like changing the SSH port.
It gives the *illusion* of security, which makes people slack. E.g. My SSH password is 123456 but don't worry it's ok! I changed the SSH port to 1234 so I'm safe.
I avoid smoke and mirrors security as much as possible.
more fool you. smoke and mirrors despite its negative security connotations is actually an invaluable security mechanism that is denigrated by those that don't know better. Something as simple as a port change while providing no real security improvement does immediately negate a whole heap of script kiddies and automated tools that instantly pop up when a new exploit is discovered, yes it offers nothing against a targeted attack, but most attacks are NOT specifically targeted, they hunt for easy victims on known common configurations. Every tool that reduces even the most basic of attacks SHOULD be something you value in your arsenal.
Re: (Score:2)
If you expose easily exploited stuff, you deserve to get owned.
They try stuff like username 'admin' password '123456'. If that is an issue for your server you are an idiot.
If you say use SSH keys then you don't have to give the script kiddies and automated attacks a second thought - they will *never* get in.
Re: (Score:2)
Please tell me you don't take money from anyone in exchange for computer security advice.
Re: (Score:2)
Yes I do as a matter of fact.
Please tell me what I'm doing wrong:
- SSH keys where possible
- Mandatory randomly generated passwords for the accounts that can't use SSH keys
- Only HTTP, DNS and SSH are exposed via the hardware load balancer
- Software is updated every 6 - 12 months, or when a specific threat is discovered.
Oh no! I've got SSH on port 22. I'm going to get hacked now!!!!
Re: (Score:2)
You answered your own question. Now, nobody is saying that it is a critical mistake, or that you will get cracked (it's cracked, BTW), but you will get more cracking attempts. Since it is a very, very simple thing to use non-standard ports it is foolish not to reduce your attack surface. There is also something I didn't see you mention and one could argue that by not doing it in 2014 you are doing it w
Re: (Score:3)
Re: (Score:2)
I agree. Passwords are insecure, so I've compiled a custom version of linux that just asks your username and lets you in. Saves me from fielding all those pesky "I forgot my password" calls. Works great.
Re: (Score:1)
Re: (Score:2)
EMET is a dirty hack to fix a host of real problems. It is not surprising it does not really work. The only approach that works is not to have those easily exploited vulnerabilities in the first place. That requires developers with a strong security mind-set and a very conservative attitude towards new features. Microsoft lacks both.
Re: (Score:1)
From Microsoft's own description of EMET: "These security mitigation technologies do not guarantee that vulnerabilities cannot be exploited. However, they work to make exploitation as difficult as possible to perform."
Source: http://support.microsoft.com/kb/2458544
Can someone explain... (Score:3, Insightful)
Re:Can someone explain... (Score:4, Informative)
As far as I can see, they do not rely on a specific IE vulnerability for inserting the payload, but they rely on a specific (and fixed) Windows vulnerability [mitre.org] to bypass ASLR [wikipedia.org], which is a crucial component of EMET. They claim in a footnote that the "IE flaw could be modified to leak the base address of a DLL in another way", but they do not provide a working exploit that does so.
EMET was never meant as a cure all (Score:5, Insightful)
Slashdot summary more negative than article? (Score:1)
“The impact of this study shows that technologies that operate on the same plane of execution as potentially malicious code, offer little lasting protection,
Re: (Score:1)
This is very naughty. (Score:1)
These bit-twiddling desperadoes should be arrested at once!
Beta is a PAIN! (Score:1, Informative)
Pre beta I can read the complete (in most cases) text without leaving the main page. With Beta I have to queue the (perhaps interesting) readings in tabs and then review them (in order to avoid the back-and-forth). Bad UI, bad UX, bad design. Takes so much longer that I may just quit reading this site.
Re: (Score:2)
Maybe you should read the paper they link in.
Basically, most of the security is incomplete or easily ignored / bypassed.
On a stock system, with EMET defaults enabled, there are certain critical things that aren't done (hooking an old API that marks memory as executable, etc.). Even if they could be done, the way I read through the paper suggests that there are SO MANY alternatives they could have used that it's going to be finger-in-the-dyke hole-blocking rather than a blanket fix.
A lot of the things they
Idiomatic ramifications (Score:1)
So... EMET is SHEKER?
experience (Score:2)
Someone at Microsoft has a really creepy obsession with the word "Experience." Just stop already!
Re: (Score:1)
I think we'd probably be horrified to see z/OS implode if you installed it on a billion desktops, put billions of regular users browsing the web with it, and then unleashed malware writers on it.
In the event that an IBM System Integrity problem is reported, IBM will always take action to resolve it
I'm sure they'd be overwhelmed if the amount of exploit research activity was unleashed against it that is 'just another day' for windows.
Assuming of course, that z/OS is used by billions of people to browse the
Re: (Score:2)
I disagree. It's the direct descendant of S/360 and has about 50 years of steady product improvements built in. Malware running with general user access rights cannot affect system processes in any way, and cannot alter (or read) any memory location that it doesn't have access to. The zSeries hardware, with the operating system, is a powerful combination that Windows and commodity hardware can't touch.
I'm a zOS Operating Systems Programmer with 35+ years experience, and while there have been published secur
Re: (Score:2)
Cookie Monster was a prank program that required the user to install and run it with their own permissions. It didn't attempt to reproduce, spread or conceal itself.
Re: (Score:3)
And for a desktop, no one gives a crap.
Everything that matters to a user is sitting in folders that they can, by necessity, access. Your documents, your web browser session, and everything else that is even remotely important to you is available with no escalated privileges whatsoever. Yes, they can't necessarily root your device, but to be honest, unless you're actually running in a true multi-user environment (which almost no desktop is), it's cold comfort that your PC works if your data is gone.
Re: (Score:2)
or more to the point if you want a simple method to get a Windows computer patched and all the "fun" programs installed then you
1 on another computer download unpack and run WSUSOffline and build an update package
2 also visit ninite.com and grab a install loader for your "fun" programs (like firefox libreoffice and such)
3 do the initial setup on your computer and get to the desktop
4 run the WSUSOffline updater
5 run the ninite.com install loader
6 Profit!!
Re:Architecturally Insecure (Score:4, Informative)
You can't even get a Windows computer on the net without a virus scanner, it will be exploited before you can apply the latest patches.
Utter nonsense, when was the last time you installed Windows? - 1998?
Re: (Score:1)
It was probably much more recently, but he probably installed XP without any patches or service packs. That's how the YotLD people convince themselves they're going to win, they compare bleeding edge Linux products against XP and talk about how much more advanced Linux is.
That said there is some truth in the fact that most Linux installations are architecturally more secure than most Windows PC's, but that has more to do with the fact that the market share for Linux installed PC's running as general purpose
Re: (Score:2)
Why do you mention Linux? This sub-thread compared Windows against z/OS. The "market share" for z/OS as a general compute device is, of course, even less than Linux. However, z/OS is arguably much more secure than Windows.
Why is it that Windows criticism is taken as Linux support? Linux has its place (and I use it as my primary OS) but I certainly wouldn't claim it is secure. Windows should be secure, given that it is pre-installed on almost every consumer computing product.
Re: (Score:2)
Because GP mentioned them. The overall subthread may be about z/OS, but this particular branch was arguing that the "no one uses it" was BS because iOS and Linux servers are secure without AV.
Re: Architecturally Insecure (Score:2)
1996 ;)
Re: (Score:1)
re: Architecturally Insecure, Score:0, Troll .. (Score:1)
Re: (Score:2)
Oh, how the mighty slashdot has fallen, when a logged in slashdotter makes the insightful comment that Windows was never designed with security in mind. Although they did better with Vista and 7 than previous OSes it's still the most insecure OS I know of.
Yet he gets modded -1 troll for a factual comment. Do we have more shills than real users? Or are anti-MS comments being modded down by editors on orders of Dice because Microsoft is advertising here?
Either way, it saddens me.