Complete Microsoft EMET Bypass Developed
msm1267 writes "Researchers at Bromium Labs are expected to announce today they have developed an exploit that bypasses all of the mitigations in Microsoft's Enhanced Mitigation Experience Toolkit (EMET). Principal security researcher Jared DeMott delivered a presentation at the Security BSides conference explaining how the company's researchers were able to bypass all of the memory protections offered within the free Windows toolkit. The work is significant given that Microsoft has been quick to urge customers to install and run EMET as a temporary mitigation against zero-day exploits targeting memory vulnerabilities in Windows or Internet Explorer. The exploit bypasses all of EMET's mitigations, unlike previous bypasses that were able to beat only certain aspects of the tool. Researchers took a real-world IE exploit and tweaked it until they had a complete bypass of EMET's ROP, heap spray, SEHOP, ASLR, and DEP mitigations."
EMET is just a bunch of industry-standard mitigations (e.g. the kind of thing you get on Linux with grsecurity) - and several of them poorly implemented at that. They're mitigations - they make exploits harder, not impossible.
If you rely on EMET for security, you're doing it wrong. Stuff like EMET is just a speed bump. It's good to have, it should be enabled by default, and we should stop treating it like some magic "security on" switch.
Is this a general method for bypassing EMET protections, or is it only applicable to one specific IE exploit?
... the arms race continues!
EMET is not a cure-all, nor is it pushed as one. EMET is about standard best practices to mitigate many exploits (not all) and is still an excellent toolkit for what it offers; that doesn't mean you should rely on only it. And as usual the Slashdot summary comes across as far more negative than the actual article itself.
These bit-twiddling desperadoes should be arrested at once!
Pre beta I can read the complete (in most cases) text without leaving the main page. With Beta I have to queue the (perhaps interesting) readings in tabs and then review them (in order to avoid the back-and-forth). Bad UI, bad UX, bad design. Takes so much longer that I may just quit reading this site.
I think we'd probably be horrified to see z/OS implode if you installed it on a billion desktops, put billions of regular users browsing the web with it, and then unleashed malware writers on it.
In the event that an IBM System Integrity problem is reported, IBM will always take action to resolve it
I'm sure they'd be overwhelmed if the amount of exploit research activity was unleashed against it that is 'just another day' for windows.
Assuming of course, that z/OS is used by billions of people to browse the web etc, and an exploit only needs to get arbitrary code to run in the users shell to be devastating... it doesn't even need to gain root.
Not so well disguised advertisement is not so well disguised.
Not a lot of credible hackers allowed to play with multimillion dollar hulks that dim the lights. I am pretty sure most systems are exploitable in theory no matter how much marketing people believe.
Windows, any version, is architecturally insecure.
Actually every operating system is, and anything widely in use will be targeted, as has been demonstrated quite clearly in the past couple of weeks. We have had:
The Windows EMET vulnerability
The Android E-Z-2-Use drive-by vulnerability
The OSX & iOS SSL vulnerability
I disagree. It's the direct descendant of S/360 and has about 50 years of steady product improvements built in. Malware running with general user access rights cannot affect system processes in any way, and cannot alter (or read) any memory location that it doesn't have access to. The zSeries hardware, with the operating system, is a powerful combination that Windows and commodity hardware can't touch.
I'm a z/OS Operating Systems Programmer with 35+ years' experience, and while there have been published security and system integrity patches issued on occasion, Windows has it beat by a mile.
You can't even get a Windows computer on the net without a virus scanner, it will be exploited before you can apply the latest patches.
Stop perpetuating this idiocy. If your idea of "getting a Windows computer on the net" is downloading pornscreensaver.exe then you are doing it wrong. Seriously, I was right on thinking you had a pretty good idea what you were talking about until that point, and then I realized you're just an idiot.
You can't even get a Windows computer on the net without a virus scanner, it will be exploited before you can apply the latest patches.
Utter nonsense. When was the last time you installed Windows? 1998?
And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
xkcd
Security isn't about features, it's about code correctness.
I'll admit that 50 years of commercial success implies 50 years of bug fixes. But commercial applications do not stress systems the way malware hackers do. Do you care to claim that z/OS is without bugs entirely? Sure, not all bugs are exploitable, but the ratio of exploitable bugs to bugs in general holds fairly constant (some Microsoft researchers wrote a paper about this phenomenon, tracking and examining bugs in BSD implementations).
The whole "Windows has a larger profile" argument is false when applied against Linux, because for over 15 years Linux has had an enormous footprint on the internet which desktop jockeys are oblivious to in their mental calculations, not to mention the fact that it's open source and free, making it easier to find bugs--for both white and black hats.
But the profile argument might hold some water against z/OS.
Perhaps it would be useful to enumerate the architectural insecurities of Windows, and then how z/OS addresses or avoids these, rather than point out some IBM marketing statement and then ask if Microsoft has a similar such useless statement?
Also, if a program is *really* unable to circumvent z/OS System Integrity, why would there need to be a clause about taking action to solve System Integrity problems? And what is a protection key less than eight (8)? This torturous sentence is certainly secured against giving the reader any firm sense of what System Integrity actually is!
LOL, profit is great! And that's why I use open source, so I can maximize my profit instead of wasting it on vendor jerk-around. But shhh, don't tell my competitors.
It was probably much more recently, but he probably installed XP without any patches or service packs. That's how the YotLD people convince themselves they're going to win, they compare bleeding edge Linux products against XP and talk about how much more advanced Linux is.
That said, there is some truth in the fact that most Linux installations are architecturally more secure than most Windows PCs, but that has more to do with the fact that the market share for Linux-installed PCs running as general purpose computing devices configured to be used by non-technical end users is barely measurable. Servers don't count (most Windows servers don't have AV either), tablets don't count (though I actually do have AV on my Android), a locked-down box set up for your parents that you remotely administer doesn't count.
I'd also like to point out that in this day and age, the fact that you probably won't get root on Linux is a big "who cares": all the data which matters to the user is accessible by the user. Setting up data-encryption ransomware on Linux would be trivially easy and no less damaging than on Windows.
You mean how the cookie monster malware from the 1970s hit pdp and the 370 alike?
It would halt I/O unless you typed cookie on the teletype.
http://uanr.com/articles/virus.html
I hear the same stuff spewed by Linux fanboys who say rootkits are impossible. Yet get exploited. Where do you think the root in rootkit came from?
So basically if you don't use IE, then your EMET isn't vulnerable to this?
Linux and Mac have been making great strides on a much larger number of platforms
hahahahahahaha. Linux has made strides. OSX is full of holes and is just now starting to see researchers and malware authors focus on it. OSX is where Windows was in 2003-2005 security-wise.
BSD (all Apple products, servers responsible for the infrastructure of the Internet) WITHOUT any virus scanners
Managed by competent computer engineers, not your grandma who clicks everything and opens every attachment and installs 500 pieces of shit software.
You can't even get a Windows computer on the net without a virus scanner, it will be exploited before you can apply the latest patches.
Perhaps you should install the latest version? Would you install linux from 7 years ago and leave it on the net unprotected? no.
"...complete bypass of EMET's ROP, heap spray, SEHOP, ASLR, and DEP mitigations". All of these mitigations are pretty much state of the art and mandatory with most binaries and OSes compiled/built these days. It wasn't clear from the article if these were all generally bypassed or if something about EMET's implementation of them was at fault. Did they really get lucky with ASLR (1/256 chance), bypass DEP and heap spray detection, and exploit someone's IE session running as a standard user?
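One of the ROP mitigations in that list is a "caller" check: before a sensitive API (VirtualProtect, for instance) is allowed to run, the return address on the stack is inspected to see whether the instruction immediately before it is a CALL, because a real caller got there via CALL while a ROP chain arrives via RET. The following is an added illustration of that heuristic, not EMET's or Bromium's code; it assumes 32-bit x86 encodings, a flat byte buffer standing in for code memory, and constructed sample sequences. It also shows the heuristic's known blind spot: a gadget that ends in an indirect CALL rather than RET satisfies the check just as well as a legitimate caller.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Return 1 if the instruction that ends at code[ret_off] decodes as an
 * x86 CALL (E8 rel32 or FF /2), 0 otherwise. ret_off is the offset the
 * return address points at, i.e. the byte after the supposed CALL.
 * This is a heuristic: it walks backwards over candidate lengths, so a
 * byte that merely looks like E8/FF (e.g. inside an immediate) can give
 * a false positive, and it decodes no prefixes.
 */
int preceded_by_call(const uint8_t *code, size_t len, size_t ret_off)
{
    if (ret_off > len)
        return 0;

    /* E8 rel32: 5-byte direct call */
    if (ret_off >= 5 && code[ret_off - 5] == 0xE8)
        return 1;

    /* FF /2: indirect call; total length depends on ModRM (and SIB) */
    for (size_t n = 2; n <= 7; n++) {
        if (ret_off < n)
            break;
        size_t p = ret_off - n;
        if (code[p] != 0xFF)
            continue;
        uint8_t modrm = code[p + 1];
        unsigned mod = modrm >> 6, reg = (modrm >> 3) & 7, rm = modrm & 7;
        if (reg != 2)               /* /2 selects CALL in the FF group */
            continue;

        size_t want;
        if (mod == 3) {
            want = 2;               /* call reg */
        } else if (mod == 0) {
            if (rm == 5)
                want = 6;           /* call [disp32] */
            else if (rm == 4)       /* SIB follows; base==5 means disp32 */
                want = ((code[p + 2] & 7) == 5) ? 7 : 3;
            else
                want = 2;           /* call [reg] */
        } else if (mod == 1) {
            want = (rm == 4) ? 4 : 3;   /* call [reg+disp8] */
        } else {
            want = (rm == 4) ? 7 : 6;   /* call [reg+disp32] */
        }
        if (want == n)
            return 1;
    }
    return 0;
}

/* Constructed samples (not captured from any real binary). */

/* nop; call rel32; <return address here> : a legitimate caller */
int demo_direct_call(void)
{
    const uint8_t c[] = { 0x90, 0xE8, 0x00, 0x00, 0x00, 0x00, 0xCC };
    return preceded_by_call(c, sizeof c, 6);
}

/* pop ebx; ret; <address here> : a classic ret-terminated gadget,
   so a chain that "returns" into the API from here fails the check */
int demo_after_ret(void)
{
    const uint8_t c[] = { 0x5B, 0xC3, 0xCC };
    return preceded_by_call(c, sizeof c, 2);
}

/* pop ebx; call eax; <address here> : a call-terminated gadget passes,
   which is why a return-address heuristic alone is a speed bump */
int demo_call_gadget(void)
{
    const uint8_t c[] = { 0x5B, 0xFF, 0xD0, 0xCC };
    return preceded_by_call(c, sizeof c, 3);
}

int main(void)
{
    printf("direct call  : %d (expect 1)\n", demo_direct_call());
    printf("after ret    : %d (expect 0)\n", demo_after_ret());
    printf("call gadget  : %d (expect 1)\n", demo_call_gadget());
    return 0;
}
```

The point of the third sample is the one the thread keeps circling: the check raises the cost of a chain (the attacker now needs a gadget ending in `call reg` that lands on the API with the right register loaded), but it does not remove the primitive.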
@bloodhawk: "EMET is not a cure all, nor is it pushed as one. EMET is about standard best practises to mitigate many exploits (not all) and is still an excellent toolkit for what it offers, that doesn't mean you should rely on only it. And as usual the Slashdot summary comes across as far more negative than the actual article itself"
"The impact of this study shows that technologies that operate on the same plane of execution as potentially malicious code, offer little lasting protection. This is true of EMET and other similar userland protections."
How dare you criticise MICROS~1 ..
Why do you mention Linux? This sub-thread compared Windows against z/OS. The "market share" for z/OS as a general compute device is, of course, even less than Linux. However, z/OS is arguably much more secure than Windows.
Why is it that Windows criticism is taken as Linux support? Linux has its place (and I use it as my primary OS) but I certainly wouldn't claim it is secure. Windows should be secure, given that it is pre-installed on almost every consumer computing product.
Just another "Cubible(sic) Joe" 2 17 3061
And for a desktop, no one gives a crap.
Everything that matters to a user is sitting in folders that they can, by necessity, access. Your documents, your web browser session, and everything else that is even remotely important to you is available with no escalated privileges whatsoever. Yes, they can't necessarily root your device, but to be honest, unless you're actually running in a true multi-user environment (which almost no desktop is), it's cold comfort that your PC works if your data is gone.
Because GP mentioned them. The overall subthread may be about z/OS, but this particular branch was arguing that the "no one uses it" was BS because iOS and Linux servers are secure without AV.
That proves the opposite of what people think. It was for a very long time extremely effective. The auto scanning l33t hax0r tools out there only looked for port 22 for SSH. They didn't scan the system. If they didn't find it, they moved on. I saw massive differences in the number of failed logins for servers on 22 and servers not.
Now that has largely changed, but it worked real well for like a decade-ish. That is not worthless. No it wasn't the only layer of security, it wasn't an excuse to ignore everything, but it did a hell of a job reducing attack profile and costs -nothing-.
The problem is geeks seem to think if security isn't perfect, it is worthless, which is stupid because in the physical world there's no such thing, EVER, as perfect security and since all computers are in the end physical entities, the same actually applies to computer security. It is all layers, it is all protection against different levels of threats.
Turns out simple obscurity can be really useful at times. It doesn't make you safe by itself, but it can make a breakin that much harder, and thus less likely.
Cookie Monster was a prank program that required the user to install and run it with their own permissions. It didn't attempt to reproduce, spread or conceal itself.
Especially as there are no default ports that are open.
No active ports, no vulnerability to network attack.
Or more to the point, if you want a simple method to get a Windows computer patched and all the "fun" programs installed, then you:
1. On another computer, download, unpack and run WSUSOffline and build an update package.
2. Also visit ninite.com and grab an install loader for your "fun" programs (like Firefox, LibreOffice and such).
3. Do the initial setup on your computer and get to the desktop.
4. Run the WSUSOffline updater.
5. Run the ninite.com install loader.
6. Profit!!
Any person using FTFY or editing my postings agrees to a US$50.00 charge
So... EMET is SHEKER?
That's just bullshit.
Your browser process, like all other general user processes, has the rights to read and write user files, including but not limited to saved passwords, credit-card numbers, personal documents and nearly everything important to the user; in fact the only things that might remain secure are those stored in encrypted storage by a combination of user and application keys. It also has the rights to download and execute new programs. So generally malware doesn't need admin rights to do harm, although it might need admin rights to hide itself. It also has no problem pretending to be a system app asking for the admin password or elevation of rights.
Unless you want your desktop PC to have the same shit of constraints applied on mainframe - program A can only read file X, program B can only write file Y, program C can only allocate Z amounts of RAM, blah blah. That just sucks.
1996 ;)
I don't read your sig. Why are you reading mine?
I blame the Vogons.
Oh, how the mighty slashdot has fallen, when a logged in slashdotter makes the insightful comment that Windows was never designed with security in mind. Although they did better with Vista and 7 than previous OSes it's still the most insecure OS I know of.
Yet he gets modded -1 troll for a factual comment. Do we have more shills than real users? Or are anti-MS comments being modded down by editors on orders of Dice because Microsoft is advertising here?
Either way, it saddens me.
Free Martian Whores!
Most malware (even with privilege escalation bugs) is installed by the user.
Most *nix Internet boxes are: admins who know better, web servers that won't have anything installed anyway.
And how many kiddies scanning for SSH will just scan for 22, 222, 2222 and 22222 and the like vs. say 19876 looking for SSH? If they want SSH access, they won't do a full port scan of all the IPs, they'll scan for a select set of known or probable "hidden" SSH ports on as many IPs as they can.
So yes, it's effective.
If someone is targeting YOU, they will scan all your ports and they will probably even try to speak SSH to you, if the reply on the port is from something that seems to be an Apache webserver.
Someone at Microsoft has a really creepy obsession with the word "Experience." Just stop already!
Why do you refuse to disprove these 232 points? Because you can't & you're a shitty spamming troll.
http://tech.slashdot.org/comments.pl?sid=4829029&cid=46338565
APK
You're wrong. I don't even downmod you myself. I just flag your posts as spam (which they indisputably are), and then the Slashdot staff downmods you with their unlimited points. I save my own limited points for much more important people.
Good luck reposting your justifiably downmodded posts after the discussion has been archived.
http://tech.slashdot.org/comments.pl?sid=4829029&cid=46367135
http://tech.slashdot.org/comments.pl?sid=4829029&cid=46367461
& my dust after THIS -> http://tech.slashdot.org/comments.pl?sid=4829029&cid=46338565
* :)
(See how the "damaged fragile ego" of these "wannabes" like marsu_k react, 'stalking you' IF & WHEN you "get the better of them" on what THEY *think* is "their ballcourt"... lol, too bad marsu_k had to 'eat it' the way he did (his words, & MY DUST!!!)).
APK
P.S.=> Eat your words & "eat my dust" chump... you failed as always!
... apk
Especially the part about malwarebytes' S. Burn verifying my code http://yro.slashdot.org/comments.pl?sid=4539709&cid=45664491
* You PUNY trolls - you're ALL the same: Always "avoiding" the issue!
(... & the issue here was that you MUST disprove my 17 points favoring hosts files I listed here @ the download page for it -> http://start64.com/index.php?option=com_content&view=article&id=5851:apk-hosts-file-engine-64bit-version&catid=26:64bit-security-software&Itemid=74
APK
P.S.=> You FAIL on all levels puny troll (including avoiding disproving my points as you were challenged to do here -> http://tech.slashdot.org/comments.pl?sid=4829029&cid=46337673 )
Especially vs. the FACT I have backing proof from folks in the security community (who've seen my sourcecode & verified it) as well as passing it thru the JOTTI online tests & disproving FALSE POSITIVES on it from 6 antivirus vendors (Symantec/Comodo/ClamAV/Sophos/ArcaVir & CA before that on another ware even))
You trolls - you JUST DO NOT "GET IT", do you? I take what YOU fools consider "experts" & school them, regularly - it's just what I do/how I roll... apk
It's not polite to talk with your mouth full too (of you "eating your words", lol): http://tech.slashdot.org/comme...
"Eat my dust" along with your words too troll (lmao), & wash it all down with "the bitter taste of 'SELF-defeat', & your foot in your mouth, ramming it all down (lol) finally, troll...
APK
P.S.=> I love it - since everytime you "run, forrest: RUN!!!" from disproving my points in favor of custom hosts files adding speed, security, reliability & even anonymity for end uses of them, you ONLY MAKE ME STRONGER: Thank-You (for being so absolutely stupid)...
... apk