Slashdot Mirror


Complete Microsoft EMET Bypass Developed

msm1267 writes "Researchers at Bromium Labs are expected to announce today they have developed an exploit that bypasses all of the mitigations in Microsoft's Enhanced Mitigation Experience Toolkit (EMET). Principal security researcher Jared DeMott delivered a presentation at the Security BSides conference explaining how the company's researchers were able to bypass all of the memory protections offered within the free Windows toolkit. The work is significant given that Microsoft has been quick to urge customers to install and run EMET as a temporary mitigation against zero-day exploits targeting memory vulnerabilities in Windows or Internet Explorer. The exploit bypasses all of EMET's mitigations, unlike previous bypasses that were able to beat only certain aspects of the tool. Researchers took a real-world IE exploit and tweaked it until they had a complete bypass of EMET's ROP, heap spray, SEHOP, ASLR, and DEP mitigations."

15 of 116 comments

  1. Is anyone surprised? by Anonymous Coward · · Score: 5, Interesting

    EMET is just a bunch of industry-standard mitigations (e.g. the kind of thing you get on Linux with grsecurity) - and several of them poorly implemented at that. They're mitigations - they make exploits harder, not impossible.

    If you rely on EMET for security, you're doing it wrong. Stuff like EMET is just a speed bump. It's good to have, it should be enabled by default, and we should stop treating it like some magic "security on" switch.

    1. Re:Is anyone surprised? by TapeCutter · · Score: 2

      Yep, just one more step in a never ending arms race.

      --
      And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
    2. Re:Is anyone surprised? by cheater512 · · Score: 5, Insightful

      I disagree. It is like changing the SSH port.

      It gives the *illusion* of security, which makes people slack.
      E.g. My SSH password is 123456 but don't worry, it's ok! I changed the SSH port to 1234 so I'm safe.

      I avoid smoke and mirrors security as much as possible.

    3. Re:Is anyone surprised? by Tanktalus · · Score: 5, Insightful

      So, you don't use a club on your steering wheel, you don't bother hiding valuables in your trunk, leaving them in plain view, and, really, since a professional can get in the car anyway, just leave the doors unlocked. It's all smoke and mirrors anyway.

      If a malicious attacker/user is portscanning your system and finds that port 22 is open, they're going to assume an ssh attack. If they find port 1234, they may move on to another target that has port 22 open instead. Of course, if they're really after you, and not just throwing a wide net, then such shenanigans aren't going to stop them, though it might slow them down for a little while while they try to figure out what's listening on which non-standard port.

      If a script kiddie is doing the same, most likely port 1234 would be enough to fool them, and they'd never get in.

      Seems like smoke and mirrors are a useful tool in a secure system's administration, but should never be the sole tool.

    4. Re:Is anyone surprised? by ichthus · · Score: 2

      Exactly. It's like burying the spare key in your garden, as opposed to putting it under the door mat. It's security through obscurity, but it IS effective.

      --
      sig: sauer
    5. Re:Is anyone surprised? by Anonymous Coward · · Score: 4, Informative

      I disagree. It is like changing the SSH port.

      It gives the *illusion* of security, which makes people slack. E.g. My SSH password is 123456 but don't worry, it's ok! I changed the SSH port to 1234 so I'm safe.

      I avoid smoke and mirrors security as much as possible.

      More fool you. Smoke and mirrors, despite its negative security connotations, is actually an invaluable security mechanism that is denigrated by those that don't know better. Something as simple as a port change, while providing no real security improvement, does immediately negate a whole heap of script kiddies and automated tools that instantly pop up when a new exploit is discovered. Yes, it offers nothing against a targeted attack, but most attacks are NOT specifically targeted; they hunt for easy victims on known common configurations. Every tool that reduces even the most basic of attacks SHOULD be something you value in your arsenal.

    6. Re:Is anyone surprised? by cheater512 · · Score: 3, Informative

      Erm, you do know that SSH broadcasts its presence as soon as you connect, right?

      Try "telnet server.com 22" and you'll see how nice and obvious it is that you've found an SSH server.
      You'll get a nice banner like "SSH-2.0-OpenSSH_6.0p1 Debian-3ubuntu1"

      The moment the port scan finds it, they know it is SSH.
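The point of the comment above is that the SSH identification string (RFC 4253, "SSH-protoversion-softwareversion SP comments CR LF") gives the service away whatever port it sits on. As an added example that is not part of the thread, here is a small Python parser for that string, applied to constructed responses from a few ports, as a defender might use it to inventory their own hosts for SSH on non-standard ports and for servers still advertising SSH-1 compatibility. The sample responses and the port numbers are constructed for illustration.

```python
import re
from typing import Dict, Optional

# RFC 4253 section 4.2: the server may send arbitrary text lines before the
# identification string, but the identification line itself starts with "SSH-".
_ID_RE = re.compile(
    r"^SSH-(?P<proto>[^-\r\n]+)-(?P<software>\S+)(?: (?P<comments>[^\r\n]*))?$"
)

# Constructed responses as they might be read off a socket right after connect.
# Port 1234 is the "hidden" SSH server from the discussion; it is no less obvious.
SAMPLE_RESPONSES: Dict[int, bytes] = {
    22: b"SSH-2.0-OpenSSH_6.0p1 Debian-3ubuntu1\r\n",
    1234: b"SSH-2.0-OpenSSH_6.0p1 Debian-3ubuntu1\r\n",
    2222: b"Authorized use only\r\nSSH-1.99-ExampleSSH_1.0\r\n",  # preamble line, then v1-compatible banner
    80: b"HTTP/1.1 400 Bad Request\r\n\r\n",
}


def parse_ssh_banner(data: bytes) -> Optional[Dict[str, str]]:
    """Return the parsed SSH identification string found in `data`, or None if absent."""
    for raw_line in data.split(b"\n"):
        line = raw_line.rstrip(b"\r").decode("ascii", errors="replace")
        match = _ID_RE.match(line)
        if match:
            return {
                "proto": match.group("proto"),
                "software": match.group("software"),
                "comments": match.group("comments") or "",
            }
    return None


def find_ssh_services(responses: Dict[int, bytes]) -> Dict[int, Dict[str, object]]:
    """Map each port that speaks SSH to its parsed banner plus a legacy-protocol flag.

    "SSH-1.99" means the server still negotiates protocol version 1 with old
    clients, which is worth flagging during an inventory.
    """
    found: Dict[int, Dict[str, object]] = {}
    for port, data in sorted(responses.items()):
        banner = parse_ssh_banner(data)
        if banner is None:
            continue
        found[port] = {**banner, "legacy_v1": banner["proto"].startswith("1.")}
    return found


if __name__ == "__main__":
    for port, info in find_ssh_services(SAMPLE_RESPONSES).items():
        print(f"port {port}: {info['software']} (proto {info['proto']}, legacy_v1={info['legacy_v1']})")
```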

    7. Re:Is anyone surprised? by marsu_k · · Score: 5, Funny

      Shhhh, quiet, you'll summon APK. I've heard if you say "HOSTS file" in front of a mirror three times he'll appear in person.

    8. Re:Is anyone surprised? by Zero__Kelvin · · Score: 2

      Your assessment is quite inaccurate. Changing your port number is indeed a very good idea. The mistake one might make is in thinking that is all that is necessary. I would go so far as to say that if you don't change your port number because "it provides the illusion of security" when you know damn well it is only one of many measures one should take, then you are being very foolish. Just because removing low hanging fruit doesn't stop all the vermin, that is no reason to refuse to minimize the attack surface by changing port numbers.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  2. Can someone explain... by nuckfuts · · Score: 2, Insightful

    Is this a general method for bypassing EMET protections, or is it only applicable to one specific IE exploit?

    1. Re:Can someone explain... by hweimer · · Score: 3, Informative

      As far as I can see, they do not rely on a specific IE vulnerability for inserting the payload, but they rely on a specific (and fixed) Windows vulnerability to bypass ASLR, which is a crucial component of EMET. They claim in a footnote that the "IE flaw could be modified to leak the base address of a DLL in another way", but they do not provide a working exploit that does so.

      --
      OS Reviews: Free and Open Source Software
  3. EMET was never meant as a cure all by bloodhawk · · Score: 4, Insightful

    EMET is not a cure all, nor is it pushed as one. EMET is about standard best practises to mitigate many exploits (not all) and is still an excellent toolkit for what it offers, that doesn't mean you should rely on only it. And as usual the Slashdot summary comes across as far more negative than the actual article itself.

  4. Re:Architecturally Insecure by TapeCutter · · Score: 3, Informative

    You can't even get a Windows computer on the net without a virus scanner, it will be exploited before you can apply the latest patches.

    Utter nonsense, when was the last time you installed Windows? - 1998?

    --
    And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
  5. Re:Architecturally Insecure by Eskarel · · Score: 2

    And for a desktop, no one gives a crap.

    Everything that matters to a user is sitting in folders that they can, by necessity, access. Your documents, your web browser session, and everything else that is even remotely important to you is available with no escalated privileges whatsoever. Yes, they can't necessarily root your device, but to be honest, unless you're actually running in a true multi-user environment (which almost no desktop is), it's cold comfort that your PC works if your data is gone.

  6. Also with regards to changing SSH port by Sycraft-fu · · Score: 3, Insightful

    That proves the opposite of what people think. It was for a very long time extremely effective. The auto scanning l33t hax0r tools out there only looked for port 22 for SSH. They didn't scan the system. If they didn't find it, they moved on. I saw massive differences in the number of failed logins for servers on 22 and servers not.

    Now that has largely changed, but it worked real well for like a decade-ish. That is not worthless. No it wasn't the only layer of security, it wasn't an excuse to ignore everything, but it did a hell of a job reducing attack profile and costs -nothing-.

    The problem is geeks seem to think if security isn't perfect, it is worthless, which is stupid because in the physical world there's no such thing, EVER, as perfect security and since all computers are in the end physical entities, the same actually applies to computer security. It is all layers, it is all protection against different levels of threats.

    Turns out simple obscurity can be really useful at times. It doesn't make you safe by itself, but it can make a breakin that much harder, and thus less likely.