Saturday, April 26, 2014

A brief mention regarding MS EMET…that lengthens

Let’s just let Microsoft explain what EMET is about for starters:

EMET anticipates the most common techniques adversaries might use and shields computer systems against those security threats. EMET uses security mitigation technologies such as Data Execution Prevention (DEP), Mandatory Address Space Layout Randomization (ASLR), Structured Exception Handler Overwrite Protection (SEHOP), Export Address Table Access Filtering (EAF), Anti-ROP, and SSL/TLS Certificate Trust Pinning, to help protect computer systems from new or undiscovered threats. EMET can also protect legacy applications or third party line of business applications where you do not have access to the source code.

Basically it keeps a specialized eye on your Windows system and tries to keep everyone at the card-game honest by blocking “tricky” program application methods that could be malicious.

It doesn’t rely on traditional “file-based” signature checks like some AV products do but rather keeps in check what programs are allowed to do.

Anyhow, here are some related posts and links for more info…bear with me, I’m going somewhere with this post…

All that to say that, many moons ago, the dear TinyApps blogger sent me a tip towards the following security news post:

Crash, bang, boom: Down go all the major browsers at Pwn2Own - ZDNet. From that article, the following observation was highlighted for me, emphasis mine:

The other browsers were also in for more pain. IE 11, Firefox 27, and Safari 7 all got hammered before the competition came to an end. Only one hacker prize was left unclaimed--the "Unicorn" of a system-level code execution on a Windows 8.1 x64, in IE 11 x64, with an Enhanced Mitigation Experience Toolkit (EMET) bypass.

I’m not sure if that result is a good thing or not…it’s hard to say if it proved too hard a nut to crack for any of the participants to even try…or they just had easier pickings to focus on.

Pwn2Own 2014: A recap - PWN2OWN

The largest single prize not awarded was the $150,000 for successful demonstration of the grand-prize Exploit Unicorn, a triple-play puzzle specifically designed to provide the greatest challenge for researchers. Though no entrants made that attempt, the record-setting number of entrants and the diverse and creative approaches taken to crafting attacks made this a Pwn2Own for the ages.

The challenge?

“Exploit Unicorn” Grand Prize:

  • SYSTEM-level code execution on Windows 8.1 x64 on Internet Explorer 11 x64 with EMET (Enhanced Mitigation Experience Toolkit) bypass: $150,000*

For more background on this particular challenge:

Pwn2Own’s New Exploit Unicorn Prize: Additional Background for Civilians - PWN2OWN

This year at Pwn2Own, we’re hunting the Exploit Unicorn – not because we think there are a lot of researchers out there who can capture it, but because we think there aren’t. That said, an attacker able to win this prize (and $150,000 for their efforts) is able to break through Microsoft’s most powerful protections, including a tool built specifically to protect against sophisticated attacks. Here’s what we’re asking Grand Prize contestants to do:

We begin with Internet Explorer. The latest versions of Internet Explorer run in a special, isolated area of the computer’s memory. Tech folk call that a “sandbox,” but you can think of it as a padded room where an application can spend time without hurting itself or others. The first step in the contest is to break out of IE’s padded room – using a fault in the construction of the padded room itself.

Once that’s done, the contestant must gain control over the rest of the computer. The second challenge is for the contestant to locate and use more faults in the system to read its information, change its data, and eventually control its behavior as he pleases; the newest 64-bit computers make that tough, but a successful contestant will prevail.

But there’s one more hurdle. Microsoft has software called the Enhanced Mitigation Experience Toolkit (EMET). It essentially builds more padded rooms inside Windows and protects against many kinds of attack techniques – including payloads installed by attackers seeking the Exploit Unicorn. The third and ultimate test for our contestants is to break through EMET protections and truly control the computer.

EMET has been around for a few years, but due to a lack of formalized tech support and an intimidating interface, its adoption was limited. Lately, Microsoft has been leaning on EMET a lot more; there’s more support, it’s easier to set up, and they encourage the general public to use it – especially when a new attack is underway. With EMET carrying that kind of burden of protection, researchers are getting more interested in testing its limits, and our Grand Prize reflects that. We may not have any successful contestants, but security researchers thrive on insanely difficult challenges; we’re excited to provide one.

I appreciated the link TinyApps provided and though there were no takers to the hack-challenge this time, it did give me confidence that use of EMET continues to be a wise (if not very well known) security choice.

My current (home) Windows 7/8 x64 protection model deployment:

  • Home router -- fully patched with latest firmware updates available & specialized configuration settings that make all the family moan when they visit and want to share the Wi-Fi. Getting them joined is a secure (but tedious) process for everyone involved.
  • PC hardware running latest BIOS/OEM driver patches available
  • Windows 7/8 x64 OSs - fully patched; including all third-party browser/plugin applications.
  • Windows Firewall stuff/settings
  • Microsoft Security Essentials (Win7) or Windows Defender (Win 8)
  • Malwarebytes Anti-Malware Premium - (plays nicely for concurrent protection with MSSE)
  • Microsoft EMET 4.1 - (rolled back from 5.0 tech preview due to super-chatty nature for now)
  • Common sense (YMMV)
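As an added example (not from the original post), here is a PowerShell audit of the layers in the list above on a Windows 7/8 x64 host: system DEP policy, Windows Firewall profile state, the anti-malware and EMET services, EMET’s per-application list, and patch currency. The service names, the EMET 4.1 install path and the shape of EMET_Conf.exe --list output are assumptions; adjust them to your own install.

```powershell
# Added example: audit the layered home-defence stack described in the post.
# Service names, the EMET path and the EMET_Conf output format are assumptions.
# Run from an elevated PowerShell prompt (works on PowerShell 2.0 / Windows 7).

$report = @{}

# 1. DEP policy from WMI: 2 = OptIn (Windows default), 3 = OptOut; EMET can
#    force DEP on for individual applications regardless of the system policy.
$os = Get-WmiObject Win32_OperatingSystem
$report['DEP policy (2=OptIn, 3=OptOut)'] = $os.DataExecutionPrevention_SupportPolicy

# 2. Windows Firewall: all three profiles (Domain, Private, Public) should be ON.
$fwLines = netsh advfirewall show allprofiles state
$report['Firewall profiles ON (expect 3)'] =
    ($fwLines | Select-String 'State\s+ON' | Measure-Object).Count

# 3. Real-time protection services. MsMpSvc = MSSE (Win7), WinDefend = Defender
#    (Win8), MBAMService = Malwarebytes, EMET_Service = EMET 4.x (assumed names).
$layers = @{
    'Anti-malware (MSSE/Defender)' = @('MsMpSvc', 'WinDefend')
    'Malwarebytes real-time'       = @('MBAMService')
    'EMET service'                 = @('EMET_Service')
}
foreach ($layer in $layers.Keys) {
    $running = Get-Service -Name $layers[$layer] -ErrorAction SilentlyContinue |
               Where-Object { $_.Status -eq 'Running' }
    $report[$layer] = if ($running) { 'Running' } else { 'MISSING' }
}

# 4. EMET per-application mitigations. EMET_Conf.exe --list prints one line per
#    protected executable; counting lines containing ".exe" is an assumption.
$emetConf = Join-Path ${env:ProgramFiles(x86)} 'EMET 4.1\EMET_Conf.exe'
if (Test-Path $emetConf) {
    $report['EMET protected apps'] =
        (& $emetConf --list | Select-String '\.exe' | Measure-Object).Count
} else {
    $report['EMET protected apps'] = 'EMET_Conf.exe not found'
}

# 5. Patch currency: days since the most recently installed hotfix.
$lastFix = Get-HotFix | Where-Object { $_.InstalledOn } |
           Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($lastFix) {
    $report['Days since last hotfix'] = (New-TimeSpan $lastFix.InstalledOn (Get-Date)).Days
}

$report.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize
```

Any layer that prints MISSING, a DEP policy of 0 or 1, or fewer than three firewall profiles ON is the gap to fix first.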

This works for me currently…there are more-featured free Windows AV/AM products and I’ve tried many, and I still hate the performance hit right after login that MSSE causes on my Win 7 system. But the other free products have their own issues and I’ve not yet found a need to upgrade to one of the excellent non-free AV products that I would likely choose.

The paid Malwarebytes application provides (IMHO) sufficient backing power to MSSE providing the additional layer of system protection I think is a good idea to have. The free version will do, but it doesn’t provide the real-time protection I think is needed nowadays. This combo is the balance of features and protection I’m comfortable with as a techie/sysadmin.

There are also tons of excellent free firewall applications that go beyond Windows Firewall. I used to use and recommend many of them a long time ago here. However, I’ve become a bit more genteel and am satisfied with the protection Windows Firewall gives me.

Finally, there is EMET lurking in the background keeping a third watch out as well.


Claus Valca
