
Complete Microsoft EMET Bypass Developed

Unknown Lamer posted about 8 months ago | from the just-a-teeny-tiny-bug dept.


msm1267 writes "Researchers at Bromium Labs are expected to announce today they have developed an exploit that bypasses all of the mitigations in Microsoft's Enhanced Mitigation Experience Toolkit (EMET). Principal security researcher Jared DeMott delivered a presentation at the Security BSides conference explaining how the company's researchers were able to bypass all of the memory protections offered within the free Windows toolkit. The work is significant given that Microsoft has been quick to urge customers to install and run EMET as a temporary mitigation against zero-day exploits targeting memory vulnerabilities in Windows or Internet Explorer. The exploit bypasses all of EMET's mitigations, unlike previous bypasses that were able to beat only certain aspects of the tool. Researchers took a real-world IE exploit and tweaked it until they had a complete bypass of EMET's ROP, heap spray, SEHOP, ASLR, and DEP mitigations."


Is anyone surprised? (5, Interesting)

Anonymous Coward | about 8 months ago | (#46330843)

EMET is just a bunch of industry-standard mitigations (e.g. the kind of thing you get on Linux with grsecurity) - and several of them poorly implemented at that. They're mitigations - they make exploits harder, not impossible.

If you rely on EMET for security, you're doing it wrong. Stuff like EMET is just a speed bump. It's good to have, it should be enabled by default, and we should stop treating it like some magic "security on" switch.

Re:Is anyone surprised? (2)

TapeCutter (624760) | about 8 months ago | (#46331145)

Yep, just one more step in a never ending arms race.

Re:Is anyone surprised? (1)

Anonymous Coward | about 8 months ago | (#46331165)

The same could be said for Linux (grsecurity being a patchset against vanilla Linux). OpenBSD enables these measures by default, which shook out tons of bugs in ports software. They're just good measures, period, but obviously not a panacea.

Re:Is anyone surprised? (5, Insightful)

cheater512 (783349) | about 8 months ago | (#46331255)

I disagree. It is like changing the SSH port.

It gives the *illusion* of security, which makes people slack.
E.g. My SSH password is 123456 but don't worry, it's ok! I changed the SSH port to 1234 so I'm safe.

I avoid smoke and mirrors security as much as possible.

Re:Is anyone surprised? (1)

Anonymous Coward | about 8 months ago | (#46331285)

So it is just like using HOSTS files, yet another illusion of security promoted by idiots.

Re:Is anyone surprised? (1)

noh8rz10 (2716597) | about 8 months ago | (#46331787)

HOSTS are the key to everything! $10,000 challenge!

Re:Is anyone surprised? (-1)

Anonymous Coward | about 7 months ago | (#46337657)

Disprove apk's 17 points in favor of hosts files here then http://start64.com/index.php?o... [start64.com]

Re:Is anyone surprised? (0)

Anonymous Coward | about 7 months ago | (#46339413)

Nobody's going to waste time reading your "17 points" because you come across as a severely deranged lunatic. Deranged lunatics always have a lot to say, but typically none of it is worth listening to. Given the limited number of hours in a day, nearly any other pursuit is more worthwhile than paying attention to the incoherent, paranoid rantings of a deranged lunatic.

As an example, why don't you read and disprove these 232 points [editions-hache.com] ? That's how your writings appear to normal people, but the Unabomber at least had basic proficiency with the English language, whereas you do not.

Re:Is anyone surprised? (-1)

Anonymous Coward | about 7 months ago | (#46339751)

They're not mine. They'll see you got wasted by apk here http://tech.slashdot.org/comme... [slashdot.org] and here http://tech.slashdot.org/comme... [slashdot.org] marsu_k you troll. Keep running away from apk "forrest". You only make him look better for it and I'm sure he appreciates it. Now, quit projecting: Go take your meds, lol!!

Re:Is anyone surprised? (5, Funny)

marsu_k (701360) | about 7 months ago | (#46332449)

Shhhh, quiet, you'll summon APK. I've heard if you say "HOSTS file" in front of a mirror three times he'll appear in person.

Re:Is anyone surprised? (0)

Anonymous Coward | about 7 months ago | (#46335499)

That happened to a friend of mine. Poor guy's been scarred for life. No matter what you say to him, he responds with "127.0.0.1"

Re:Is anyone surprised? (-1)

Anonymous Coward | about 7 months ago | (#46337673)

Disprove apk's 17 points in favor of hosts files here then http://start64.com/index.php?o... [start64.com]

Re:Is anyone surprised? (1)

marsu_k (701360) | about 7 months ago | (#46337989)

Even if I were to run Windows, which I don't, and would be inclined to run random programs from the net with admin privileges, which I certainly am not, and even if admittedly there are some situations where modifying the... file that shall not be named is beneficial, you have to admit the guy is desperately in need of medication. And many of those points are redundant.

Re:Is anyone surprised? (-1)

Anonymous Coward | about 7 months ago | (#46338089)

Disprove apk's points favoring hosts. Why do you avoid that? You can't can you?

"Read 'em & WEEP", troll... apk (-1)

Anonymous Coward | about 7 months ago | (#46338565)

Especially the part about malwarebytes' S. Burn verifying my code http://yro.slashdot.org/commen... [slashdot.org]

* You PUNY trolls - you're ALL the same: Always "avoiding" the issue, & the issue here was that you disprove my 17 points favoring hosts files I listed here @ the download page for it -> http://start64.com/index.php?o... [start64.com]

APK

P.S.=> You FAIL on all levels (including avoiding disproving my points as you were challenged to do here -> http://tech.slashdot.org/comme... [slashdot.org] )

Especially vs. the FACT I have backing proof from folks in the security community (who've seen my sourcecode & verified it) as well as passing it thru the JOTTI online tests & disproving FALSE POSITIVES on it from 6 antivirus vendors (Symantec/Comodo/ClamAV/Sophos/ArcaVir & CA before that on another ware even))

You trolls - you JUST DO NOT "GET IT", do you? I take what YOU fools consider "experts" & school them, regularly - it's just what I do/how I roll... apk

You FAIL, troll (lmao)... apk (-1)

Anonymous Coward | about 7 months ago | (#46338665)

Especially the part about malwarebytes' S. Burn verifying my code http://yro.slashdot.org/commen... [slashdot.org]

* You PUNY trolls - you're ALL the same: Always "avoiding" the issue, & the issue here was that you disprove my 17 points favoring hosts files I listed here @ the download page for it -> http://start64.com/index.php?o... [start64.com]

APK

P.S.=> You FAIL on all levels (including avoiding disproving my points as you were challenged to do here -> http://tech.slashdot.org/comme... [slashdot.org]

Especially vs. the FACT I have backing proof from folks in the security community (who've seen my sourcecode & verified it) as well as passing it thru the JOTTI online tests & disproving FALSE POSITIVES on it from 6 antivirus vendors (Symantec/Comodo/ClamAV/Sophos/ArcaVir & CA before that on another ware even))

You trolls - you JUST DO NOT "GET IT", do you? I take what YOU fools consider "experts" & school them, regularly - it's just what I do/how I roll... apk

Re:Is anyone surprised? (0)

Anonymous Coward | about 7 months ago | (#46333121)

Changing the SSH port can cut the number of attacks down by half or more, so it is not a bad tactic at all. You won't be defending against people who scan for ports, sure, but you're definitely narrowing the logs you have to look at. Saying it is an illusion of security shows he doesn't know what he's talking about. Whereas changing the SSID on your wifi is truly an illusion of security, because anyone cracking your wifi is using software that can find your router anyway by default.

HOSTS file is also not an illusion, if you hardcode an IP address to /. for example, not only can you prevent someone from hijacking your DNS and pointing you to a fake /. similar to what NSA was doing to people, but you can also bypass beta. And, in addition to that, if you place the IP addresses of known malicious websites, of which there are hundreds of thousands, and route them to localhost then you can prevent your machine from ever phoning home to their command & control center if you ever did get exploited. Will it stop zero-day attacks or new botnets, no.

But, suggesting not to use a tactic because it doesn't cover 100% of security flaws is strange to me. EMET for example protects against anything but directed handcrafted attacks, most attacks are undirected and automated. It allows your IT department to again hone in on those few attacks that do manage to get through, ignoring the rest of the automated noise.

Re:Is anyone surprised? (-1)

Anonymous Coward | about 7 months ago | (#46337827)

They're trolls apk destroyed on the topic of hosts repeatedly man. Don't bother with them. Note they've been challenged to disprove apk's points in reply to their trolling coward posts. I imagine if they have an ounce of sense they will just go away. If they try challenge apk on hosts effectiveness in security, speed, reliability, or even anonymity being added, he will just destroy them yet again. It's why they do what they do by anoncoward posts. It's a regular occurrence here.

Re:Is anyone surprised? (0)

Anonymous Coward | about 7 months ago | (#46339499)

Why did apk refuse the $10,000 challenge?

He refused because he knew he would lose.

Why doesn't apk have enough faith in his host file to wager $10,000 on its merits?

apk was exposed as a fraud and a scammer.

"Run, Forrest: RUN!!!!" (-1)

Anonymous Coward | about 7 months ago | (#46339659)

"Rinse, Lather, & Repeat" marsu_k (you troll) -> http://tech.slashdot.org/comme... [slashdot.org]

* A "rhetorical QUESTION" (of sorts):

Want to know WHY you trolls are SO EASY TO BLOW AWAY?

Answer = You're all SO totally STUPID... lol!

APK

P.S.=> So, "here endeth the lesson" - Learn to RESPECT your betters - of which I most certainly AM, since I am WORLDS above "your kind" (the lowest of the LOW online, mere puny trolls, lol) & yes - on all levels, including the art & science of computing ... & THIS? (& you just KNOW I've just GOTTA say it)? Well - you know:

This was just "too, Too, TOO EASY - just '2ez'" & it always is, vs. mindless cowardly trolls like marsu_k (who now is trolling me by ac posts after I shot him down in flames, with ease, in the link above)...

... apk

Re:Is anyone surprised? (0)

Anonymous Coward | about 8 months ago | (#46347123)

Like I said in my other reply http://tech.slashdot.org/comments.pl?sid=4829029&cid=46338565

Re:Is anyone surprised? (0)

Anonymous Coward | about 7 months ago | (#46337599)

So you're saying if known bad site's blocked in hosts it won't work? Why not?

Re:Is anyone surprised? (5, Insightful)

Tanktalus (794810) | about 8 months ago | (#46331301)

So, you don't use a club on your steering wheel, you don't bother hiding valuables in your trunk, leaving them in plain view, and, really, since a professional can get in the car anyway, just leave the doors unlocked. It's all smoke and mirrors anyway.

If a malicious attacker/user is portscanning your system and finds that port 22 is open, they're going to assume an ssh attack. If they find port 1234, they may move on to another target that has port 22 open instead. Of course, if they're really after you, and not just throwing a wide net, then such shenanigans aren't going to stop them, though it might slow them down for a little while while they try to figure out what's listening on which non-standard port.

If a script kiddie is doing the same, most likely port 1234 would be enough to fool them, and they'd never get in.

Seems like smoke and mirrors are a useful tool in a secure system's administration, but should never be the sole tool.

Re:Is anyone surprised? (2)

ichthus (72442) | about 8 months ago | (#46331333)

Exactly. It's like burying the spare key in your garden, as opposed to putting it under the door mat. It's security through obscurity, but it IS effective.

Re:Is anyone surprised? (1)

Anonymous Coward | about 8 months ago | (#46331471)

Changing the SSH port is effective in reducing the number of entries in your log files. It's not effective in increasing your security. I do find the log file thing a great enough benefit to go ahead and do this.

Re:Is anyone surprised? (1)

WuphonsReach (684551) | about 7 months ago | (#46331935)

Changing the SSH port is effective in reducing the number of entries in your log files. It's not effective in increasing your security. I do find the log file thing a great enough benefit to go ahead and do this.

It removes your system from being the low-hanging fruit on the bottom branch, to something harder to reach from the ground. That it also lessens the number of entries in the log files is a nice bonus. Instead of being attacked a few hundred times per day on the standard port, now you're only being attacked maybe once per week.

(And usually far less than that... we never see brute-force attempts on our non-standard SSH ports. Combined with public-key pairs, SSH is probably not the weakest link on the system.)

Re:Is anyone surprised? (1)

jbmartin6 (1232050) | about 7 months ago | (#46333223)

Not to mention log files with less noise are more likely to be monitored and have an effective response in place for incidents. A noisy log file full of Internet-wide scripted attacks will likely be ignored even if there is a more dangerous attack buried in there.
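The point made above, that a log full of Internet-wide scripted attempts can hide the one source that is actually probing your real accounts, can be put into a small triage script. This is an added example, not code from the thread; the sshd lines are constructed, and the list of "real" accounts, the generic-username list and the threshold of three hits are assumptions chosen for the illustration.

```python
"""Triage of sshd authentication failures: separate Internet-wide
scripted noise from a persistent source that targets this host.

Added example (not from the Slashdot thread). The log lines below are
constructed; REAL_ACCOUNTS, GENERIC_USERS and min_real_hits are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of sshd "Failed password" lines in syslog format.
SAMPLE_LOG = """\
Feb 25 03:10:01 host sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Feb 25 03:10:02 host sshd[1202]: Failed password for root from 198.51.100.7 port 51235 ssh2
Feb 25 03:10:04 host sshd[1203]: Failed password for invalid user test from 198.51.100.7 port 51236 ssh2
Feb 25 03:11:10 host sshd[1210]: Failed password for invalid user admin from 203.0.113.9 port 40001 ssh2
Feb 25 03:11:11 host sshd[1211]: Failed password for root from 203.0.113.9 port 40002 ssh2
Feb 25 03:12:00 host sshd[1220]: Failed password for alice from 192.0.2.44 port 60010 ssh2
Feb 25 03:12:30 host sshd[1221]: Failed password for bob from 192.0.2.44 port 60011 ssh2
Feb 25 03:13:05 host sshd[1222]: Failed password for carol from 192.0.2.44 port 60012 ssh2
Feb 25 03:13:40 host sshd[1223]: Failed password for alice from 192.0.2.44 port 60013 ssh2
Feb 25 03:14:15 host sshd[1224]: Failed password for deploy from 192.0.2.44 port 60014 ssh2
Feb 25 03:15:00 host sshd[1225]: Failed password for bob from 192.0.2.44 port 60015 ssh2
"""

# Matches the OpenSSH "Failed password" message; "invalid user" is present
# when the account does not exist on the host.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

# Accounts that actually exist on this host (assumption for the example).
REAL_ACCOUNTS = {"alice", "bob", "carol", "deploy"}

# Usernames that Internet-wide scanners try regardless of the target.
GENERIC_USERS = {"root", "admin", "test", "guest", "user", "pi", "oracle"}


def parse_failures(text, year=2014):
    """Yield (timestamp, user, invalid_flag, source_ip) per failed login."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], bool(m["invalid"]), m["ip"]


def summarize(text):
    """Aggregate failures per source: count, distinct users, real-account hits."""
    per_src = defaultdict(lambda: {"attempts": 0, "users": set(), "real": 0,
                                   "first": None, "last": None})
    for ts, user, invalid, ip in parse_failures(text):
        s = per_src[ip]
        s["attempts"] += 1
        s["users"].add(user)
        if not invalid and user in REAL_ACCOUNTS:
            s["real"] += 1
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    return per_src


def classify(summary, min_real_hits=3):
    """Label each source: 'noise' for generic-username spraying, 'targeted'
    when a source keeps guessing accounts that really exist here."""
    verdicts = {}
    for ip, s in summary.items():
        if s["real"] >= min_real_hits and not (s["users"] <= GENERIC_USERS):
            verdicts[ip] = "targeted"
        elif s["users"] <= GENERIC_USERS:
            verdicts[ip] = "noise"
        else:
            verdicts[ip] = "review"
    return verdicts


def triage(text):
    """Return only the sources worth a human's attention, with their stats."""
    summary = summarize(text)
    verdicts = classify(summary)
    return {ip: {"attempts": summary[ip]["attempts"],
                 "users": sorted(summary[ip]["users"]),
                 "minutes": (summary[ip]["last"] - summary[ip]["first"]).seconds // 60}
            for ip, v in verdicts.items() if v == "targeted"}


if __name__ == "__main__":
    for ip, info in triage(SAMPLE_LOG).items():
        print(f"{ip}: {info['attempts']} failures against {info['users']} "
              f"over {info['minutes']} min -> investigate")
```

On the constructed sample the two generic-username sprayers are filed as noise and only 192.0.2.44, which cycles through accounts that exist on the host, is surfaced for investigation.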

Re:Is anyone surprised? (3, Informative)

cheater512 (783349) | about 8 months ago | (#46331669)

Erm, you do know that SSH broadcasts its presence as soon as you connect, right?

Try "telnet server.com 22" and you'll see how nice and obvious it is that you've found a SSH server.
You'll get a nice banner like "SSH-2.0-OpenSSH_6.0p1 Debian-3ubuntu1"

The moment the port scan finds it, they know it is SSH.

Re:Is anyone surprised? (1)

Anonymous Coward | about 8 months ago | (#46331745)

The point is someone has to do a full port scan. Check most of the worms and exploit kits out there: they don't bother with a port scan, as they know exactly what port 99.99% of web servers run on and what 99% of SSH and RDP servers run on. The most likely victims are ones that use default configs, and default configs also mean default ports. Why spend precious cycles port scanning when there are 10,000 other soft targets you could have scanned in that time?

Re:Is anyone surprised? (1)

chew8bitsperbyte (533087) | about 7 months ago | (#46333551)

That's only true if you haven't disabled password authentication. If you've limited to public/private key authentication only, you get nothing.

Or more specifically you get: "Connection refused. Unable to connect to host" At that point, who cares what port number you're running on, unless someone's able to brute force your 4096-bit key, you're fine.

Re:Is anyone surprised? (1)

coolsnowmen (695297) | about 7 months ago | (#46337823)

This is not true for me:

sudo su - test
[test@localhost ~]$ ssh coolsnowmen@localhost
Permission denied (publickey).
[test@localhost ~]$ telnet localhost 22
Trying ::1...
Connected to localhost.
Escape character is '^]'.
SSH-2.0-OpenSSH_6.2

Wrong attacker model (0)

Anonymous Coward | about 7 months ago | (#46336583)

And how many kiddies scanning for SSH will just scan for 22, 222, 2222 and 22222 and the like vs. say 19876 looking for SSH? If they want SSH access, they won't do a full port scan of all the IPs, they'll scan for a select set of known or probable "hidden" SSH ports on as many IPs as they can.

So yes, it's effective.

If someone is targeting YOU, they will scan all your ports and they will probably even try to speak SSH to you, if the reply on the port is from something that seems to be an Apache webserver.

Re:Wrong attacker model (0)

Anonymous Coward | about 7 months ago | (#46338757)

Use port knocking instead of just changing the port. If you have to hit 2, 222, and 22 in order before 2222 opens, you've reduced the chance of someone finding your ssh server by port scanning enough that almost nobody is going to find it, especially if you implement rules to drop connections from addresses that look like they're trying to brute force your knock requirement.

Also with regards to changing SSH port (3, Insightful)

Sycraft-fu (314770) | about 7 months ago | (#46332297)

That proves the opposite of what people think. It was for a very long time extremely effective. The auto scanning l33t hax0r tools out there only looked for port 22 for SSH. They didn't scan the system. If they didn't find it, they moved on. I saw massive differences in the number of failed logins for servers on 22 and servers not.

Now that has largely changed, but it worked real well for like a decade-ish. That is not worthless. No it wasn't the only layer of security, it wasn't an excuse to ignore everything, but it did a hell of a job reducing attack profile and costs -nothing-.

The problem is geeks seem to think if security isn't perfect, it is worthless, which is stupid because in the physical world there's no such thing, EVER, as perfect security and since all computers are in the end physical entities, the same actually applies to computer security. It is all layers, it is all protection against different levels of threats.

Turns out simple obscurity can be really useful at times. It doesn't make you safe by itself, but it can make a breakin that much harder, and thus less likely.

Re:Also with regards to changing SSH port (1)

DarkOx (621550) | about 7 months ago | (#46332443)

No, geeks generally just look for a better way. Moving SSH to a nonstandard port makes it harder to use. There are better tools like iptables rules which can limit the maximum number of connections from a given host to say five per minute, or whatever value is reasonable in your case. This way you don't have to remember to specify the nonstandard port every time, but it's still completely effective in preventing brute force attacks. The stupid scanners will find you, try five times, then get no response, assume the host is gone and move on.

Re:Is anyone surprised? (0)

Anonymous Coward | about 7 months ago | (#46332435)

Actually we give that advice to members of our car club, to anyone with a convertible anyway. The cost of locating or having a replacement ragtop made far exceeds pretty much anything that might be stolen from inside the car.

We do recommend people keep things in the trunk though, and leave the main vehicle unlocked.

Re:Is anyone surprised? (0)

Anonymous Coward | about 7 months ago | (#46332459)

Sorry - but even if they find port 1234 they will also find it is ssh backing it.

The only "speed bump" is that they had to scan for a port.

there is no added security whatsoever.

Re:Is anyone surprised? (0)

Anonymous Coward | about 7 months ago | (#46333521)

This is absolutely correct. There's a lot of decrying "security by obscurity," but the truth of the matter is, it's a useful tool. It should never be the ONLY tool, nor should any other security mitigation. But it is useful. You're going to dodge a lot of attacks; maybe not the truly dedicated ones (or maybe even a few of those if you're lucky), but you'll escape a lot of drive-by attacks and skiddies. That's absolutely a good thing.

Re:Is anyone surprised? (4, Informative)

Anonymous Coward | about 8 months ago | (#46331495)

I disagree. It is like changing the SSH port.

It gives the *illusion* of security, which makes people slack. E.g. My SSH password is 123456 but don't worry its ok! I changed the SSH port to 1234 so I'm safe.

I avoid smoke and mirrors security as much as possible.

More fool you. Smoke and mirrors, despite its negative security connotations, is actually an invaluable security mechanism that is denigrated by those that don't know better. Something as simple as a port change, while providing no real security improvement, does immediately negate a whole heap of script kiddies and automated tools that instantly pop up when a new exploit is discovered. Yes, it offers nothing against a targeted attack, but most attacks are NOT specifically targeted, they hunt for easy victims on known common configurations. Every tool that reduces even the most basic of attacks SHOULD be something you value in your arsenal.

Re:Is anyone surprised? (1)

cheater512 (783349) | about 8 months ago | (#46331687)

If you expose easily exploited stuff, you deserve to get owned.

They try stuff like username 'admin' password '123456'. If that is an issue for your server you are an idiot.
If you, say, use SSH keys then you don't have to give the script kiddies and automated attacks a second thought - they will *never* get in.

Re:Is anyone surprised? (0)

Anonymous Coward | about 8 months ago | (#46331767)

What happens when the next vulnerability is discovered in SSH auth? You become the next victim of whatever worm is going around while the moron with the admin and 123456 password on port 12345 survives another day (not that he is smart either). Security isn't about one size fits all, it is about mitigating as many layers as you can; that means using proper keys and passwords, using secure configurations with least privileges and good monitoring practices, it means not using default usernames and it means obscuring any commonly known information like the port number. Protecting yourself against a teenager that downloads the latest exploit kit for his new worm is just as important as hardening your service. Why expose yourself to unnecessary threats?

Re:Is anyone surprised? (1)

Zero__Kelvin (151819) | about 7 months ago | (#46334597)

"If you expose easily exploited stuff, you deserve to get owned."

Please tell me you don't take money from anyone in exchange for computer security advice.

Re:Is anyone surprised? (1)

cheater512 (783349) | about 7 months ago | (#46336789)

Yes I do as a matter of fact.

Please tell me what I'm doing wrong:
- SSH keys where possible
- Mandatory randomly generated passwords for the accounts that can't use SSH keys
- Only HTTP, DNS and SSH are exposed via the hardware load balancer
- Software is updated every 6 - 12 months, or when a specific threat is discovered.

Oh no! I've got SSH on port 22. I'm going to get hacked now!!!!

Re:Is anyone surprised? (1)

Zero__Kelvin (151819) | about 7 months ago | (#46338373)

Please tell me what I'm doing wrong: ... Oh no! I've got SSH on port 22. I'm going to get hacked now!!!!

You answered your own question. Now, nobody is saying that it is a critical mistake, or that you will get cracked (it's cracked, BTW), but you will get more cracking attempts. Since it is a very, very simple thing to use non-standard ports it is foolish not to reduce your attack surface. There is also something I didn't see you mention and one could argue that by not doing it in 2014 you are doing it wrong. I don't see any mention of Port Knocking [wikipedia.org] in your post. Also, you didn't mention if you use a real OS or Windows PetriDisk(tm).

Re:Is anyone surprised? (2)

Zero__Kelvin (151819) | about 7 months ago | (#46334497)

Your assessment is quite inaccurate. Changing your port number is indeed a very good idea. The mistake one might make is in thinking that is all that is necessary. I would go so far as to say that if you don't change your port number because "it provides the illusion of security" when you know damn well it is only one of many measures one should take, then you are being very foolish. Just because removing low hanging fruit doesn't stop all the vermin, that is no reason to refuse to minimize the attack surface by changing port numbers.

Re:Is anyone surprised? (1)

KingMotley (944240) | about 7 months ago | (#46336193)

I agree. Passwords are insecure, so I've compiled a custom version of linux that just asks your username and lets you in. Saves me from fielding all those pesky "I forgot my password" calls. Works great.

Re:Is anyone surprised? (0)

AlphaBro (2809233) | about 8 months ago | (#46331795)

Poorly implemented, huh? I suppose that means you'll be taking home the $150,000 Pwn2Own 2014 prize [threatpost.com] for breaking it, right? Shit, maybe you can collect Microsoft's $100,000 bounty [microsoft.com], too! That is, of course, unless you're talking out of your ass.

Re:Is anyone surprised? (0)

Anonymous Coward | about 7 months ago | (#46332339)

I could poorly implement a door by making it out of concrete and forgetting to put on a hinge, but that doesn't make it easier to break into.

Re:Is anyone surprised? (1)

AlphaBro (2809233) | about 8 months ago | (#46342083)

Alright, so how is that analogous to EMET? Where exactly is this "missing hinge"? You're talking out of your ass.

Re:Is anyone surprised? (1)

gweihir (88907) | about 7 months ago | (#46332555)

EMET is a dirty hack to fix a host of real problems. It is not surprising it does not really work. The only approach that works is not to have those easily exploited vulnerabilities in the first place. That requires developers with a strong security mind-set and a very conservative attitude towards new features. Microsoft lacks both.

Re:Is anyone surprised? (1)

Anonymous Coward | about 7 months ago | (#46334571)

From Microsoft's own description of EMET: "These security mitigation technologies do not guarantee that vulnerabilities cannot be exploited. However, they work to make exploitation as difficult as possible to perform."

Source: http://support.microsoft.com/kb/2458544

Bypass? (0)

Anonymous Coward | about 7 months ago | (#46335537)

I blame the Vogons.

Can someone explain... (2, Insightful)

nuckfuts (690967) | about 8 months ago | (#46330863)

Is this a general method for bypassing EMET protections, or is it only applicable to one specific IE exploit?

Re:Can someone explain... (3, Informative)

hweimer (709734) | about 7 months ago | (#46332337)

As far as I can see, they do not rely on a specific IE vulnerability for inserting the payload, but they rely on a specific (and fixed) Windows vulnerability [mitre.org] to bypass ASLR [wikipedia.org] , which is a crucial component of EMET. They claim in a footnote that the "IE flaw could be modified to leak the base address of a DLL in another way", but they do not provide a working exploit that does so.

And so ... (0)

Anonymous Coward | about 8 months ago | (#46330865)

... the arms race continues!

EMET was never meant as a cure all (4, Insightful)

bloodhawk (813939) | about 8 months ago | (#46330913)

EMET is not a cure all, nor is it pushed as one. EMET is about standard best practices to mitigate many exploits (not all) and is still an excellent toolkit for what it offers; that doesn't mean you should rely on only it. And as usual the Slashdot summary comes across as far more negative than the actual article itself.

Re:EMET was never meant as a cure all (0)

Anonymous Coward | about 8 months ago | (#46330979)

In other words, the design sucked from day one and now it's useless.

Re:EMET was never meant as a cure all (0)

Anonymous Coward | about 8 months ago | (#46331239)

If you have no clue about programming perhaps it would be better if you kept your mouth shut rather than opening it and looking like a moron. All protections at this layer will always be constantly evolving to meet the attackers. There are ZERO perfect solutions and I doubt there ever will be one, as that would imply pre-knowledge of every type of attack people are going to imagine up in the future.

Slashdot summary more negative than article? (1)

DTentilhao (3484023) | about 8 months ago | (#46331511)

@bloodhawk: "EMET is not a cure all, nor is it pushed as one. EMET is about standard best practises to mitigate many exploits (not all) and is still an excellent toolkit for what it offers, that doesn't mean you should rely on only it. And as usual the Slashdot summary comes across as far more negative than the actual article itself"

The impact of this study shows that technologies that operate on the same plane of execution as potentially malicious code offer little lasting protection. This is true of EMET [threatpost.com] and other similar userland protections.

Re:Slashdot summary more negative than article? (1)

Anonymous Coward | about 8 months ago | (#46331583)

And? Of course it doesn't offer lasting protection. It is a speed bump; that doesn't make it useless or a disaster that people have ways around it. Just like it is not a disaster that no OS is secure and they will always need security patches, it doesn't suddenly mean you don't bother with security because you know it will be defeated.

Re:EMET was never meant as a cure all (0)

Anonymous Coward | about 7 months ago | (#46333885)

On the other hand, I do believe Microsoft was offering a bounty for any team that managed to bypass all of EMET's mitigations, which is probably why this team qualified. It's a shame that didn't make it to the summary.

Architecturally Insecure (-1, Troll)

jacobsm (661831) | about 8 months ago | (#46330931)

Windows, any version, is architecturally insecure. While it can be patched, you're never going to be able to completely eliminate the insecurities. Does Microsoft have a system integrity statement like this? I highly doubt it.

IBM’s commitment includes design and development practices intended to prevent unauthorized application programs, subsystems, and users from bypassing z/OS security – that is, to prevent them from gaining access, circumventing, disabling, altering, or obtaining control of key z/OS system processes and resources unless allowed by the installation. Specifically, z/OS “System Integrity” is defined as the inability of any program not authorized by a mechanism under the installation’s control to circumvent or disable store or fetch protection, access a resource protected by the z/OS Security Server (RACF®), or obtain control in an authorized state; that is, in supervisor state, with a protection key less than eight (8), or Authorized Program Facility (APF) authorized. In the event that an IBM System Integrity problem is reported, IBM will always take action to resolve it

Re:Architecturally Insecure (0)

vux984 (928602) | about 8 months ago | (#46330999)

I think we'd probably be horrified to see z/OS implode if you installed it on a billion desktops, put billions of regular users browsing the web with it, and then unleashed malware writers on it.

In the event that an IBM System Integrity problem is reported, IBM will always take action to resolve it

I'm sure they'd be overwhelmed if the amount of exploit research activity was unleashed against it that is 'just another day' for windows.

Assuming of course, that z/OS is used by billions of people to browse the web etc, and an exploit only needs to get arbitrary code to run in the users shell to be devastating... it doesn't even need to gain root.

Re:Architecturally Insecure (-1, Troll)

guruevi (827432) | about 8 months ago | (#46331035)

It's been a red herring since the introduction of the myth and remains a red herring until this day. Microsoft products are simply insecure because they're closed source and suffer from a lack of interest in fixing the issues.

Linux and Mac have been making great strides on a much larger number of platforms, most computers these days don't even run Microsoft products anymore but a variation of Linux (servers, 99% of non-Apple ARM devices) or BSD (all Apple products, servers responsible for the infrastructure of the Internet) WITHOUT any virus scanners. You can't even get a Windows computer on the net without a virus scanner, it will be exploited before you can apply the latest patches.

Re:Architecturally Insecure (-1)

Anonymous Coward | about 8 months ago | (#46331099)

We get it - profit = BAD.
Go fuck yourself.

Re:Architecturally Insecure (0)

Anonymous Coward | about 8 months ago | (#46331243)

LOL Profit is great! And that's why I use open source, so I can maximize my profit instead of wasting it on vendor jerk-around. But shhh, don't tell my competitors.

Re:Architecturally Insecure (0)

Anonymous Coward | about 8 months ago | (#46331133)

You can't even get a Windows computer on the net without a virus scanner, it will be exploited before you can apply the latest patches.

Stop perpetuating this idiocy. If your idea of "getting a Windows computer on the net" is downloading pornscreensaver.exe, then you are doing it wrong. Seriously, I was right on thinking you had a pretty good idea what you were talking about until that point, and then I realized you're just an idiot.

Re:Architecturally Insecure (1)

RobertLTux (260313) | about 7 months ago | (#46332647)

Or, more to the point, if you want a simple method to get a Windows computer patched and all the "fun" programs installed, then you:

1. On another computer, download, unpack and run WSUSOffline and build an update package.
2. Also visit ninite.com and grab an install loader for your "fun" programs (like Firefox, LibreOffice and such).
3. Do the initial setup on your computer and get to the desktop.
4. Run the WSUSOffline updater.
5. Run the ninite.com install loader.
6. Profit!!

Re:Architecturally Insecure (3, Informative)

TapeCutter (624760) | about 8 months ago | (#46331179)

You can't even get a Windows computer on the net without a virus scanner, it will be exploited before you can apply the latest patches.

Utter nonsense. When was the last time you installed Windows? 1998?

Re:Architecturally Insecure (0)

Eskarel (565631) | about 8 months ago | (#46331245)

It was probably much more recently, but he probably installed XP without any patches or service packs. That's how the YotLD people convince themselves they're going to win, they compare bleeding edge Linux products against XP and talk about how much more advanced Linux is.

That said, there is some truth in the fact that most Linux installations are architecturally more secure than most Windows PCs, but that has more to do with the fact that the market share for Linux PCs running as general-purpose computing devices configured to be used by non-technical end users is barely measurable. Servers don't count (most Windows servers don't have AV either), tablets don't count (though I actually do have AV on my Android), and a locked-down box set up for your parents that you remotely administer doesn't count.

I'd also like to point out that in this day and age, the fact that you probably won't get root on Linux is a big "who cares": all the data which matters to the user is accessible by the user. Setting up data-encryption ransomware on Linux would be trivially easy and no less damaging than on Windows.

Re:Architecturally Insecure (1)

ratboy666 (104074) | about 8 months ago | (#46331791)

Why do you mention Linux? This sub-thread compared Windows against z/OS. The "market share" for z/OS as a general compute device is, of course, even less than Linux. However, z/OS is arguably much more secure than Windows.

Why is it that Windows criticism is taken as Linux support? Linux has its place (and I use it as my primary OS) but I certainly wouldn't claim it is secure. Windows should be secure, given that it is pre-installed on almost every consumer computing product.

Re:Architecturally Insecure (1)

Eskarel (565631) | about 7 months ago | (#46332185)

Because GP mentioned them. The overall subthread may be about z/OS, but this particular branch was arguing that the "no one uses it" point was BS because iOS and Linux servers are secure without AV.

Re: Architecturally Insecure (1)

mspohr (589790) | about 7 months ago | (#46334813)

1996 ;)

Re:Architecturally Insecure (0)

Anonymous Coward | about 8 months ago | (#46331341)

Linux and Mac have been making great strides on a much larger number of platforms

hahahahahahaha. Linux has made strides. OSX is full of holes and is just now starting to see researchers and malware authors focus on it. OSX is where Windows was in 2003-2005 security-wise.

BSD (all Apple products, servers responsible for the infrastructure of the Internet) WITHOUT any virus scanners

Managed by competent computer engineers, not your grandma who clicks everything and opens every attachment and installs 500 pieces of shit software.

You can't even get a Windows computer on the net without a virus scanner, it will be exploited before you can apply the latest patches.

Perhaps you should install the latest version? Would you install Linux from 7 years ago and leave it on the net unprotected? No.

Actually, yes. (0)

Anonymous Coward | about 7 months ago | (#46332473)

Especially as there are no default ports that are open.

No active ports, no vulnerability to network attack.

Re:Architecturally Insecure (1)

jacobsm (661831) | about 8 months ago | (#46331093)

I disagree. It's the direct descendant of S/360 and has about 50 years of steady product improvements built in. Malware running with general user access rights cannot affect system processes in any way, and cannot alter (or read) any memory location that it doesn't have access to. The zSeries hardware, together with the operating system, is a powerful combination that Windows and commodity hardware can't touch.

I'm a z/OS Operating Systems Programmer with 35+ years' experience, and while there have been published security and system integrity patches issued on occasion, Windows has it beat by a mile.

Re:Architecturally Insecure (0)

Anonymous Coward | about 8 months ago | (#46331209)

Security isn't about features, it's about code correctness.

I'll admit that 50 years of commercial success implies 50 years of bug fixes. But commercial applications do not stress systems the way malware hackers do. Do you care to claim that z/OS is without bugs entirely? Sure, not all bugs are exploitable, but the ratio of exploitable bugs to bugs in general holds fairly constant (some Microsoft researchers wrote a paper about this phenomenon, tracking and examining bugs in BSD implementations).

The whole "Windows has a larger profile" argument is false when applied against Linux, because for over 15 years Linux has had an enormous footprint on the internet which desktop jockeys are oblivious to in their mental calculations, not to mention the fact that it's open source and free, making it easier to find bugs--for both white and black hats.

But the profile argument might hold some water against z/OS.

Re:Architecturally Insecure (0)

Anonymous Coward | about 7 months ago | (#46336271)

Most malware (even with privilege escalation bugs) is installed by the user.

Most *nix Internet boxes are: admins who know better, web servers that won't have anything installed anyway

Re: I want a cookie (0)

Anonymous Coward | about 8 months ago | (#46331283)

You mean how the cookie monster malware from the 1970s hit pdp and the 370 alike?

It would halt I/O unless you typed cookie on the teletype.

http://uanr.com/articles/virus.html

I hear the same stuff spewed by Linux fanboys who say rootkits are impossible. Yet get exploited. Where do you think the root in rootkit came from?

Re: I want a cookie (1)

_merlin (160982) | about 7 months ago | (#46332423)

Cookie Monster was a prank program that required the user to install and run it with their own permissions. It didn't attempt to reproduce, spread or conceal itself.

Re:Architecturally Insecure (2)

Eskarel (565631) | about 7 months ago | (#46332181)

And for a desktop, no one gives a crap.

Everything that matters to a user is sitting in folders that they can, by necessity, access. Your documents, your web browser session, and everything else that is even remotely important to you is available with no escalated privileges whatsoever. Yes, they can't necessarily root your device, but to be honest, unless you're actually running in a true multi-user environment (which almost no desktop is), it's cold comfort that your PC works if your data is gone.

Re:Architecturally Insecure (0)

Anonymous Coward | about 7 months ago | (#46333377)

That's just bullshit.

Your browser process, like all other general user processes, has the rights to read and write user files, including but not limited to saved passwords, credit-card numbers, personal documents and nearly everything important to the user; in fact, the only things that might remain secure are those stored in encrypted storage by a combination of user and application keys. It also has the rights to download and execute new programs. So generally malware doesn't need admin rights to do harm, although it might need admin rights to hide itself. It also has no problem pretending to be a system app asking for an admin password or elevation of rights.

Unless you want your desktop PC to have the same shit of constraints applied on mainframe - program A can only read file X, program B can only write file Y, program C can only allocate Z amounts of RAM, blah blah. That just sucks.

Re:Architecturally Insecure (1)

Anonymous Coward | about 8 months ago | (#46331011)

Not so well disguised advertisement is not so well disguised.

The cost of z/OS systems also help (0)

Anonymous Coward | about 8 months ago | (#46331027)

Not a lot of credible hackers allowed to play with multimillion dollar hulks that dim the lights. I am pretty sure most systems are exploitable in theory no matter how much marketing people believe.

Re:Architecturally Insecure (0, Insightful)

Anonymous Coward | about 8 months ago | (#46331079)

Windows, any version, is architecturally insecure.

Actually every operating system is and anything widely in use will be targeted, as has been demonstrated quite clearly in the past couple of weeks, we have had:
The Windows EMET vulnerability [bromium.com]
The Android E-Z-2-Use drive-by vulnerability [arstechnica.com]
The OSX & iOS SSL vulnerability [theverge.com]

Re:Architecturally Insecure (0)

Anonymous Coward | about 8 months ago | (#46331211)

Perhaps it would be useful to enumerate the architectural insecurities of Windows, and then how z/OS addresses or avoids these, rather than point out some IBM marketing statement and then ask if Microsoft has a similar such useless statement?

Also, if a program is *really* unable to circumvent z/OS System Integrity, why would there be a need for a clause about taking action to solve System Integrity problems? And what is a protection key less than eight (8)? This tortuous sentence is certainly secured against giving the reader any firm sense of what System Integrity actually is!

re: Architecturally Insecure, Score:0, Troll .. (1)

DTentilhao (3484023) | about 8 months ago | (#46331521)

How dare you criticise MICROS~1 ..

Re:Architecturally Insecure (1)

mcgrew (92797) | about 7 months ago | (#46336137)

Oh, how the mighty Slashdot has fallen, when a logged-in Slashdotter makes the insightful comment that Windows was never designed with security in mind. Although they did better with Vista and 7 than previous OSes, it's still the most insecure OS I know of.

Yet he gets modded -1 troll for a factual comment. Do we have more shills than real users? Or are anti-MS comments being modded down by editors on orders of Dice because Microsoft is advertising here?

Either way, it saddens me.

This is very naughty. (1)

Anonymous Coward | about 8 months ago | (#46330941)

These bit-twiddling desperadoes should be arrested at once!

Re:This is very naughty. (0)

Anonymous Coward | about 8 months ago | (#46331143)

My PC is turned on.

Beta is a PAIN! (1, Informative)

Anonymous Coward | about 8 months ago | (#46330945)

Pre beta I can read the complete (in most cases) text without leaving the main page. With Beta I have to queue the (perhaps interesting) readings in tabs and then review them (in order to avoid the back-and-forth). Bad UI, bad UX, bad design. Takes so much longer that I may just quit reading this site.

EMET (0)

Anonymous Coward | about 8 months ago | (#46331199)

xkcd [xkcd.com]

Re:EMET (0)

Anonymous Coward | about 8 months ago | (#46331591)

I don't think you understand that comic. Did people love and highly-rate EMET for its features that weren't security related? I didn't even know it had such features much less attracted any praise.

"Researchers took a real-world IE exploit" (0)

Anonymous Coward | about 8 months ago | (#46331335)

So basically if you don't use IE, then your EMET isn't vulnerable to this?

Wait a second... (0)

Anonymous Coward | about 8 months ago | (#46331365)

"...complete bypass of EMET's ROP, heap spray, SEHOP, ASLR, and DEP mitigations". All of these mitigations are pretty much state of the art and mandatory with most binaries and OS's compiled/built these days. It wasn't clear from the article if these were all generally bypassed or if something about EMET's implementation of them were at fault. Did they really get lucky with ASLR (1/256 chance), bypass DEP and heap spray detection, and exploit someone's IE session running as a std user?

Re:Wait a second... (1)

ledow (319597) | about 7 months ago | (#46333005)

Maybe you should read the paper they link in.

Basically, most of the security is incomplete or easily ignored / bypassed.

On a stock system, with EMET defaults enabled, there are certain critical things that aren't done (hooking an old API that marks memory as executable, etc.). Even if they could be done, the way I read through the paper suggests that there are SO MANY alternatives they could have used that it's going to be finger-in-the-dyke hole-blocking rather than a blanket fix.

A lot of the things they try to do (e.g. roll back to the caller of a function, disassemble the code and see if it came from a direct jump or a proper CALL, etc.) aren't done properly or are worthless (in this example, they just get the MS VC runtimes to do the call "properly" with data they control).

They seem to be able to run arbitrary code via their exploits and they don't pick out any one particular exploit. Most of their work is about punching holes AROUND EMET security, not crafting a one-off exploit, and pretty much they appear to succeed. Most of the things they use are merely small tweaks to existing XP exploits and things like that.

At many points they just say "Or you could do this in a million other ways". So it's not that they've found a one-off hole through these things that works 1/256th of the time by chance, they literally walk around all the checks and security by doing some quite simple things.

And, yes, they end up running calc.exe or whatever they want at the end of it, without EMET or any of the listed protections kicking up a fuss.
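To make the "did it come from a proper CALL" check that the comment above describes concrete, here is a simplified model of such a caller check in C. This is an added teaching example, not code from the Bromium paper, from EMET, or from anyone in this thread: it assumes flat 32-bit x86 encodings, models only the common CALL forms (E8 rel32 and the FF /2 family), and works on constructed byte sequences rather than real process memory. The function names and sample bytes are my own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified "caller check": inspect the bytes just before a return
 * address and decide whether they encode a 32-bit x86 CALL. A genuine
 * call leaves its return address immediately after the CALL instruction;
 * a ROP chain reaches an API through RET or JMP, so no CALL precedes the
 * return site. Only the common encodings are modelled (hypothetical
 * teaching model, not EMET's implementation). */
bool preceded_by_call(const uint8_t *code, size_t len, size_t ret_off)
{
    if (code == NULL || ret_off > len)
        return false;

    /* E8 rel32: direct relative CALL, 5 bytes long. */
    if (ret_off >= 5 && code[ret_off - 5] == 0xE8)
        return true;

    /* FF /2: indirect CALL. The ModRM reg field must be 2 ((m & 0x38) == 0x10). */
    /* 2-byte forms: FF D0..D7 (call reg) and FF 10..17 without SIB/disp32 (call [reg]). */
    if (ret_off >= 2 && code[ret_off - 2] == 0xFF) {
        uint8_t m = code[ret_off - 1];
        if ((m & 0x38) == 0x10) {
            uint8_t mod = m >> 6, rm = m & 7;
            if (mod == 3) return true;                       /* call reg      */
            if (mod == 0 && rm != 4 && rm != 5) return true; /* call [reg]    */
        }
    }
    /* 3-byte form: FF 50..57 disp8 (call [reg+disp8]), rm != 4 means no SIB byte. */
    if (ret_off >= 3 && code[ret_off - 3] == 0xFF) {
        uint8_t m = code[ret_off - 2];
        if ((m & 0x38) == 0x10 && (m >> 6) == 1 && (m & 7) != 4) return true;
    }
    /* 6-byte forms: FF 15 disp32 (call [abs32]) and FF 90..97 disp32 (call [reg+disp32]). */
    if (ret_off >= 6 && code[ret_off - 6] == 0xFF) {
        uint8_t m = code[ret_off - 5];
        if ((m & 0x38) == 0x10) {
            uint8_t mod = m >> 6, rm = m & 7;
            if (mod == 0 && rm == 5) return true;            /* call [disp32]   */
            if (mod == 2 && rm != 4) return true;            /* call [reg+d32]  */
        }
    }
    return false;
}

/* Constructed sample byte sequences (not taken from any real binary). */
const uint8_t sample_direct_call[] = { 0xE8, 0x10, 0x00, 0x00, 0x00 };       /* call rel32      */
const uint8_t sample_call_reg[]    = { 0xFF, 0xD0 };                         /* call eax        */
const uint8_t sample_call_mem[]    = { 0xFF, 0x15, 0x00, 0x10, 0x40, 0x00 }; /* call [0x401000] */
const uint8_t sample_call_disp8[]  = { 0xFF, 0x50, 0x08 };                   /* call [eax+8]    */
const uint8_t sample_gadget_ret[]  = { 0x5B, 0xC3 };                         /* pop ebx; ret    */
const uint8_t sample_jmp_reg[]     = { 0xFF, 0xE0 };                         /* jmp eax         */

/* Verdict for a return site that sits at the end of the buffer:
 * 1 = looks like a real call site, 0 = does not. */
int verdict(const uint8_t *code, size_t len)
{
    return preceded_by_call(code, len, len) ? 1 : 0;
}

int main(void)
{
    printf("call rel32   -> %d\n", verdict(sample_direct_call, sizeof sample_direct_call));
    printf("call eax     -> %d\n", verdict(sample_call_reg, sizeof sample_call_reg));
    printf("call [abs32] -> %d\n", verdict(sample_call_mem, sizeof sample_call_mem));
    printf("call [eax+8] -> %d\n", verdict(sample_call_disp8, sizeof sample_call_disp8));
    printf("pop;ret      -> %d\n", verdict(sample_gadget_ret, sizeof sample_gadget_ret));
    printf("jmp eax      -> %d\n", verdict(sample_jmp_reg, sizeof sample_jmp_reg));
    return 0;
}
```

The check rejects a return site that follows a RET or a JMP, which is the ROP-chain shape such checks exist to catch. It reasons only about bytes, so it is both imprecise (walking backwards over x86 can misread an immediate as an opcode) and, as the comment notes, satisfied by any path that reaches the hooked API through a genuine CALL; that is why it is one layer among several rather than a blanket fix, and why logging its verdicts alongside the other mitigations matters more than trusting any one of them.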

Re: Wait a second... (0)

Anonymous Coward | about 7 months ago | (#46336079)

This paper is trash. The basic argument is if you download an exploit that bypasses basically all of the exploit mitigations, then it's possible to bypass the remaining few trashy mitigations that are there as a last ditch effort. I should've stopped reading when I saw a screen full of python with hardcoded addresses.

It's a long "look at me" paper with little to no value.


Idiomatic ramifications (1)

mordejai (702496) | about 7 months ago | (#46332773)

So... EMET is SHEKER?

experience (1)

ynp7 (1786468) | about 7 months ago | (#46337397)

Someone at Microsoft has a really creepy obsession with the word "Experience." Just stop already!
