Java Exploits Will Continue To Rise

Before I want to start I want to say that as a language I like Java and all animosity I ever express towards Java is likely really meant for Oracle.

Oracle is officially promoting Java 7 (u4) to users now. It offers no real security benefits in terms of system compromise but it does depreciate a few broken hash methods like md4. There’s some performance improvements as well but it’s Java so, yeah.

And, once again, they’re not removing old versions of Java when they update users to 7. Yep, Java 7 installs to the side of Java 6. That’ll work out well.

Java already makes up the vast majority of exploits used against Windows systems and now users will likely have two versions installed without realizing it. Not only is that two versions of software that’s exploited daily, they probably won’t even realize the first version wasn’t overwritten so they’ll likely not patch it either. The Java Updater is pretty broken, requires you give it UAC (task scheduler wtf) permissions when it runs, and it’s on like… a 1-week schedule or 1-month by default agh it’s actually painful to talk about.

Incidentally Adobe Flash Player 13 for Firefox is going to be sandboxed by default similar to what Chrome does. It’s not a super strong sandbox but unlike Oracle Adobe actually gives a damn about security (I know, I know) and they’re made really big progress with improved ASLR and this new sandbox, which has involved serious cooperation with vendors.

So, Flash, which is the most exploited software after Java, is now going to be significantly more secure on ~20-30% of computers. Attackers could break the relatively weak sandbox given enough time but why the hell bother? You’ve now got two Java versions sitting on systems ready to be exploited.

And, because it’s Java, exploit once – run anywhere! In a study by (I believe) Sophos they actually found quite a few pieces of Windows malware on OSX machines. The OSX users weren’t infected but they’d run into an exploit that had dropped a Windows payload. I’m betting you can guess which program was dropping them.

I’d say EMET + Java = enough but that’s a lie. JIT and EMET don’t go together, it’s irrelevant really for a lot of the exploits. DEP/ASLR/EAF helps only because it’s the JVM that’s so broken and I absolutely still recommend running EMET with your Java (see my guide) but your best bet is to just uninstall it. Seriously, you can’t rely on EMET here – uninstall it.

Linux users just AppArmor Java (see my guide) and you’ll be fine. Updates are handled by the OS so patching isn’t an issue anyways. Feels good.

Universal ASLR Bypasses And How To Solve Them

Address Space Layout Randomization is an exploit mitigation technique that focuses on preventing Return Oriented Programming attacks. It’s become one of the “must have” tools for a secure program (like DEP) and it’s preset in all modern user-oriented operating systems.

Mitigating ROP is pretty important as most modern exploits take advantage of it. And ASLR would be entirely effective in an ideal world where every single part of address space is randomized and 64bit address space is impossible to bruteforce and heapspray doesn’t exist. We don’t live in that world and there are universal ASLR bypasses for Windows and Linux, heapspray does exist, and the majority of users are stuck in a 32bit address space (and 64bit vanilla ASLR isn’t necessarily impossible to bruteforce).

Windows is actually pretty on top of things with ASLR (as of Windows 8) and /FORCEASLR but there’s always going to be a way around it (unless some things seriously change.)

So what’s the answer?

Well, for non-performance critical applications perhaps a solution like Gadgetless Binaries would be a viable option. Gadgetless binaries would compile code in such a way that an attacker would be unable to make use of static address space instructions to form their attack.

There is a performance hit here so I’m not saying to compile everything with it, but for security critical applications why not? There are specific areas of Windows address space that are loaded in the same exact place every time – why not compile that area with gadgetless binaries and avoid situations like this?

There’s also a somewhat less effective In-Place Code  Randomization technique and even less effective (though still welcome) EAF, which is what Microsoft has implemented.

Perhaps I’m just missing something. Maybe this would require paying out or some such thing but it seems like a great idea to me as ASLR isn’t going to solve every problem. At least not with current implementations (outside of PaX ASLR, which makes use of many other features via Grsecurity to prevent attacks against ASLR).

Sources:

http://iseclab.org/papers/gfree.pdf

And Now… The Worst Cyber Attack In History

That is the opening line to a youtube video that calls the attack “massive… historic.” Something about the British accents makes it sound so damn serious too… “The most complex *intense pause* they’ve ever seen.”

I wrote about The Flame in a post the other day and I was absolutely pointing out that this is a sophisticated and, yes, scary piece of malware.

While The Flame may be scary it is not all that new. It is highly modularized, more than anything in the past, but the exploits used are old news and the data collection, albeit it intense, isn’t new either.

These words like “attack” and “cyber war” and “super weapon” are scary. I’m not even running Windows and they make me a little scared.

I think Flame is definitely not your typical malware but is it deserving of such terms? It’s new and we’re learning more about it daily, but the media isn’t saying “We’re finding new information blah blah blah” it’s jumping straight to panic.

Where in the report is “Here’s how to stay safe” or “Don’t panic, the vulnerabilities seem to have been patched.”

Anyways, since I’ve already mentioned it, to stay safe you can run Windows Update right now (seriously, stop reading, now) and follow this guide to securing Windows.

Securing Windows

Windows is the most popular and most targeted operating system but a lot of the more common attacks on it are trivial to defeat. This guide will cover some  simple steps to secure Windows and keep your system safe.

Reducing Attack Surface

This should be the first step to securing literally any operating system. Code is attack surface, running code is valuable attack surface, internet facing code is a gold mine.

First thing’s first go ahead and run msconfig.exe. Disable startup applications you have that aren’t important like some toolbar service. Don’t disable applications looking to update.

You can also look in services.msc and disable what you don’t need. Personally, I don’t print from my computer, so right away I can disable the Printer Spooler service. This service has been involved in many infections and an exploit in it allowed for Stuxnet to propogate. There are other services like Computer Browser that you might want to disable. Don’t disable anything without understanding what it is, I suggest you check this wiki out for explanations:

http://www.blackviper.com/windows-services/

I don’t know who that guy is or why that site is the way it is… but the wiki is fine.

You should also uninstall any programs you don’t really run. Maybe you have Java installed but you don’t really know why – get rid of it. Java’s a massive hole on your system. Maybe you have 5 torrent clients for no real reasons, remove 4 of them. Just get rid of what’s on your computer if you don’t need it.

Run EMET

I’ve posted about EMET twice now with an explanation as to what EMET is and a guide to set it up. I highly suggest you follow that guide to the letter.

EMET is probably my favorite tool for Windows security. It’s not going to prevent every exploit ever but pretty much any automated exploit is dead in the water and even a targeted attack will be more difficult against a service running EMET.

If you follow my guide you’ll have many of the critical applications running EMET.

Stay Patched

Staying patched is the easiest way to stay secure. It’s a lot easier for bad guys to exploit known vulnerabilities than to come up with new ones. Even if you’re running EMET and you’ve reduced attack surface if your system is full of vulnerabilities that are well known to every skiddy and hacker out there you’re going to be an easy target.

Set Windows to automatically update.

Guide to set up automatic Windows updates here.

You should also check for browser and plugin updates frequently as these are very commonly exploited.

If you use EMET, uninstall and disable unnecessary software, and keep your system up to date you’re going to avoid most threats for Windows. This isn’t all you can do to secure Windows but if I’ll recommend the above three tips every single time. They’re pretty universal for securing Windows users.

EMET v3.0 – What’s New and How To Set It Up

Microsoft has released version 3.0 of EMET (Enhanced Mitigation Experience Toolkit), a must-have security tool for Windows. To summarize my previous post on EMET, it is a lightweight exploit mitigation tookit that forces programs to make use of modern security techniques – simply put it makes programs more secure. This guide will show you how to set EMET up to secure your Windows system without infringing on your program compatibility. I highly recommend you follow this guide and set EMET up accordingly. I’ve included screenshots to make this guide as clear as possible – setup for 3.0 is just a few minutes.

The major changes in EMET 3.0 are the new pre-made profiles, which make setup easier, and the notifier. EMET will now give a notification when it detects an exploit and you can read about the new pre-made profiles later down the page. You can disable the notifier through msconfig.exe or exit it by clicking the EMET icon in your system tray. I suggest you keep it on unless you’re running on a very old system.

EMET has two main interfaces: one to deal with system wide settings and one to deal with application specific settings.

System Settings:

When you open up EMET you’ll see:

Click “Configure System” and you’ll be brought here: (Your settings will look different)

My suggested configuration is:

DEP: Always On

SEHOP: Always On

ASLR: Opt In

What this means is that all programs will be forced to use DEP and SEHOP and programs have the ability to opt into using ASLR. If you are noticing instability you can change the DEP setting to “Opt-Out” or back to “Opt-In” but I strongly recommend you try Always On first. SEHOP can only be set to “Opt-Out” on Windows 7.

That’s all it takes to set EMET up system wide. (And a system reboot, which you can do after following the rest of this guide.)

Note: ATI Drivers 12.6+ are now ASLR compatible. You may want to give ASLR Always On a try!

Application Specific Settings:

EMET 3.0 makes securing individual programs incredibly easy. Click the “Configure Apps” button on the bottom right of the EMET GUI.

You’ll see this:

Go to File -> Import and navigate to /Program Files(86)/EMET/Deployment/Protection Profiles/all.xml and open it through EMET.

This will add a large list of programs, already configured, to your EMET list. You can change this up if you like but right away your system is much more secure. The default settings seem to cover the most important areas.

If you want to add another program just click “Add” and navigate to the .exe.

The highlight of the preconfigured .xml is that all Java executable files as well as your browser and browser plugins are configured to use EMET. These are the most commonly exploited programs and hardening them is a critical step in securing your system.

You may receive a notification from the EMET Notifier. A new feature to 3.0 that lets you know which security mitigation was just used to prevent an exploit.

 

 

 

That’s all there is to setting up EMET. This should take just a few minutes (including time to download) and it’s the first step to securing Windows. I hope this guide helped.

Tip: If you notice an EMET’d program acting out try disabling EAF. It can cause issues.

You can download EMET from:

https://blogs.technet.com/b/srd/archive/2012/05/15/introducing-emet-v3.aspx?Redirected=true

Note:

It is worth stating that just because you use EMET does not mean you can forego patching. While EMET is an incredible tool for securing Windows it is not a silver bullet, you must keep your system up to date.

Sources:

http://blogs.technet.com/b/srd/archive/2012/05/15/introducing-emet-v3.aspx

EMET – A Windows Security Tool That Everyone Should Use

Techniques like ASLR and DEP have made exploitation of modern software more difficult. And yet many programs still don’t make use of them. Why? Well, sometimes it’s a matter of compatibility but very often it’s simply a matter of the developer not knowing or not caring enough to implement them.

EMET sets out to fix this.

There are very few programs that I think belong on every single computer. EMET is one of those few.

What is it?

EMET is the Enhanced Mitigation Experience Toolkit and it’s pretty damn cool. The goal of EMET is to prevent programs from being exploited by forcing them to make use of modern mitigation techniques (EAF, SEHOP, ASLR, DEP, HeapSpray, Bottom Up Randomization.)

The Good

EMET attempts to bring insecure programs like Java (which is the most exploited piece of software for Windows users) up to speed in terms of security. By running Java with EMET you can prevent a ton of exploits that would have otherwise led to infection. You can also run your browser with EMET to prevent Flash/ browser exploits.

EMET also uses virtually no resources. EMET.dll is something like 44kb and that’s all that’s loaded into programs. The mitigation techniques should have a negligible effect on performance as well.

Compatibility is easy to maintain as EMET can be used on a per-program basis. I suggest that you run your PDF viewer and Java with EMET and consider running your browser as well.

Windows XP users should be downloading EMET as soon as possible. XP doesn’t have any form of ASLR but EMET will provide EAF, which is another ROP mitigation (though less effective.)

The Bad

EMET is not a replacement for an antivirus. It offers absolutely no detection of malware or malicious activity – its only goal is to prevent exploitation.

Even with all of those mitigation techniques there are ways around them; DEP and ASLR just don’t apply to every situation ie: JIT Spraying, which needs a whole separate class of mitigation. EMET drives up the cost of exploit, it doesn’t eliminate the threat.

Some of the techniques like EAF and HeapSpray are also easily bypassed, they’re more for defeating automated attacks, which is still valuable since that’s what the average user will come across.

There are potential compatibility issues with EMET. Very old programs can’t handle DEP and they’ll potentially break even if you just install EMET. It sucks. I suggest you contact the developer and remove EMET in the meantime.

It should be plain to see why EMET is such a significant security tool. Forcing horribly insecure programs like Java to start acting like modern software is probably the most important first step in securing Windows. EMET is a must have, whether you’re on XP, Vista, or 7.

I’ll be posting a guide with screenshots on how to set up EMET very soon.

Grab EMET Here:

https://blogs.technet.com/b/srd/archive/2012/05/15/introducing-emet-v3.aspx?Redirected=true