Windows XP Support Has Ended

A long time ago I posted an article entitled Windows XP – Abandon Ship. That was nearly one year ago today. And just a few days ago XP officially stopped getting support and patches from Microsoft.

I’d like to clear up some misconceptions that people still seem to have.

You cannot be secure on Windows XP. In truth, it’s been a lost cause for quite some time, but Microsoft has been pretty good at dealing with threats through an active approach. Shatter attacks devastate XP machines due to poor privilege separation, but Microsoft addressed this issue decently with a few patches and by lowering service permissions.

Patches are not coming anymore. Support is gone. Do not expect the next big attack to be swiftly put down.

But what does that mean for you, XP user?

It could mean nothing – attackers may not care. We’ve never had such a widely used piece of software go out of support with so many people still on it. As far as I know this is unprecedented. Predictions are meaningless – I cannot tell you what attackers will do, only what they can do.

So, as always, if you’re using XP or any unsecured system you will be playing a game of chance and not skill. It becomes ‘any attacker who wants to’ as opposed to ‘any attacker who can’ when it comes to getting into your system.

Is that a system you want to rely on?

I’ll also take this time to say that no one should be extending support for XP. Notably, Google Chrome will be continuing to patch XP. To me this is nothing but a false sense of security. Google Chrome relies heavily on its sandbox to protect its users, but any sandbox on Windows is going to rely entirely on a secure operating system. So the sandbox is very clearly not a huge barrier because the unpatched XP kernel and services will be easily leveraged for a full sandbox escape.

No one should be encouraged to use XP now. Take no pride in it – you’re gambling, that’s it.

“But I run EMET! You said EMET is great!”

EMET is awesome. And largely useless against an attacker on XP – while it’s a cute way to buy a little time before patching, it is by no means a significant barrier when basic memory corruption mitigations are not even supported by the operating system.

“But I run NoScript”

I love NoScript – great piece of software. But what will you do when a kernel vulnerability in text parsing is being used in the wild? You’ll get infected.

I really have very little to say here. XP is not securable. It wasn’t a year ago, and now it is less securable than ever.

I’m not saying you’ll get infected. I’m not saying that every XP machine will be linked to a botnet in a year. I’m saying that you are not secure, and anyone who wants to take advantage of that will not have a hard time.

Windows Hardening Guide

Collaborative post by @0xdabbad00 (0xdabbad00.com) and @insanitybit (insanitybit.com)

 

Audience

This guide is focused on Windows Vista, 7 and 8 systems for personal use.  This guide is not concerned with the following:

– Not Windows XP or earlier, because they simply do not have the security features necessary to use them securely.  A lack of ASLR and SEHOP, no integrity levels, a kernel with exposed attack surface, and a general lack of privilege separation make securing XP a task best left to science fiction.

– Not enterprise environments, though some of this information can certainly translate over.

– No IDS, DNS log monitoring, or other network related activities that are usually only reasonable to spend time on in enterprise environments.

Strategy

Disrupt, deny, and degrade attacks through reduction of attack surface area and implementation of modern mitigation techniques.  Finally, prepare for the worst: assume APT.

Reduce Attack Surface

Vulnerabilities require one thing – code; if the code exists, so will vulnerabilities. The best way to avoid being exploited is to ensure there are as few vulnerabilities as possible for the attacker to exploit.  The simplest and most effective way to do that is to minimize the amount of software on the system – less running code means fewer places for your attacker to poke at.

There are some key areas that are commonly attacked:

1) PDF Reader:  If possible, uninstall Adobe Reader and use Chrome or Firefox’s built-in PDF reader.  If you must use Adobe Reader, ensure that JavaScript is disabled and that Protected Mode is enabled in the security settings. There will be other steps in the guide for hardening your PDF reader further.

2) Java: Java is one of the most highly exploited programs on Windows systems. It’s a very easy target for attackers, and this is unlikely to change for a long time. If you can’t remove Java altogether I highly suggest changing your browser settings to “Click To Play Plugins”.

3) Windows Services: Windows, like any other mainstream OS, comes with a ‘default compatible’ attitude – it has to work for everyone. That means it comes with a large number of services running by default. These services are exploitable, and have been used for local privilege escalation in the past. Disable any Windows services that you don’t need. Deciding which services you do or don’t need requires a bit of research, as different users require different things.

For other software you’ve installed, such as an instant messaging client or torrenting client, always ensure that you have the latest version and keep track of security releases.  Many applications have their own auto-update mechanism; make sure you enable it if you don’t think you’ll stay on top of patching yourself.  You can also use software like Secunia’s PSI, which will scan the software you have installed to ensure it is up-to-date.  Secunia PSI can be useful to install once and check for out-of-date software, but it’s somewhat awkward to use and have running regularly, so I uninstall it after running it once. Alternatively you can use the FileHippo updater, which is portable and will check for any out-of-date software in its repository.
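As an added example (this is not the guide’s own code), here is a PowerShell inventory that lists every automatically started service along with its binary path and description, separates Windows services from third-party ones so you know where to start researching, and provides a helper that disables only the services you explicitly name after you have made that decision. The service names in the commented usage line are constructed placeholders.

```powershell
# Added example, not from the guide: inventory auto-start services so you can
# research them, then disable only the ones you explicitly decide you don't need.
# Run from an elevated PowerShell prompt (Set-Service needs administrator rights).

function Get-AutoStartServiceInventory {
    # Win32_Service exposes StartMode, PathName and Description, which
    # Get-Service on Vista/7/8 does not.
    $services = Get-WmiObject -Class Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' }

    foreach ($svc in $services) {
        # Heuristic: a binary under %SystemRoot% is treated as a Windows service;
        # anything else came with third-party software and is the easier call.
        if ($svc.PathName -like "*$env:SystemRoot*") { $origin = 'Windows' }
        else                                          { $origin = 'Third-party' }
        New-Object PSObject -Property @{
            Name        = $svc.Name
            DisplayName = $svc.DisplayName
            State       = $svc.State
            Origin      = $origin
            Path        = $svc.PathName
            Description = $svc.Description
        }
    }
}

function Disable-NamedService {
    # Disables only the services passed in; it never guesses. Services that
    # other services depend on are left alone and reported for a second look.
    param([Parameter(Mandatory = $true)][string[]]$Name)

    foreach ($n in $Name) {
        $svc = Get-Service -Name $n -ErrorAction SilentlyContinue
        if (-not $svc) { Write-Warning "No service named '$n'"; continue }
        if ($svc.DependentServices.Count -gt 0) {
            $deps = ($svc.DependentServices | ForEach-Object { $_.Name }) -join ', '
            Write-Warning "$n is required by: $deps - skipping"
            continue
        }
        if ($svc.Status -eq 'Running') { Stop-Service -Name $n -Force }
        Set-Service -Name $n -StartupType Disabled
        Write-Host "Disabled $n"
    }
}

# Report, third-party services first since those are the easiest wins.
Get-AutoStartServiceInventory |
    Sort-Object Origin, Name |
    Format-Table Origin, Name, DisplayName, State, Path -AutoSize

# Usage once you have decided (names below are constructed placeholders):
# Disable-NamedService -Name 'ExampleUpdaterSvc', 'ExampleTelemetrySvc'
```

The report-first design is deliberate: a script that disables everything not on an allowlist will eventually take out a service the machine needs to boot or log on, so the disabling step only ever acts on names you typed yourself, and it refuses services that something else still depends on.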

 

Disrupt Exploits

Given the possibility that your software may be vulnerable to 0-day threats or known threats that have not yet been patched, the next line of defense is to use techniques that disrupt exploits from being successful.  This is what EMET does.  It takes a bit of configuration, so use insanitybit’s write-up as a guide: http://www.insanitybit.com/2012/07/26/setting-up-emet-3-5-tech-preview-9-2/

 

If an exploit does manage to get execution, the next line of defense is to break its ability to work correctly by denying it access to different APIs.  The best solution for this is AmbushIPS by @scriptjunkie1.  This will protect best against ROP based exploits (which usually disable DEP as one of their steps, which AmbushIPS checks for), but also against exploits which have obtained full arbitrary execution.  If the attacker knows you are using AmbushIPS, he could likely modify his exploit to work around it, so to some degree this is security through obscurity, but setting up an IDS/IPS can prove very beneficial to those willing to manage them.  You can also write your own signatures for AmbushIPS to check for, which adds further unknowns for attackers.

 

AmbushIPS can not only block exploits, but it can also log chosen Windows API calls to a remote server.  This could be helpful in identifying when an attack occurred and how, post-mortem.

 

Block Payloads

Although the stage in which an attacker launches their payload is both optional and late in the game, those looking to improve their security may look into AppLocker, an Anti-Executable security solution available for the more enterprise oriented Windows editions (Windows Server 2008 R2, Windows 7 Ultimate and Enterprise, Windows Server 2012, and Windows 8 Enterprise). Anti-Executable software works by preventing processes from launching based on a whitelist and blacklist. If Firefox.exe is running, and it tries to run evil.exe, and evil.exe is not whitelisted, then it will not run. This is most helpful for preventing malware that uses legacy techniques, and making it more difficult for an attacker to gain persistence.

AppLocker rules come in three types: path, hash, and my favorite, publisher.

A path rule is really quite weak. It basically says that ‘only files from this path can execute’, which means that all an attacker has to do to bypass that rule is write to the path and execute.

Hash rules are much more difficult to get around, but they’re also horribly difficult to maintain. Every time your program updates you need a new hash.

Publisher rules are based on certificate information. This is much easier to deal with, as it’ll only allow specific programs to run, but it won’t have to be updated for every program update.

While AppLocker is not enough for any attack that accounts for it, it can be useful when layered on top of other techniques. Just be sure that you realize its shortcomings.
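As an added example (not the guide’s own code), the following PowerShell builds the publisher-based policy described above from the programs already installed, falling back to hash rules only for unsigned binaries, starts in audit-only mode so nothing is blocked until you have reviewed what would have been, and shows how to test a single path against the policy. It assumes an AppLocker-capable edition with the AppLocker module available; the Downloads path at the end is a constructed placeholder.

```powershell
# Added example, not from the guide: generate publisher rules (hash rules as a
# fallback for unsigned binaries) from what is already installed, start in
# audit-only mode, and review what would have been blocked before enforcing.
# Requires an AppLocker-capable edition and the AppLocker PowerShell module.
Import-Module AppLocker

$policyPath = "$env:USERPROFILE\Desktop\applocker-baseline.xml"

function New-BaselineAppLockerPolicy {
    param([string[]]$Directories = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot))

    $files = foreach ($dir in $Directories) {
        if ($dir -and (Test-Path $dir)) {
            # Collects signature (publisher) and hash data for every .exe found
            Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe
        }
    }

    # Publisher where a signature exists, Hash otherwise; -Optimize merges rules
    # that share a publisher so the policy stays readable.
    $xml = New-AppLockerPolicy -FileInformation $files `
        -RuleType Publisher, Hash -User Everyone `
        -RuleNamePrefix Baseline -Optimize -Xml

    # Flip every rule collection to AuditOnly so nothing is blocked yet.
    $doc = [xml]$xml
    foreach ($rc in $doc.AppLockerPolicy.RuleCollection) {
        $rc.SetAttribute('EnforcementMode', 'AuditOnly')
    }
    $doc.Save($policyPath)
    $policyPath
}

function Test-PathAgainstPolicy {
    param([Parameter(Mandatory = $true)][string]$Path)
    # Reports Allowed/Denied for the file and which rule matched.
    Test-AppLockerPolicy -XmlPolicy $policyPath -Path $Path -User Everyone
}

function Get-AuditedLaunches {
    # Events written while in AuditOnly mode: what enforcement would have blocked.
    Get-AppLockerFileInformation -EventLog `
        -LogPath 'Microsoft-Windows-AppLocker/EXE and DLL' -EventType Audited
}

New-BaselineAppLockerPolicy

# The Application Identity service must be running for AppLocker to evaluate
# anything at all; then apply the audit-only policy locally.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyPath

# Example check against a constructed path:
Test-PathAgainstPolicy -Path "$env:USERPROFILE\Downloads\example.exe"
```

Run in audit mode for a week or two, look at `Get-AuditedLaunches`, add publisher rules for anything legitimate that shows up, and only then change `EnforcementMode` to `Enabled`. Because the publisher rules are generated with `-Optimize`, a vendor’s update keeps running as long as it is signed by the same publisher, which is exactly the maintenance advantage over hash rules described above.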

 

Prepare For The Worst

Given the possibility that your laptop could just simply be stolen, encrypt your data with TrueCrypt (free) or Windows BitLocker (if you have Windows Enterprise or Ultimate editions).  Any and all sensitive information (ex. proprietary code for your company if you are a software developer) should generally be stored in some type of encrypted container.  Be aware that if you try to only encrypt specific data, Windows will still save a hibernation file (a copy of the RAM) to the system partition which may contain your sensitive information.

Here are guides for TrueCrypt and BitLocker.

 

Security advice not specific to Windows

Your browser is your main attack surface on a personal system, so take efforts to secure that by using various extensions (NoScript and HTTPS-Everywhere). You can find guides for securing Firefox and Chrome here and here. As a user if you secure your browser you’re securing the area that most attackers will attempt to exploit.

Many websites now offer dual-factor authentication, such as GMail and Facebook.  Take advantage of these, so you don’t end up getting locked out of your own email and social network sites if you ever get owned.

Do your banking from a different computer that you use infrequently, but still keep up-to-date on patches!  Have your various website accounts send password resets to an email account that you only access from this banking computer. Make sure you’re connecting to these websites through a secure and trusted network.

 

Conclusion

There is a lot of security software for Windows out there: some legitimately adds protection, and some unfortunately exposes you to more attacks than it protects you from.  It’s impossible to cover it all in a single post, so we tried to stick to the built-in and free tools that are most important.

If you follow this guide you’ll be making an attacker’s job much more difficult. Though there is no silver bullet, and Windows security software is somewhat limited, you can use this guide to significantly improve your chances when facing the latest 0-day exploit in your browser.

As always, if you have suggestions for the guide, corrections, or general comments, please feel free to leave that all in the comments section and we’ll have a look.

 

Chrome Gets Hacked – Pwn2Own 2013

So Pwnium 2013, held at CanSecWest, started today. And while details of the attacks aren’t out, one in particular stuck out to me. This post can be considered something of a “Part 2” to my “Securing Insecure Systems” because it highlights the absolute number one most important thing – a secure kernel is necessary for a secure system.

MWRLabs was the only contestant booked for Chrome hacking, and they were successful, leveraging initial RCE/ASLR bypasses on Windows 7 to gain access to Chrome. From there they exploited a kernel vulnerability, and that’s where the fun is.

We also used a kernel vulnerability in the underlying operating system in order to gain elevated privileges and to execute arbitrary commands outside of the sandbox with system privileges.

What people need to realize is that no matter how tight Chrome’s sandbox is (Untrusted has no read/write access to the entire file system, and that’s where they started), there’s an entire complex full-of-vulns kernel sitting right there, ripe for exploitation. And MWRLabs took advantage of that – they broke through the sandbox.

And what does that prove? It proves that no matter what the hell you do to restrict things like file access, if you leave your kernel exposed, you are vulnerable.

On Linux I see, time and time again, that people feel they don’t need PaX/Grsecurity. These people state “Oh, well we have SELinux”. This proves that MAC is not enough. You’re trying to solve an insecure kernel by putting a piece of code in your kernel that restricts file access… nope.

Thankfully, on Linux, there are ways to limit kernel attack surface. You’ve got seccomp mode 2 filters, which filter access to the kernel. By limiting kernel attack surface you make the kernel more difficult to exploit – though this does not negate the need for a patched and hardened kernel.

So what do you want to take from this?

1) No. You aren’t secure if you don’t patch.

2) No. You aren’t secure just because you use SELinux.

Windows 8 Metro Isn’t So Bad

Windows 8 ships with a new User Interface that’s gotten a lot of flak, but the truth is that I’ve found it very easy to adjust to and it hardly differs from Aero for my usage. If you look at the UI as a whole, at every part, then it looks much further from Aero, but if you just focus on the parts that the average person is going to use… it’s really quite similar.

Here’s a picture of what I’m staring at 99% of the time I’m on my computer.


Hardly a major change from Windows Vista or 7. The only noticeable change for me is the start menu, which is now a start ‘screen’.


 

That’s a fairly large difference, but not wholly unwelcome. There are benefits, such as having live tiles and the large icons are easy to read, and there are downsides, such as being taken from whatever you’re doing and being put entirely into this new menu.

It doesn’t interrupt my workflow, personally. 

This isn’t really a review of the UI but I think people should understand that while as a whole the user interface is very different, when you cut down to the bits you’ll interact with, it’s almost identical to Windows 7.

And if you’re after security Windows 8 is going to outperform Windows 7 there, especially after further hardening.

 

Windows 8 With EMET Is Surprisingly Stable

I’m using Microsoft Windows 8 and I have been since just a few days after the official release. Naturally EMET (click here for more info) is one of the first programs I install on any Windows OS and with ATI now supporting ASLR with the 12.7 and up drivers I’ve set my system to the maximum settings for all categories.


Essentially the three major exploit mitigation techniques, DEP, ASLR, and SEHOP, are forced on all executables on the system. The default setting for both DEP and ASLR is Opt-In, which isn’t very secure (though all new programs ship with DEP at this point due to compiler default flags), so by ignoring program settings and forcing these techniques system-wide EMET makes the system more secure.
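As an added example (not from this post), here is a PowerShell script that reports the system-wide DEP, SEHOP and ASLR policy and then reads the PE header flags of installed executables to show which ones would be left unprotected under an Opt-In policy. The DEP value comes from WMI; the SEHOP and ASLR registry values are the ones I understand EMET to write when you change the system settings, and those two locations are an assumption you should confirm against your EMET version.

```powershell
# Added example, not from the post: report the system-wide DEP, SEHOP and ASLR
# policy that EMET's system settings page controls, and read the PE header
# flags that decide whether a program opts in when the policy is only Opt-In.
# The DEP code comes from WMI; the SEHOP and ASLR registry values are the ones
# EMET writes as far as I know them (assumption - confirm for your EMET version).

function Get-SystemMitigationPolicy {
    # DataExecutionPrevention_SupportPolicy: 0 AlwaysOff, 1 AlwaysOn, 2 OptIn, 3 OptOut
    $depNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $dep = $depNames[[int]$os.DataExecutionPrevention_SupportPolicy]

    # SEHOP: 0 = enforced for all processes, 1 = off; missing = per-process opt-in
    $kernelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'
    $decv = (Get-ItemProperty -Path $kernelKey -ErrorAction SilentlyContinue).DisableExceptionChainValidation
    if ($decv -eq 0)     { $sehop = 'AlwaysOn' }
    elseif ($decv -eq 1) { $sehop = 'AlwaysOff' }
    else                 { $sehop = 'OptIn' }

    # ASLR (assumption): MoveImages 0 = off, 0xFFFFFFFF (read back as -1) = always
    # on, absent = opt-in via the DYNAMICBASE flag in each image
    $mmKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $mi = (Get-ItemProperty -Path $mmKey -ErrorAction SilentlyContinue).MoveImages
    if ($mi -eq $null)   { $aslr = 'OptIn' }
    elseif ($mi -eq 0)   { $aslr = 'AlwaysOff' }
    elseif ($mi -eq -1)  { $aslr = 'AlwaysOn' }
    else                 { $aslr = "Unknown ($mi)" }

    New-Object PSObject -Property @{ DEP = $dep; SEHOP = $sehop; ASLR = $aslr }
}

function Get-PEMitigationFlags {
    # Reads IMAGE_OPTIONAL_HEADER.DllCharacteristics: 0x0040 DYNAMIC_BASE (ASLR
    # opt-in), 0x0100 NX_COMPAT (DEP opt-in), 0x0400 NO_SEH.
    param([Parameter(Mandatory = $true)][string]$Path)
    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b[0] -ne 0x4D -or $b[1] -ne 0x5A) { throw "$Path is not an MZ executable" }
    $peOffset = [BitConverter]::ToInt32($b, 0x3C)
    if ([BitConverter]::ToUInt32($b, $peOffset) -ne 0x00004550) { throw "$Path has no PE signature" }
    # The optional header follows the 4-byte signature and 20-byte COFF header;
    # DllCharacteristics sits at offset 70 of it in both PE32 and PE32+.
    $dllChars = [BitConverter]::ToUInt16($b, $peOffset + 24 + 70)
    New-Object PSObject -Property @{
        Path        = $Path
        DynamicBase = [bool]($dllChars -band 0x0040)
        NxCompat    = [bool]($dllChars -band 0x0100)
        NoSeh       = [bool]($dllChars -band 0x0400)
    }
}

Get-SystemMitigationPolicy | Format-List

# Which installed programs would be left out under an Opt-In policy?
Get-ChildItem "$env:ProgramFiles" -Recurse -Filter *.exe -ErrorAction SilentlyContinue |
    ForEach-Object { Get-PEMitigationFlags -Path $_.FullName } |
    Where-Object { -not ($_.DynamicBase -and $_.NxCompat) } |
    Format-Table Path, DynamicBase, NxCompat, NoSeh -AutoSize
```

The second report is the practical argument for Always On: every executable it lists is one that an Opt-In policy silently leaves without ASLR or DEP, and the same list is a good place to expect the compatibility issues mentioned below, since those are the binaries whose authors never tested under these mitigations.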

The downside is potential compatibility issues. So far I’ve only had issues with CCleaner’s installer, which does not like ASLR, although CCleaner itself does work fine with ASLR enabled.

Anyone looking to really secure a Windows system against attack should consider setting EMET up this way. To see how to enable ASLR to Always On via EMET just click here.

Remember, to get the full benefit of EMET you should also make use of the per-application settings, which will enforce multiple techniques other than DEP, SEHOP, and ASLR. And if you don’t mind Metro you should consider moving to Windows 8 as it has significantly improved ASLR.

Just got Windows 7 Installed

So as you may have read I’m now using a 128GB SSD. I’ve allocated 87.4GB of that space to Windows 7, which I’ve secured with EMET (DEP Always On, SEHOP Opt Out, ASLR Always On).

The vast majority of this space is going towards games. Borderlands is a full 21GB (don’t ask, special version) and Skyrim is another 7GB or so.

I have another 40GB of space for my Windows partition and about 25GB for Ubuntu. Plenty. I could fit a whole other OS on here.

My Windows Isn’t Super Secure

While my Ubuntu install is configured with AppArmor and Grsecurity/PaX (although due to some issues with Ubuntu I don’t get the full benefits of PaX and I’ve been too lazy to sort it) my Windows only runs EMET. That’s the only program I use for security – DEP is Always On, SEHOP is Always On, ASLR is Opt In (damn AMD.)

On top of that I rarely boot into Windows so my Java is currently three patches behind and I go days without Windows updates etc.

Going from my much hardened system to that is strange. I could probably do more but not without third party software.

The Reasons I Use Linux

I was a Windows user my entire life. I’ve only been using Ubuntu since April but there’s a few reasons why I can’t imagine going back.

1) Upgrades

Upgrading on Windows means buying a new OS and, in the case of Windows 8, getting used to an entirely new user experience. On Ubuntu I can use pretty much any UI I want and the experience is pretty much the same even if the back-end changes. Yes, moving to Unity would be a huge change from Gnome 2 but, unlike Windows, I can always move to Gnome 2 if I want.

That brings me to my next point.

2) Freedom and Choice

I can do anything to my system. The source code is available so I can modify it at the absolute lowest level if I feel inclined. I personally am able to compile my own software, including my kernel, to ensure that my OS is tailored down to the last byte for me.

3) The UI

I don’t get Unity hate. I love it. I have all of the shortcuts I could ever want (Super + W, Alt + Tab, Alt + Drag, Super + Direction) and it’s working very well for me.

4) Security

I don’t really worry too much about my personal computer’s security. I compile a PaX/grsec kernel because I can, that’s literally 99% of the reason I do it. But it’s because I can do that that I feel more secure on Linux. AppArmor doesn’t have anything similar on Windows; AppContainer might possibly change this.

5) Updates

Windows is such a pain in the ass to update. Update Flash, update Java, update my browser, update Skype, update Pidgin – all of this has to be done individually and it’s a pain. On Linux it’s all handled automatically, which makes for a much easier and more secure time.

These are only a few of the reasons I chose Linux. There are a thousand little reasons. I keep Windows around for games and a few other reasons but I rarely boot into it.

I’m Back On Windows

It’s a bit of a long story but I’ve completely screwed up my Ubuntu partition. I reformatted it and all was going well until ATI driver issues, which I just don’t feel like dealing with.

It’s not really a Linux issue… it’s just a “tired of getting my computer to work” issue. Honestly, Ubuntu has been amazing and I feel it’s significantly more secure than Windows. It’s been really easy to use up until now – I just don’t feel like dealing with it.

I’m just gonna make do on Windows 8 for a while and I won’t think too hard about the lack of proper MAC.

Chrome Sandbox Change On Windows

Up until recently the renderer for Chrome tabs ran at ‘Low Integrity’, meaning that it could only read/write to low integrity files and folders. Perhaps coincidentally (though I doubt it), after the Pwnium exploits broke out of the Chrome sandbox, Chrome now runs the renderer at Untrusted, meaning it can only access ‘Untrusted Integrity’ files and folders.

By default there actually aren’t any areas of the Windows OS that have Untrusted integrity so this pretty much means the Chrome renderer no longer has disk access capabilities.
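As an added example (not from this post), the following PowerShell checks that claim on your own machine: it walks a few folder roots, runs icacls on each folder and reports any that carry an explicit Low or Untrusted mandatory label. It assumes the English icacls wording “Mandatory Label\<level> Mandatory Level” in the output; the default roots are just a starting point.

```powershell
# Added example, not from the post: find folders under a few roots that carry an
# explicit Low or Untrusted mandatory label, by running icacls on each one and
# parsing its "Mandatory Label\<level> Mandatory Level" line (assumption about
# the English output wording). Works from a normal, non-elevated prompt.

function Get-LowIntegrityFolders {
    param(
        [string[]]$Roots  = @("$env:USERPROFILE\AppData", $env:TEMP),
        [string[]]$Levels = @('Low', 'Untrusted')
    )
    $pattern = 'Mandatory Label\\(' + ($Levels -join '|') + ') Mandatory Level'
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # The root itself plus every folder below it; PSIsContainer keeps this
        # working on the PowerShell 2 that ships with Windows 7.
        $folders = @(Get-Item -LiteralPath $root) +
                   @(Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
                     Where-Object { $_.PSIsContainer })
        foreach ($f in $folders) {
            # One icacls call per folder so every output line refers to that path
            $out = (& icacls $f.FullName 2>$null) -join "`n"
            if ($out -match $pattern) {
                New-Object PSObject -Property @{ Path = $f.FullName; Level = $Matches[1] }
            }
        }
    }
}

Get-LowIntegrityFolders | Format-Table Level, Path -AutoSize
```

On a stock profile the only hit you should expect is `AppData\LocalLow`, labelled Low, which is what the Low-integrity renderer used to be able to write to; nothing comes back at Untrusted. icacls itself only lets you assign L, M or H with `/setintegritylevel`, so a folder an Untrusted process could write to is not something you will create by accident, which is the restriction the post is describing.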

Google hasn’t said anything about this, which I find odd, so perhaps it’s a bug in Process Explorer? Doesn’t seem to be, but who knows.

Either way, it’s a significant restriction if they’ve managed to do this.