Java Exploits Will Continue To Rise

Before I want to start I want to say that as a language I like Java and all animosity I ever express towards Java is likely really meant for Oracle.

Oracle is officially promoting Java 7 (u4) to users now. It offers no real security benefits in terms of system compromise but it does depreciate a few broken hash methods like md4. There’s some performance improvements as well but it’s Java so, yeah.

And, once again, they’re not removing old versions of Java when they update users to 7. Yep, Java 7 installs to the side of Java 6. That’ll work out well.

Java already makes up the vast majority of exploits used against Windows systems and now users will likely have two versions installed without realizing it. Not only is that two versions of software that’s exploited daily, they probably won’t even realize the first version wasn’t overwritten so they’ll likely not patch it either. The Java Updater is pretty broken, requires you give it UAC (task scheduler wtf) permissions when it runs, and it’s on like… a 1-week schedule or 1-month by default agh it’s actually painful to talk about.

Incidentally Adobe Flash Player 13 for Firefox is going to be sandboxed by default similar to what Chrome does. It’s not a super strong sandbox but unlike Oracle Adobe actually gives a damn about security (I know, I know) and they’re made really big progress with improved ASLR and this new sandbox, which has involved serious cooperation with vendors.

So, Flash, which is the most exploited software after Java, is now going to be significantly more secure on ~20-30% of computers. Attackers could break the relatively weak sandbox given enough time but why the hell bother? You’ve now got two Java versions sitting on systems ready to be exploited.

And, because it’s Java, exploit once – run anywhere! In a study by (I believe) Sophos they actually found quite a few pieces of Windows malware on OSX machines. The OSX users weren’t infected but they’d run into an exploit that had dropped a Windows payload. I’m betting you can guess which program was dropping them.

I’d say EMET + Java = enough but that’s a lie. JIT and EMET don’t go together, it’s irrelevant really for a lot of the exploits. DEP/ASLR/EAF helps only because it’s the JVM that’s so broken and I absolutely still recommend running EMET with your Java (see my guide) but your best bet is to just uninstall it. Seriously, you can’t rely on EMET here – uninstall it.

Linux users just AppArmor Java (see my guide) and you’ll be fine. Updates are handled by the OS so patching isn’t an issue anyways. Feels good.

Ubuntu Developer Responds To SecureBoot

I’ll preface by saying that this is not an official statement on behalf of Canonical as far as I know, simply a post on /r/ubuntu. The user is the Ubuntu Community Manager and his post about SecureBoot pretty much sums up my own opinions.

His post in its entirety: 

I think we would all agree that this is terrible that Microsoft are putting other Operating Systems in a position where either (1) they have to sign keys to boot, or (2) we have to ask users to switch off something in their BIOS that has “secure” in the title.

While mal-ware is indeed a threat, and quite nasty, I would have preferred to have seen a means in which a solution can be found that is not controlled by a large corporation who themselves has an Operating System product.

From an Ubuntu perspective, we are going to do everything that we can to ensure our OS boots on the widest range of hardware possible, and the story that Matthew Garrett tells is similar to our experiences in the Ubuntu world. Matthew’s story, and the challenges he has explored are not specific to Fedora, but to all Linux distributions.

I think the problem Microsoft is trying to solve is admirable…mal-ware at that lower level is dangerous, but I think the solution is putting companies like Canonical and Red Hat in a tough spot. [1]

This hits the nail on the head, really. Microsoft is trying to solve a problem and that’s great but in doing so they are putting distros and Linux users in a difficult place. As he says, it’s now a matter of supporting SecureBoot and paying VeriSign or asking users to disable a security feature.

The Importance Of Detection

I received a comment on one of my articles recently about antiviruses being useless and I’d like to talk a bit about that. I personally do not run any antivirus software – not on Linux Ubuntu 12.04 and not on my Windows 8 Release Preview despite the fact that Windows 8 comes with Microsoft Security Essentials by default.

Antiviruses are often considered a staple for security. The average user has an antivirus installed and that’s pretty much the central piece of security for them. It’s simply the most widely used method for security. But a lot of people, especially those with some knowledge about computer security, will tell you that antiviruses are not enough or even, as n=n+1 stated, entirely useless.

Why I Don’t Use Antivirus

I’m one of many users who doesn’t use antivirus software, and not just because I’m on Linux. The fact is that current antiviruses are stupid, the entire basis for their model is “If I don’t know it’s bad, I assume it’s good”, which isn’t inherently wrong but you should never really assume anything is good. It should be “If I don’t know it’s bad, I assume it’s bad and take precautions when running it.” Basically if the AV doesn’t flag the software the software has full access to my /user/ or /home/ folders and can potentially escalate.

Antiviruses are also a bit heavy. New on-access AVs are better about this but compared to other solutions that simply hook specific APIs and otherwise use virtually no resources it’s a lot. Disk and file access goes up and I just like to keep things shaved down.

Every antivirus relies on updates. If your AV isn’t up to date you’re vulnerable, it’s like trying to stay patched except attackers are creating malware 1000x an hour. And heuristics isn’t an answer with the current model, you’re either so low it’s useless or so high you’re bothering the user every 5 seconds with false positives.

Speaking of false positives, they all have them, and as soon as a user gets one single false positive the entire antivirus becomes virtually useless when protecting against social engineering. Social engineering is all about trust and if a user downloaded the file they already trust the file, the antivirus’s job is to be trusted more and every false positive seriously degrades that trust.

Why I Like The Idea

The idea of an antivirus is noble and I believe inherent to a proper security policy (which doesn’t exist currently.) Antiviruses attempt to make decisions about things that users are incapable of. As I said above if a user has downloaded a file that means they trust it. An antivirus tries to get the user to stop trusting it. It’s a good thing, just a horrible horrible implementation that hasn’t gotten better despite years of issues.

Heuristics is necessary for true security. Decision making is inherent to all security because everything comes down to a users decisions – visit the website or not, download the file or not, run the file or not, admin rights or not, etc. Users are not (and never ever will be, no matter how much education) capable of making these decisions. Heuristics act on a level that we can not, they can perform code analysis and behavioral analysis and correlate trends in malware with what they see. Our brains are amazing learning beautiful things but we’re better at the whole survival reproduction – leave file analysis to the experts.

So while I absolutely think that heuristics is not just important, but necessary, I wouldn’t touch an AV with a ten foot poll right now. They’re useless for a targeted attack, not all that useful even with automated attacks, and generally a pain in the ass.

That said, I also wouldn’t ever tell an average user to turn their AV off. Not on Windows at least.

Rogue Certificate Being Used In Wild To Compromise Windows

Coincidentally I’ve just posted about how broken the Certificate Authority system is and here’s an advisory (Microsoft Security Advisory (2718704)) not 5 minutes later from Microsoft talking about an ‘Unauthorized Digital Certificate’ being used in the wild against users.

There don’t seem to be any details but it seems that someone out there has either hacked or otherwise gotten their hands on a Microsoft certificate and they’re using it to perform attacks on users.

There isn’t much to do about this one without more details given. Just update Windows ASAP and you should be fine.

Just another example as to why the entire CA system is broken.

Update

It turns out that this certificate is used by the Flame malware, which would possibly explain why it was reportedly able to infect fully patched Windows 7 computers.

According to Microsoft

Components of the Flame malware were signed with a certificate that chained up to the Microsoft Enforced Licensing Intermediate PCA certificate authority, and ultimately, to the Microsoft Root Authority. This code-signing certificate came by way of the Terminal Server Licensing Service that we operate to issue certificates to customers for ancillary PKI-based functions in their enterprise. Such a certificate could (without this update being applied) also allow attackers to sign code that validates as having been produced by Microsoft.

The implications of this being that Flame could bypass default Windows 7 UAC or potentially attack the system in other ways (depending on what the cert can do.)

You Don’t Need An Antivirus With Windows 8

With Windows 8 out a lot of users are wondering whether they need antivirus with Windows 8, or if they need to pay for an antivirus, or do something else entirely. In my opinion if you’ve been paying for an antivirus for Windows XP, Vista, or 7, you can consider cancelling that next subscription if you’re moving to 8. In my last post about Windows 8 security I glazed over Microsoft Security Essentials and I wouldn’t call what I said ‘positive.’ For my quick non-security oriented review of Windows 8 Release Preview click here.

This post will highlight why MSE is the type of antivirus a consumer needs and why it might be the right choice for Windows 8 users.

Microsoft Is Best Suited For The Job

The fact is that Microsoft created Windows. It’s a closed source project and antivirus companies spend a ton of money just trying to figure it out. Microsoft has a massive advantage here. They know what their code is like, they know where there’s most likely to be a hole, they have the ability to “tap” systems with crash reports or opt-in data collection on a level no antivirus company can ever match. They simply have the most data.

The fact that only Microsoft has access to the source code is one major reason why you should be trusting them to secure your system.

Years Of Practice

We’re a long way away from Windows XP. Windows is not so full of holes as it used to be, Vista brought many security mitigation techniques and a new MAC system to the operating system and Windows 8 expands further on that with new techniques and a new MAC system.

The Windows system has been hacked and torn apart for years and Microsoft has not sat idly by. The company has created new tools such as EMET, which are very effective at what they do. They’ve seriously improved their patch response time and there simply is no comparison between Windows 8 security and Windows XP.

Microsoft has seen years of malware. They know what they’re up against and at this point you’d better believe they know a few ways to fight back.

Reinforced Throughout The Operating System

Microsoft has made it clear that Microsoft Security Essentials is just one layer. Windows 8 also includes SmartScreen, a reputation based heuristics filter that acts system wide to inform and protect users from unknown files that are potentially dangerous. The focus of SmartScreen is on 0day malware and samples that an antivirus might normally not catch.

Where MSE stops SmartScreen begins, picking up slack. Antiviruses are inhibited by their inability to deal with the unknown, something that they will always struggle with. SmartScreen aims to specifically deal with the unknown using heuristics based on file reputation. File reputation essentially checks how “popular” the file is – how many systems it’s been seen on. Only a major company could pull off something like this and Microsoft is absolutely the best company for it – no antivirus can be installed on more Windows systems than exist.

Windows 8 Was Built With MSE In Mind

The fact is that Microsoft didn’t built Windows 8 thinking “let’s create a system that works great with Sophos and Mcafee” they built a system to work with MSE and they built MSE to work with the system. Layered security means understanding which layers are important and which needs to be covered, having full control over every layer leads to a potentially more secure system.

Consistent Heuristic Scores And Low False Positives

AV-comapratives.com “grades” antivirus software and Microsoft Security Essentials does fairly well. It’s not amazing but it’s not terrible, and that’s fine because it’s reinforced by other areas of Windows. What it is, consistently, is quiet. Heuristics is basically a way of “guessing” something – you use heuristics for spam filters, antivirus, language analysis, anything where you need to guess. Naturally this is going to lead to wrong guesses and in an antiviruses case that’s a false positive. MSE has very few false positives, often the lowest or second lowest compared to other antiviruses. Almost all of the antiviruses that get higher heuristic detection scores also have tons of false positives (you can see the correlation) and I think that having few false positives is just as important as having high detection rates.

If my AV is constantly telling me that files that I know are good are actually bad I won’t trust it. And when the time comes and the file I think is good is actually bad and my AV alerts me I simple won’t believe it. We’re all familiar with The Boy Who Cried Wolf, same principal here.

So Is Windows 8 Impregnable?

Well, while I’m very pleased that Microsoft has stepped up its security I think there is still need for some set up to get the system closer to where it should be. I still don’t consider Windows 8 to be as secure as my own configured Linux system but there are significant improvements and for the average user I think we can expect things to go smoothly.

Much of what’s in Windows 8 is untested and may not work out well in the real world. I’m optimistic about some features and not so much about others. Time will tell. I’ve had the Windows 8 Developer Preview, Consumer Preview, and now Release Preview all installed so I have a fair bit of experience with it though.

And, of course, as Windows 8 popularity rises so will hackers interest in bypassing its features so it’s still important to take the extra measures and to keep up with patches. MSE has consistently had decent heuristics with low false positives, which I think is very important.

Windows 8 – A Quick Review

I’ve gotten around to installing the Windows 8 Release Preview and I figure I may as well post about it.

Windows 8’s most obvious feature is the new Metro UI, of which I am a fan. It’s gotten a ton of hate but it’s smooth and familiar in the right ways.

Does this look so different from what you’re used to?

The only really major difference is that the start menu (now a corner) is full screen.

If you can’t handle that I suggest you don’t upgrade because Microsoft has removed the old methods to get Windows 7’s Aero UI working on Windows 8.

I then proceeded to do what I always do on a new Windows installation, install EMET.

And then this happened.

I guess SmartScreen isn’t quite up to par yet as this happened a few more times later on. In the Developer Preview and Consumer Preview I got quite a lot of noise from SmartScreen telling me it doesn’t recognize applications. I’m not confident that users will appreciate this and I won’t be surprised if it’s disabled on most machines.

Still, DEP and SEHOP set to Always On works for me. I can’t do ASLR to Always On because ATI Drivers suck.

Metro also has “Apps”, which are run full screen. I checked out the mail app (and I’m not going to be posting my emails, just the spam folder) and I think it’s very nice.

My favorite app, however, is the weather app.

The app (after asking permission) figured out my state and it even comes with a cool live tile.

Not the most in depth review out there on the net, just a few things I took note of. The OS feels really smooth, it’s great looking, and if I weren’t already spoiled by Ubuntu (I miss alt + drag, super + W, and security) I’d be really pumped for Windows 8. I may be one of the few but I really like this new look and the security improvements would absolutely be enough reason for me to upgrade from 7.

Personally, I don’t think it’s going to do well. Users hate UI changes and this one’s major. I like Metro but I’ve also always liked Unity (I just hated how buggy it used to be) so I’m not going to assume anyone shares my opinion. While Windows 8 is definitely more secure and I absolutely love Metro more than Aero I just can’t imagine users adapting to it within the next two years. Time will tell.

As it stands, it’ll be nice to have it around for games.

Universal ASLR Bypasses And How To Solve Them

Address Space Layout Randomization is an exploit mitigation technique that focuses on preventing Return Oriented Programming attacks. It’s become one of the “must have” tools for a secure program (like DEP) and it’s preset in all modern user-oriented operating systems.

Mitigating ROP is pretty important as most modern exploits take advantage of it. And ASLR would be entirely effective in an ideal world where every single part of address space is randomized and 64bit address space is impossible to bruteforce and heapspray doesn’t exist. We don’t live in that world and there are universal ASLR bypasses for Windows and Linux, heapspray does exist, and the majority of users are stuck in a 32bit address space (and 64bit vanilla ASLR isn’t necessarily impossible to bruteforce).

Windows is actually pretty on top of things with ASLR (as of Windows 8) and /FORCEASLR but there’s always going to be a way around it (unless some things seriously change.)

So what’s the answer?

Well, for non-performance critical applications perhaps a solution like Gadgetless Binaries would be a viable option. Gadgetless binaries would compile code in such a way that an attacker would be unable to make use of static address space instructions to form their attack.

There is a performance hit here so I’m not saying to compile everything with it, but for security critical applications why not? There are specific areas of Windows address space that are loaded in the same exact place every time – why not compile that area with gadgetless binaries and avoid situations like this?

There’s also a somewhat less effective In-Place Code  Randomization technique and even less effective (though still welcome) EAF, which is what Microsoft has implemented.

Perhaps I’m just missing something. Maybe this would require paying out or some such thing but it seems like a great idea to me as ASLR isn’t going to solve every problem. At least not with current implementations (outside of PaX ASLR, which makes use of many other features via Grsecurity to prevent attacks against ASLR).

Sources:

http://iseclab.org/papers/gfree.pdf

A Tip For Those Looking To Lock Down Windows

In my last post I explaining why I won’t be buying ATI until they fix their insecure drivers. This reminded me that Windows does actually have a little-known ability to run the entire system with ASLR enabled. Of course, this can lead to instability and in the case of those of you running ATI cards you will BSOD immediately but if you’re willing to take the risk it’s one more way to lock down Windows.

First, I suggest you take a look at this guide for securing Windows and this guide for setting up EMET.

This short guide will get your ASLR Always On setting enabled in the EMET User Interface.

If you’ve followed the guides you can:

1) Open Regedit

2) Navigate to HKEY_LOCAL_MACHINESOFTWAREMicrosoftEMET

3) Change ‘EnableUnsafeSettings’ to ‘1’

4) Go to your EMET GUI and System Settings – turn ASLR to Always On. If it isn’t there you may need to reboot first.

5) Reboot

Your system might crash in which case you need to go into Safe Mode and disable this. It should go without saying that this risk falls on you, I’ll feel pretty bad if I break your computer but there’s fair warning here.

So now instead of applications having to explicitly opt into using ASLR on Windows your entire system should be running with it. This will probably break a few programs but if it works, great, you’re somewhat potentially more secure.

Windows 8 Release Preview Is Out – Let’s Talk Security

I could take screenshots and do a full review of the Windows 8 OS but some other blog that gets paid to do reviews would just do it better so I’ll stick to what this blog is for – security.

Windows 8 has officially been released as a Release Preview, meaning that just about everything you see in this RP is what you’ll see in the final release. The biggest changes in Windows 8 are pretty surface – the highlight is an entirely new Metro UI, which features a full screen start page and various other major UI changes. There are also some big changes under the hood – Windows 8 is a lighter, faster OS than 7 with lower RAM usage and improved multicore support. And then there’s security…

ASLR

Address Space Layout Randomization (ASLR) is a mitigation technique first designed by PaX foundation. The idea is to randomize a programs address space (the range of virtually memory addresses that make up a process) in order to prevent Return Oriented Programming (a technique used to bypass Data Execution Prevention.) Essentially, because the attacker does not know where areas of the address space are they are unable to make use of that address space in a way that would otherwise allow further compromise of the system.

ASLR relies on the attacker not being able to guess the location of address space. They only have three real options (in terms of defeating ASLR):

1) Find part of the address space that isn’t ASLR enabled

2) Make use of information leaks

3) Bruteforce through the addresses

Windows 8 attempts to directly address (1) and (3.)

/FORCEASLR

In Windows 7- if I run a program like Firefox*, which is ASLR enabled but I use Norton Toolbar, which isn’t ASLR enabled I basically defeat the purpose of ASLR because there’s a predictable address. Windows 8 address this with /FORCEASLR, a compile time flag that will force the entire address space to be ASLR enabled (oversimplification, not entirely true, good enough.)

The benefits are obvious, simply using the /FORCEASLR flag in your program means that no other program will significantly degrade the effectiveness of ASLR.

*Firefox has actually solved this issue by forcing toolbars to use ASLR. It’s an outdated example but it works.

Improved Randomness

ASLR effectiveness necessitates the inability of an attacker to guess or predict locations of address space. If there isn’t sufficient address space or there isn’t sufficient entropy the ASLR won’t be effective and an attacker can bruteforce their way to a useful area.

Windows 8 has improved the random number generator and thereby increased randomness in ASLR.

For 32bit systems this is important. Virtual address space on a 32bit system is much smaller than that of a 64bit system (addressable space on 32bit is 2^32 as opposed to 2^64 for 64bit) so bruteforcing is much easier. Improved randomness will make this more difficult – though because of the small address space it’s potentially a lost cause.

Guard Pages

Guard pages work to prevent usable buffer overflows. Developers can make use of Guard Pages to protect areas of address space – when an attacker tries to overflow an area protected by Guard Pages, they’ll end up throwing an exception.

AppContainer

There aren’t a lot of details about AppContainer yet but it looks like Windows is finally getting proper Mandatory Access Control. The ability to apply finely grained application MAC is hugely beneficial both to preventing and limiting exploitation.

Programs don’t have to squeeze into low integrity anymore, they can use whole-process sandboxes (which aren’t actually better, just easier) to segregate themselves from the system.

The jury’s out on this feature. If it’s as powerful as AppArmor I’ll be happy.

Internet Explorer 10 Metro

IE10 Metro runs in the new Metro environment (WinRT) and is sandboxed from the rest of the system.  It also contains a built in Flash player, which Microsoft has integrated into the browser for improved stability, security, and performance. A smart move on Microsoft’s part as the Flash player is still necessary for viewing a ton of the internet and it is also one of the most commonly exploited applications.

Internet Explorer 10 Desktop

The desktop IE10 (and this applies to Metro) will make use of all of the new security mitigations like FORCEASLR and improved randomness. IE10 will also include an “Enhanced Protected Mode”, which implements a further least-privilege mode based on the earlier Protected Mode principals.

The enhanced protected mode continues IE’s least privilege model, which is great and it should prove more difficult to break out of.

Full System Smart Screen

Smart Screen is an application reputation and heuristics system. Previously it was built into IE9 and an NSS Labs report noted it blocking 96+% of malware (there isn’t enough research on the effectiveness, take that report with a golf ball sized chunk of salt.)

SmartScreen in Windows 8 is now system wide. If an application hasn’t been seen before by MS you get a little message saying “hey, we haven’t seen this before, be careful.”

Personally, I don’t like it and I don’t think it will be effective. That’s just me. I don’t think users are capable of making decisions based on information like that and it threw me a ton of “false positives” (not actually FPs as it’s not calling it malware, same principal) so my trust in its opinion of software is seriously diminished. It won’t be effective for the same reason an AV that throws false positives isn’t effective – if I can’t trust the product I’ll never know when it’s right or wrong.

We’ll see.

SecureBoot

SecureBoot is a much reviled feature as everyone though MS would be locking Linux out of Windows 8 hardware. As I posted about earlier Fedora is already working on implementing it. SecureBoot prevents untrusted code from running before the OS. This will prevent rootkits from bypassing full disk encryption and/or wedging themselves deep into the operating system. It’s a great security feature and I think it will be very effective.

Microsoft Security Essentials 

MSE is a widely used antivirus known for being pretty light and quiet – no false positives. It provides pretty decent detection ~50% when out of date and making use only of heuristics (most people probably don’t stay up to date) but I think we can expect that to fall.

As MSE has gotten more popular it’s also started to drop in performance. This is the case with any popular program. The first thing a hacker will do with their payload is test it against a number of antiviruses (automated tools exist for this) and if it passes by MSE but maybe Panda catches it they might release it anyway because MSE still makes up a huge part of market share.

Windows 8 will increase that market share and increase how seriously hackers take bypassing MSE. It’s detection, not preventative, so it’s flawed in that way.

Did I Miss Anything?

I’ve probably forgotten something. If so, leave me a comment.

All in all, Windows 8 is significantly more secure than Windows 7. If AppContainer turns out well it’ll be a huge boon. Even without AppContainer the numerous memory protections added as well as SecureBoot put Windows 8 far ahead of 7 and I’m excited to see Microsoft really taking security seriously. Personally I still feel safer on Ubuntu thanks to being able to do this but it makes Windows feel way more viable and competitive.

Sources:

https://blogs.msdn.com/b/b8/archive/2011/09/15/protecting-you-from-malware.aspx?Redirected=true

https://blogs.msdn.com/b/securitytipstalk/archive/2012/03/27/internet-explorer-10-offers-enhanced-security.aspx?Redirected=true

Microsoft Gives Advice To IT Professionals About Social Engineering

In a new security article on social engineering Microsoft highlights what measures can be taken to both prevent and remediate  socially engineered attacks.

Some key highlights are:

  •  Limit attack surface
  •  Limit user accounts and strictly monitor high privilege accounts
  •  Maintain a proper incidence response team
  •  Risk analysis and weighting
  •  Proper training

You can read the full article for details but I think those are the tips that stand out. The go-to policy for many companies is “enforce periodic password changes, don’t hand out smartphones to just anyone, tell users to be secure.” That’s my (limited) experience at least. This article should prove useful to anyone willing to put the work into maintaining a secure environment.