Posts Tagged: Enhanced Mitigation Experience Toolkit


31
May 16

Got $90,000? A Windows 0-Day Could Be Yours

How much would a cybercriminal, nation state or organized crime group pay for blueprints on how to exploit a serious, currently undocumented, unpatched vulnerability in all versions of Microsoft Windows? That price probably depends on the power of the exploit and what the market will bear at the time, but here’s a look at one convincing recent exploit sales thread from the cybercrime underworld where the current asking price for a Windows-wide bug that allegedly defeats all of Microsoft’s current security defenses is USD $90,000.

So-called “zero-day” vulnerabilities are flaws in software and hardware that even the makers of the product in question do not know about. Zero-days can be used by attackers to remotely and completely compromise a target — such as with a zero-day vulnerability in a browser plugin component like Adobe Flash or Oracle’s Java. These flaws are coveted, prized, and in some cases stockpiled by cybercriminals and nation states alike because they enable very stealthy and targeted attacks.

The $90,000 Windows bug that went on sale at the semi-exclusive Russian language cybercrime forum exploit[dot]in earlier this month is in a slightly less serious class of software vulnerability called a “local privilege escalation” (LPE) bug. This type of flaw is always going to be used in tandem with another vulnerability to successfully deliver and run the attacker’s malicious code.

LPE bugs can help amplify the impact of other exploits. One core tenet of security is limiting the rights or privileges of certain programs so that they run with the rights of a normal user — and not under the all-powerful administrator or “system” user accounts that can delete, modify or read any file on the computer. That way, if a security hole is found in one of these programs, that hole can’t be exploited to worm into files and folders that belong only to the administrator of the system.

This is where a privilege escalation bug can come in handy. An attacker may already have a reliable exploit that works remotely — but the trouble is his exploit only succeeds if the current user is running Windows as an administrator. No problem: Chain that remote exploit with a local privilege escalation bug that can bump up the target’s account privileges to that of an admin, and your remote exploit can work its magic without hindrance.

The seller of this supposed zero-day — someone using the nickname “BuggiCorp” — claims his exploit works on every version of Windows from Windows 2000 on up to Microsoft’s flagship Windows 10 operating system. To support his claims, the seller includes two videos of the exploit in action on what appears to be a system that was patched all the way up through this month’s (May 2016) batch of patches from Microsoft (it’s probably no accident that the video was created on May 10, the same day as Patch Tuesday this month).

A second video (above) appears to show the exploit working even though the test machine in the video is running Microsoft’s Enhanced Mitigation Experience Toolkit (EMET), a free software framework designed to help block or blunt exploits against known and unknown Windows vulnerabilities and flaws in third-party applications that run on top of Windows.

The sales thread on exploit[dot]in.

The sales thread on exploit[dot]in.

Jeff Jones, a cybersecurity strategist with Microsoft, said the company was aware of the exploit sales thread, but stressed that the claims were still unverified. Asked whether Microsoft would ever consider paying for information about the zero-day vulnerability, Jones pointed to the company’s bug bounty program that rewards security researchers for reporting vulnerabilities. According to Microsoft, the program to date has paid out more than $500,000 in bounties.

Microsoft heavily restricts the types of vulnerabilities that qualify for bounty rewards, but a bug like the one on sale for $90,000 would in fact qualify for a substantial bounty reward. Last summer, Microsoft raised its reward for information about a vulnerability that can fully bypass EMET from $50,000 to $100,000. Incidentally, Microsoft said any researcher with a vulnerability or who has questions can reach out to the Microsoft Security Response Center to learn more about the program and process.

ANALYSIS

It’s interesting that this exploit’s seller could potentially make more money by peddling his find to Microsoft than to the cybercriminal community. Of course, the videos and the whole thing could be a sham, but that’s probably unlikely in this case. For one thing, a scammer seeking to scam other thieves would not insist on using the cybercrime forum’s escrow service to consummate the transaction, as this vendor has. Continue reading →


13
Apr 16

‘Badlock’ Bug Tops Microsoft Patch Batch

Microsoft released fixes on Tuesday to plug critical security holes in Windows and other software. The company issued 13 patches to tackle dozens of vulnerabilities, including a much-hyped “Badlock” file-sharing bug that appears ripe for exploitation. Also, Adobe updated its Flash Player release to address at least two-dozen flaws — in addition to the zero-day vulnerability Adobe patched last week.

Source: badlock.org

Source: badlock.org

The Windows patch that seems to be getting the most attention this month remedies seven vulnerabilities in Samba, a service used to manage file and print services across networks and multiple operating systems. This may sound innocuous enough, but attackers who gain access to private or corporate network could use these flaws to intercept traffic, view or modify user passwords, or shut down critical services.

According to badlock.org, a Web site set up to disseminate information about the widespread nature of the threat that this vulnerability poses, we are likely to see active exploitation of the Samba vulnerabilities soon.

Two of the Microsoft patches address flaws that were disclosed prior to Patch Tuesday. One of them is included in a bundle of fixes for Internet Explorer. A critical update for the Microsoft Graphics Component targets four vulnerabilities, two of which have been detected already in exploits in the wild, according to Chris Goettl at security vendor Shavlik.

Just a reminder: If you use Windows and haven’t yet taken advantage of the Enhanced Mitigation Experience Toolkit, a.k.a. “EMET,” you should definitely consider it. I describe the basic features and benefits of running EMET in this blog post from 2014 (yes, it’s time to revisit EMET in a future post), but the gist of it is that EMET helps block or blunt exploits against known and unknown Windows vulnerabilities and flaws in third-party applications that run on top of Windows. The latest version, v. 5.5, is available hereContinue reading →


12
Aug 14

Adobe, Microsoft Push Critical Security Fixes

Adobe and Microsoft today each independently released security updates to fix critical problems with their products. Adobe issued patches for Adobe Reader/Acrobat, Flash Player and AIR, while Microsoft pushed nine security updates to address at least 37 security holes in Windows and related software.

Microsoft's recommended patch deployment priority for enterprises, Aug. 2014.

Microsoft’s recommended patch deployment priority for enterprises, Aug. 2014.

Two of the nine update bundles Microsoft released today earned the company’s most-dire “critical” label, meaning the vulnerabilities fixed in the updates can be exploited by bad guys or malware without any help from users. A critical update for Internet Explorer accounts for the bulk of flaws addressed this month, including one that was actively being exploited by attackers prior to today, and another that was already publicly disclosed, according to Microsoft.

Other Microsoft products fixed in today’s release include Windows Media Center, One Note, SQL Server and SharePoint. Check out the Technet roundup here and the Microsoft Bulletin Summary Web page at this link.

There are a couple other important changes from Microsoft this month: The company announced that it will soon begin blocking out-of-date ActiveX controls for Internet Explorer users, and that it will support only the most recent versions of the .NET Framework and IE for each supported operating system (.NET is a programming platform required by a great many third-party Windows applications and is therefore broadly installed).

These changes are both worth mentioning because this month’s patch batch also includes Flash fixes (an ActiveX plugin on IE) and another .NET update. I’ve had difficulties installing large Patch Tuesday packages along with .NET updates, so I try to update them separately. To avoid any complications, I would recommend that Windows users install all other available recommended patches except for the .NET bundle; after installing those updates, restart Windows and then install any pending .NET fixes).

Finally, I should note that Microsoft released a major new version (version 5) of its Enhanced Mitigation Experience Toolkit (EMET), a set of tools designed to protect Windows systems even before new and undiscovered threats against the operating system and third-party software are formally addressed by security updates and antimalware software. I’ll have more on EMET 5.0 in an upcoming blog post (my review of EMET 4 is here) but this is a great tool that can definitely help harden Windows systems from attacks. If you already have EMET installed, you’ll want to remove the previous version and reboot before upgrading to 5.0. Continue reading →


21
May 14

Why You Should Ditch Adobe Shockwave

This author has long advised computer users who have Adobe‘s Shockwave Player installed to junk the product, mainly on the basis that few sites actually require the browser plugin, and because it’s yet another plugin that requires constant updating. But I was positively shocked this week to learn that this software introduces a far more pernicious problem: Turns out, it bundles a component of Adobe Flash that is more than 15 months behind on security updates, and which can be used to backdoor virtually any computer running it.

shockwaveMy re-education on this topic comes courtesy of Will Dormann, a computer security expert who writes threat advisories for Carnegie Mellon University’s CERT. In a recent post on the release of the latest bundle of security updates for Adobe’s Flash player, Dormann commented that Shockwave actually provides its own version of the Flash runtime, and that the latest Shockwave version released by Adobe has none of the recent Flash fixes.

Worse yet, Dormann said, the current version of Shockwave for both Windows and Mac systems lacks any of the Flash security fixes released since January 2013. By my count, Adobe has issued nearly 20 separate security updates for Flash since then, including fixes for several dangerous zero-day vulnerabilities.

“Flash updates can come frequently,  but Shockwave not so much,” Dormann said. “So architecturally,  it’s just flawed to provide its own Flash.”

Dormann said he initially alerted the public to this gaping security hole in 2012 via this advisory, but that he first told Adobe about this lackluster update process back in 2010. Continue reading →


27
Apr 14

Microsoft Warns of Attacks on IE Zero-Day

Microsoft is warning Internet Explorer users about active attacks that attempt to exploit a previously unknown security flaw in every supported version of IE. The vulnerability could be used to silently install malicious software without any help from users, save for perhaps merely browsing to a hacked or malicious site.

In an alert posted on Saturday, Microsoft said it is aware of  “limited, targeted attacks” against the vulnerability (CVE-2014-1776) so far.

Microsoft’s security advisory credits security firm FireEye with discovering the attack. In its own advisory, FireEye says the exploit currently is targeting IE9 through IE11 (although the weakness also is present in all earlier versions of IE going back to IE6), and that it leverages a well-known Flash exploitation technique to bypass security protections on Windows.

ie0daymitigationMicrosoft has not yet issued a stopgap “Fix-It” solution for this vulnerability. For now, it is urging IE users to download and install its Enhanced Mitigation Experience Toolkit (EMET), a free tool that can help beef up security on Windows. Microsoft notes that EMET 3.0 doesn’t mitigate this attack, and that affected users should instead rely on EMET 4.1. I’ve reviewed the basics of EMET here. The latest versions of EMET are available here.

According to information shared by FireEye, the exploit also can be blocked by running Internet Explorer in “Enhanced Protected Mode” configuration and 64-bit process mode, which is available for IE10 and IE11 in the Internet Options settings as shown in the graphic above.

This is the first of many zero-day attacks and vulnerabilities that will never be fixed for Windows XP users. Microsoft last month shipped its final set of updates for XP. Unfortunately, many of the exploit mitigation techniques that EMET brings do not work in XP.


11
Mar 14

Adobe, Microsoft Push Security Updates

Adobe and Microsoft today each released software updates to fix serious security flaws in their products. Adobe pushed an update that plugs a pair of holes in its Flash Player software. Microsoft issued five updates, including one that addresses a zero-day vulnerability in Internet Explorer that attackers have been exploiting of late.

crackedwinMicrosoft’s five bulletins address 23 distinct security weaknesses in Microsoft Windows, Internet Explorer and Silverlight. The Internet Explorer patch is rated critical for virtually all supported versions of IE, and plugs at least 18 security holes, including a severe weakness in IE 9 and 10 that is already being exploited in targeted attacks.

Microsoft notes that the exploits targeting the IE bug seen so far appear to perform a check for the presence of Microsoft’s Enhanced Mitigation Experience Toolkit (EMET); according to Microsoft, the exploits fail to proceed if EMET is detected. I’ve recommended EMET on several occasions, and would encourage any Windows users who haven’t yet deployed this tool to spend a few minutes reading this post and consider taking advantage of it to further harden their systems. The latest version — 4.1 — is available at this link and requires Microsoft’s .NET Framework 4 platform. For those of you who don’t mind beta-testing software, Microsoft has released a preview version of the next generation of EMET — EMET 5.0 Technical Preview.

This month’s updates include a fix for another dangerous bug — deep within the operating system on just about every major version of Windows  — that also was publicly disclosed prior to today’s patches. Microsoft’s Technet Blog has more details on these and other bulletins released today.

Continue reading →


18
Jun 13

Windows Security 101: EMET 4.0

Several years ago, Microsoft released the Enhanced Mitigation Experience Toolkit (EMET), a free tool that can help Windows users beef up the security of third-party applications. This week, Microsoft debuted EMET 4.0, which includes some important new security protections and compatibility fixes for this unobtrusive but effective security tool.

EMET's main window.

The main window of EMET 4.0

First, a quick overview of what EMET does. EMET allows users to force applications to use several key security defenses built into Windows — including Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP). Put very simply, DEP is designed to make it harder to exploit security vulnerabilities on Windows, and ASLR makes it more difficult for exploits and malware to find the specific places in a system’s memory that they need to do their dirty work.

EMET can force a non-Microsoft application to perform ASLR on every component it loads, whether the program wants it or not. Please note that before you install EMET, you’ll need to have Microsoft’s .NET Framwork 4 platform installed. And while EMET does work on Windows XP (Service Pack 3 only), XP users cannot take advantage of mandatory ASLR and a few other notable protections included in this tool.

However, EMET includes several important security features that can help fortify third-party applications on XP. Namely, its “Structured Exception Handler Overwrite Protection,” or SEHOP protection, which guards against the most common technique for exploiting stack overflows on Windows. Microsoft says this mitigation has shipped with Windows ever since Windows Vista Service Pack 1.

In addition to a revised user interface, EMET 4.0 includes a handful of new features that were bundled with the 3.5 tech preview version, such as novel methods of blocking an exploit technique called return-oriented programming (ROP). Attackers can leverage ROP to bypass DEP protections by using snippets of code that are already present in the targeted application.  

One of the much-hyped new capabilities of EMET 4.0 is its “certificate trust” feature, which is designed to block so-called “man-in-the-middle” attacks that leverage counterfeit SSL certificates in the browser. The past few years saw several attacks that impersonated Webmail providers and other top Internet destinations using fraudulent digital certificates obtained by certificate authorities, including Comodo, DigitNotar and Turktrust. This feature is a nice idea, but it seems somewhat clunky to implement, and only works to protect users who browse the Web with Internet Explorer. For tips on configuring and using this feature of EMET, check out this post.

Continue reading →


6
May 13

Zero-Day Exploit Published for IE8

Security experts are warning that a newly discovered vulnerability in Internet Explorer 8 is being actively exploited to break into Microsoft Windows systems. Complicating matters further, computer code that can be used to reliably exploit the flaw is now publicly available online.

IEwarningIn an advisory released May 3, Microsoft said it was investigating reports of a vulnerability in IE8, and that it was aware of attacks that attempt to exploit this bug. The company stresses that other versions of IE — including IE6, 7, 9 and 10 are not affected by the vulnerability. However, all versions of IE8 are vulnerable, including copies running on Windows XP, Vista and Windows 7.

Meanwhile, a new module that exploits this IE8 bug is now available for the Metasploit Framework, a free penetration testing tool. I would expect this exploit or some version of it will soon be rolled into commercial exploit kits that are sold in the cybercrime underground (assuming this has not already happened).

Update, May 9, 9:00 a.m. ET: Microsoft has released a fix-it tool to blunt attacks on this bug. See this story for more information.

Original post:

The security hole has already been leveraged in at least one high-profile attack. Over the weekend, several security vendors reported that the U.S. Department of Labor Web site had been hacked and seeded with code designed to exploit the flaw and download malicious software.

The attack on the Labor Department site is seen as a watering hole attack, which involves the targeted compromise of legitimate websites thought to be of interest to or frequented by end users who belong to organizations that attackers wish to infiltrate. Previous watering hole attacks have targeted the Web site for the Council on Foreign Relations, the Association of Southeast Asian Nations, and the National Democratic Institute.

According to CrowdStrike, the server used to control this latest attack on the Labor Department site was microsoftupdate.ns1.name. The company said analysis of the logs from the attacker’s infrastructure revealed that visitors from 37 different countries browsed the site during the time it was compromised with the malicious code. AlienVault, Invincea and Cisco Systems have published additional details on this attack. AlienVault also said it has since spotted the same exploit used on at least nine other hacked Web sites, including several non-profit groups and a large European company.

Continue reading →


18
Sep 12

Internet Explorer Users: Please Read This

Microsoft is urging Windows users who browse the Web with Internet Explorer to use a free tool called EMET to block attacks against a newly-discovered and unpatched critical security hole in IE versions 7, 8 and 9. But some experts say that advice falls short, and that users can better protect themselves by surfing with an alternative browser until Microsoft issues a proper patch for the vulnerability.

The application page of EMET.

EMET, short for the Enhanced Mitigation Experience Toolkit, is a tool that can help Windows users beef up the security of commonly used applications, whether they are made by a third-party vendor or by Microsoft. EMET allows users to force applications to use one or both of two key security defenses built into Windows Vista and Windows 7 — Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP).

Put very simply, DEP is designed to make it harder to exploit security vulnerabilities on Windows, and ASLR makes it more difficult for exploits and malware to find the specific places in a system’s memory that they need to do their dirty work.

Before I get into the how-tos on EMET, a few caveats. EMET is a great layer of security that Windows users can and should use to enhance the security of applications. But EMET may not block the exploit code now publicly available through the Metasploit framework. In fact, Tod Beardlsey, an engineering manager with Rapid7, the security firm that manages Metasploit, told The Associated Press that EMET does not appear to be completely effective against this exploit.

I asked Metasploit founder HD Moore what he thought was the best way to block this exploit, and he pointed out that the exploit available through Metasploit requires the presence of Java on the host machine in order to execute properly on IE 8/9 on Windows 7 and Vista systems (the exploit works fine without Java against IE7 on XP/Vista and IE8 on XP). Obviously, while the lack of Java on a Windows machine may not prevent other exploits against this flaw, it is a great first start. I have consistently urged computer users of all stripes to uninstall Java if they have no specific use for it.

Continue reading →