EMET (Enhanced Mitigation Experience Toolkit)

Discussion in 'other anti-malware software' started by luciddream, Apr 1, 2013.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Yeah, I read that yesterday before it posted my reply. From it, I decided that FF users are adequately protected w/o EMET but up to each one to decide for themselves. Also if I were trying to exploit it, my target would be the plug-in container since that is where the browser interface is.

Below are excerpts from it. Note: If you're still running XP, you probably should protect FlashPlayerPlugin_*.exe under EMET:

    The first process under the Firefox instance is called “plugin-container.exe.” Firefox has run plugins in this separate process for quite some time, and we did not want to re-architect that implementation. With this design, the plugin container itself is only a thin shim that allows us to proxy NPAPI requests to the browser. We also use this process as our launching point for creating the broker process. Forking the broker as a separate process allows us to be independent of the browser and gives us the freedom to restrict the broker process in the future. From the broker process, we will launch the fully sandboxed process. The sandboxed process has significant restrictions applied to it. It is within the sandbox process that the Flash Player engine consumes and renders Web content.

    The restrictions we apply to this sandboxed process come from the Windows OS. Windows Vista and Windows 7 provide the tools necessary to properly sandbox a process. For the Adobe Reader and Acrobat sandbox implementation introduced in 2010, Adobe spent significant engineering effort trying to approximate those same controls on Windows XP. Today, with Windows 8 just around the corner and Windows XP usage rapidly decreasing, it did not make sense for the Flash Player team to make that same engineering investment for Windows XP. Therefore, we’ve focused on making Protected Mode for Firefox available on Windows Vista and later.

    For those operating systems, we take advantage of three major classes of controls:

    The first control is that we run the sandboxed process at low integrity.

    The second class of controls applied to the sandboxed process is to restrict the capabilities of the access token.

The third control applied to the sandboxed process is job restrictions.

    More information on job limits, privilege restrictions and UIPI can be found in
    Part 2 of Inside Adobe Reader Protected Mode.

    Once you get past OS-provided controls, the next layer of defense is Flash Player broker controls.
     
  2. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
True, but Firefox's Flash Sandbox is not that good:
    http://www.insanitybit.com/2012/08/...aring-ppapi-flash-to-firefox-flash-sandbox-8/
Also, I don't have a link, but I remember reading recently that most 0-day Flash exploits in the past could bypass Firefox's Flash Sandbox.

    Good idea.
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
Yep. Looks like there have been a few, including that nasty one last Feb.

So I guess we will have to wait for Kafeine or someone like him to test Firefox with the plug-in protected under EMET. I know from his blog, he did test IE using the Feb. exploit and EMET stopped it dead in its tracks using default EMET iexplore.exe protections. Maybe people are better off dumping Firefox for Chrome or IE. :thumb:
     
  4. reldel

    reldel Registered Member

    Joined:
    Aug 14, 2007
    Posts:
    27
    Location:
    Felton, DE, USA
    Note that today EMET 5.2 was re-issued and current download of EMET seems to fix problems some had with IE 11 on Windows 8.1. No documentation for the change appears on http://blogs.technet.com/b/srd/archive/2015/03/12/emet-5-2-is-available.aspx site and no new version number has been given. Only states 5.2 has been re-issued.
     
  5. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Maybe. But before the end of the year, Firefox is expected to utilize Chromium's sandbox. Quite literally, I believe, as they are using Chromium's sandbox source code from my understanding. I haven't used Firefox for a few years though, but it should be more secure once that is implemented.
     
  6. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
The difference between the initial release and today's release is nothing regarding the files it extracts. The EMET installer has changed, but none of the files are different. Therefore it seems the only thing changed is what it does upon installing.
     
  7. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    The initial 5.2 release reportedly caused crashes with IE 11, now the re-issued 5.2 release reportedly causes crashes with Chrome. The blog doesn't show any real details for the re-issued release.

5.2.5546.19547 is the version number displayed in the GUI - About for the initial release. It is working great for me and I am hesitant to install the re-issued release.

Can someone running the re-issued release confirm the version number? The re-issued .msi shows an updated digital signature, but no version number.

    EDIT: Thank you, Phant0m. Sorry, I didn't see your post until after I finished mine.
     
  8. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From EMET 5.2 is available (update):
     
  9. KaptainBug

    KaptainBug Registered Member

    Joined:
    Dec 26, 2013
    Posts:
    480
IE under SBIE is protected by EMET whereas Firefox under SBIE is not protected? Is this just me, or is that how it is?
     
    Last edited: Mar 17, 2015
  10. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
Maybe I'm just unlucky, but I'm unable to download the 5.2 update o_O...
     
  11. Paranoya

    Paranoya Registered Member

    Joined:
    Nov 4, 2013
    Posts:
    59
    It's a known issue. The solution is to force FF to start sandboxed, or launch FF through cmd or explorer. Example:

    "C:\Program Files\Sandboxie\Start.exe" explorer.exe "C:\Program Files\Mozilla Firefox\firefox.exe"

If you get a slow FF start it's because of the EAF+ module xul.dll for firefox.exe in EMET. You can remove it if you want, but I believe the EMET developers have put it there for a good reason ;)
     
  12. Paranoya

    Paranoya Registered Member

    Joined:
    Nov 4, 2013
    Posts:
    59
@Cutting_Edgetech Don't know if you saw this post a few months ago? Your EMET problems sound a lot like the ones I once had. But when I excluded the conflicting apps from real-time scanning in my AV (F-Secure), EMET started working perfectly. Now I don't have to disable any mitigations at all in EMET, as it should be :)
     
  13. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
It would be a very bad idea to exclude those applications from AV scanning. That would be like opening the door and inviting the bad guys to come in.
     
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Just installed Eset SS 8 yesterday with EMET installed and running at time of installation. No conflicts with Eset SS and EMET to date.

What was very interesting is how the Eset installer shut down EMET during the installation. As mentioned previously, it does bother me that EMET has no self-protection against being disabled.
     
  15. KaptainBug

    KaptainBug Registered Member

    Joined:
    Dec 26, 2013
    Posts:
    480
Thank you. I don't have any startup issue with FF. In fact it's much quicker now than it was with MBAE.
     
  16. focus

    focus Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    503
    Location:
    USA
Latest version of 5.2 on W7x64. IE 11 will not work properly until EAF is disabled, then fine. Firefox 36.0.1 has a 20 second startup unless EAF+ is unchecked; I left it checked and live with the slow startup, it runs perfectly after. Flash added as a separate entry with no problems. Both browsers in forced Sandboxie boxes.
     
  17. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
Is there someone who successfully downloaded u2?
The links, in fact, appear broken...
     
  18. focus

    focus Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    503
    Location:
    USA
    Yes. I was confused as there is no version increment on the file, just 5.2. The digital signatures have changed however, one is March 11, the other March 16.
     
  19. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    ok, then i'm unlucky! :p

    Edit ---------------------
    problem solved
     
    Last edited: Mar 17, 2015
  20. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,857
    Location:
    the Netherlands
    Did you use and do this?
    http://blogs.technet.com/b/srd/archive/2015/03/12/emet-5-2-is-available.aspx
    -> http://aka.ms/emet52
    --> https://www.microsoft.com/en-us/download/details.aspx?id=46366
    ---> click Download\ check EMET 5.2 Setup.msi\ click Next
    ----> Now you get a pop-up that you need to allow. N.B. Did you allow the pop-up?
    -----> Now the download should be offered.

    Edit:
    Oh. Good.
     
  21. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    ehm, it was the culprit :gack: :D


    No problem to report so far with this build (5.2u2, 8.1)
     
  22. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
As I previously posted in this topic, post #1056. The difference between the initial 5.2 (March 11th) release and the March 16th release is nothing in regards to the files it extracts. The EMET installer has changed, yes, however none of the files it extracts ........ are different. Therefore it seems the only thing changed is what it does upon installing (... like maybe to the registry.)


    It would be more like 5.2 Update 1 (5.2u1), or more of a revised edition (5.2r1). ;)



    Updated: The manual extraction process kept leaving out the EMET SHIM modules.
    MSIEXEC /a "EMET 5.2 Setup_[16-03-15].msi" /qb TARGETDIR="C:\EMET 5.2 Setup_[16-03-15]\"

    Curious. :isay:

    ---
    Regards to EMET64.dll
    023a0c9cb36d32ee0a14137d9efd3154 v5.2.0.1 (March 16th)
    6567cc4b26674bb028db3ef3a75c19e7 v5.2.0.0 (March 11th)
     
    Last edited: Mar 18, 2015
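The comparison described in the post above (extract both MSI releases with an administrative install and check whether the laid-out files differ) as an added PowerShell example; this is not code from the thread or from Microsoft. The two .msi paths and the working folder are placeholders, and the script reports per-file hashes and PE file versions so a difference like the EMET64.dll one listed above would show up:

```powershell
# Added example (not from the thread): compare the files two MSI releases lay out.
# All three paths are placeholders; point them at the downloaded installers.
$OldMsi = 'C:\Downloads\EMET 5.2 Setup_[11-03-15].msi'   # placeholder
$NewMsi = 'C:\Downloads\EMET 5.2 Setup_[16-03-15].msi'   # placeholder
$Work   = 'C:\EMET-compare'                               # placeholder

function Expand-MsiAdmin {
    param([string]$Msi, [string]$TargetDir)
    New-Item -ItemType Directory -Force -Path $TargetDir | Out-Null
    # msiexec /a performs an administrative install: it writes the files in the
    # MSI's File table to TARGETDIR without registering anything on this machine.
    # Caveat: files dropped by custom actions and any registry changes are not
    # captured, which is one reason an extracted tree can miss components.
    $msiArgs = @('/a', "`"$Msi`"", '/qb', "TARGETDIR=`"$TargetDir`"")
    $p = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
    if ($p.ExitCode -ne 0) { throw "msiexec failed for $Msi (exit $($p.ExitCode))" }
}

function Get-FileInventory {
    param([string]$Root)
    # One record per extracted file: SHA-256, MD5 (as quoted in the thread) and
    # the PE file version, keyed by the path relative to the extraction root.
    $table = @{}
    Get-ChildItem -Path $Root -Recurse -File | ForEach-Object {
        $rel = $_.FullName.Substring($Root.Length).TrimStart('\')
        $table[$rel] = [pscustomobject]@{
            Sha256  = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            Md5     = (Get-FileHash -Path $_.FullName -Algorithm MD5).Hash
            Version = $_.VersionInfo.FileVersion
        }
    }
    return $table
}

Expand-MsiAdmin -Msi $OldMsi -TargetDir "$Work\old"
Expand-MsiAdmin -Msi $NewMsi -TargetDir "$Work\new"
$old = Get-FileInventory -Root "$Work\old"
$new = Get-FileInventory -Root "$Work\new"

# Report files present in only one release, and files whose content changed.
foreach ($rel in (@($old.Keys) + @($new.Keys) | Sort-Object -Unique)) {
    if (-not $new.ContainsKey($rel)) { "only in old release: $rel"; continue }
    if (-not $old.ContainsKey($rel)) { "only in new release: $rel"; continue }
    if ($old[$rel].Sha256 -ne $new[$rel].Sha256) {
        "changed: $rel  $($old[$rel].Version) -> $($new[$rel].Version)"
        "   md5 $($old[$rel].Md5) -> $($new[$rel].Md5)"
    }
}
```

Because an administrative install skips custom actions, an empty diff here only means the packaged files are identical; it says nothing about registry or configuration changes the installer makes at install time.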
  23. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I went over to Microsoft today, and created myself a Microsoft Connect account so I could report bugs for EMET. I would recommend anyone else that likes to use EMET to do the same so you can help improve the quality of EMET. I'm sure some of you already have accounts from testing EMET, and Microsoft OS's. You can create an account at hxxps://connect.microsoft.com/
     
  24. 142395

    142395 Guest

Yup, I have and recommend it too. Apparently MS have priorities for bug fixes or feature requests, and minor applications are not much cared about. But if many ppl request it, they may consider it.
     
  25. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I tried with Firefox, and could not download it. I had to use Internet Explorer.
     