Malwarebytes Anti-Exploit

Discussion in 'other anti-malware software' started by ZeroVulnLabs, Oct 15, 2013.

  1. harshisthere

    harshisthere Registered Member

    You are using XP and outdated Internet Explorer and without updates. This also suggests that you are using outdated Java because the Java which was being exploited is before JRE 7 build 23 or 26. You are using outdated EMET and the guys at Bromium who you gave no credit for finding it have made it clear that EMET 5 will be launched this week which will fix this issue. The bypass was targeted by professional white hats, whereas your software was bypassed within weeks of launch. I think you should not try to make it look like you are better than EMET when both the products are different.
     
  2. Rasheed187

    Rasheed187 Registered Member

    @ ZeroVulnLabs

    Thanks for replying on this, so basically you're saying that the comparison isn't entirely correct?

    I must say that I really hope the GUI will become better and that you will add extra protection. :)

    Btw, at the moment IE 11 crashes on my Win 8.1 64 bit system when MBAE is enabled. :doubt:
     
  3. ky331

    ky331 Registered Member

    "Related" news (take it for whatever it's worth)... I'm mentioning it here, since many of us are trying to use EMET in conjunction with MBAE.

    EMET 5.0 Tech Preview has been released: http://blogs.technet.com/b/msrc/arc...ience-toolkit-emet-5-0-technical-preview.aspx

    EMET 5.0 Tech Preview release includes new functionality and updates, such as:
    - Attack Surface Reduction.
    - EAF+.
    - Enable the “Deep Hooks” mitigation setting by default.
    - Addressed several application-compatibility enhancements.


    Note: EMET 5.0 Tech Preview requires .NET Framework 4;
    and in order to protect Internet Explorer 10 on Windows 8 you need to install KB2790907 – a mandatory AppCompat update that has been released on March 12th.


    Download http://www.microsoft.com/en-us/download/details.aspx?id=41963
     
  4. vojta

    vojta Registered Member

    Only that MBAE has not been launched yet, right now there is a beta and an alpha version being tested. So, if someone bypassed the first public beta that was made available (I guess that's the version you are mentioning here), they were bypassing just a limited program, compared to what it is right now.

    By the way, congratulations for your ability to detect outdated software in other people's machines on the other side of the world, I reckon that your second name must be Secunia.
     
  5. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    You mean outdated as in like the vast majority of non-techie users out there?

    I don't know if you actually read my post above, but I was talking about EMET not being appropriate protection for Java and other sandbox escapes. That screenshot was taken last week using the latest EMET 4.1. Once the EMET memory protections are bypassed it's game over. MBAE, in addition to memory protections, also includes a layer of application behavior protections which protect against stuff that does/might bypass EMET.

    You mean version 0.07 of ExploitShield? We're now at 0.10 and things have changed quite a bit since then. Give it a try and pit both EMET and MBAE against your typical exploit kits which are circulating in the wild and let me know your results.

    You are either omitting information or misquoting me. I've always been a very positive proponent of EMET as it's a great piece of software. But the techniques we use in MBAE are different and in some cases more proactive and generic in nature. In fact if you were listening you'd see that we've always said that having both EMET and MBAE is better than having either one or the other.
     
  6. harshisthere

    harshisthere Registered Member

    I am skeptical about MBAE because no one has till now made a recommendation that it works. The ones like FireEye or Bromium and others who expose so many exploits all recommend EMET.
     
  7. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    MBAE, in addition to the memory protections similar to those found in EMET (and some not found in EMET) also has a different layer of application behavior protection which has been proven time and again in stopping memory protection bypasses and sandbox escapes as in the typical Java exploits found ITW which bypass even EMET 4.1 (haven't looked at the default install of EMET 5.0 yet). In this particular scenario it would likely prevent the payload from running after all the memory protections have been bypassed.

    But as others have said above, MBAE is still beta and we continue developing, adding new techniques with every new beta version that is released, and we have bigger plans for it in the near future which prevent the limitations inherent in userland protections. Due to that we don't have time to spend on researching bypasses for EMET and other popular applications, but once we get closer to release I hope we'll be able to dedicate some resources to that as well.
     
  8. harshisthere

    harshisthere Registered Member

    I have no doubt that it can protect from 0-days. I think users will get assurance when it can survive targeted attacks. The recent example where Flash in IE8 was being targeted and the attack avoided systems with EMET is a good indication that EMET is making it tough for hackers. If MBAE can survive targeted attacks then it will be nice.
     
  9. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    In my book that actually counts as a negative. If the attacker can remotely fingerprint what type of exploit mitigation is installed on the target it means they can deliver a custom exploit to bypass it and/or skip the system and attack other corporate systems, thereby keeping their attack stealthier and more undetected as opposed to if all systems were attacked similarly without previous knowledge of the endpoint defenses.
     
  10. SLE

    SLE Registered Member

    Quite a bit unfair, don't you think? Use a modern OS and enable per-process mitigation for Java files ;-)
     
  11. vojta

    vojta Registered Member

    Well, this is about protecting people, not about winning the anti-exploit Olympics in a fair competition. XP is still the second most used OS, many professionals (audio, video, businesses, etc.) simply don't want to change or replace a working system. That's my case, for example.
     
  12. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    That particular Java exploit would have bypassed EMET on a modern OS as well. It was tested with EMET 4.1 with the default install, which does come with mitigation enabled for Java processes.

    But that's all non-important now since EMET 5.0 is here and looks very promising.
     
  13. SLE

    SLE Registered Member

    A bit strange that Process Explorer shows java.exe running but the EMET GUI does not show it under running processes on your screenshot.

    But you are right, not important after all: old EMET, old IE, old OS...
     
  14. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    It was a default install so all Java mitigations were in place. Maybe I took the screenshot before the EMET GUI refreshed its green icon.
     
  15. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    That's what it was... just got it to bypass EMET 4.1 again and hit refresh and now it shows it.
     
  16. SLE

    SLE Registered Member

    It's ok and I believe you. But irrelevant after all, as you stated. There is IMO no need to try to prove anything good or bad for EMET under the following conditions:
    - old OS, where most features of EMET just don't work
    - default settings, 'cause EMET is no install-and-forget solution
    - VMs can be critical

    If you say this exploit bypassed (which is an unclear expression at all for that kind of software) EMET even on a current OS version, that is an issue to report. But then your first action should have been to show THIS.

    But it's ok for now. This thread is about your software, for which I wish you good luck :)
     
  17. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    I don't quite agree. The number of people who have the latest OS completely up-to-date with all updates and patches for all their third-party apps is in the low percentiles. There was a stat circulating around last week that said around 20% of the world is still on XP.
     
  18. Thankful

    Thankful Savings Monitor

    Pedro,
    Got the following error when opening IE 11. I have received this error before.
    Running MBAE 09.5.1000, NOD32 7.0.302.26, Firefox 27.0.1.
    Windows 7 32 bit
     

  19. puff-m-d

    puff-m-d Registered Member

  20. Thankful

    Thankful Savings Monitor

    @puff-m-d,
    I picked up the new version.
    Thank you for your help.
     
  21. puff-m-d

    puff-m-d Registered Member

    Hello Thankful,

    No problem :D as you are most welcome ;) ...
     
  22. harshisthere

    harshisthere Registered Member

  23. Thankful

    Thankful Savings Monitor

    There are too many versions of MBAE floating around. Put the most current version on the Malwarebytes website.
    Showing 8 blocked exploit attempts, which is not correct, with version 0.10.0.0300. Hard to know where to look for known issues with so many versions floating around.
     
    Last edited: Mar 1, 2014
  24. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    There's a couple of 0.10 builds in the forum to help us detect things like the one you reported before we publish the final 0.10.0.1000 build for everyone, which will most likely happen next week.
     
  25. Q Section

    Q Section Registered Member

    Regarding Adobe Flash as used by browsers - is MBAE currently supposed to offer protection against Flash exploits and if not is it planned to protect once the regular version is out?

    Also does MBAE protect Chrome and Firefox variants as well by default if they are installed on the computer?

    Thank you and best regards on your efforts
     