EMET (Enhanced Mitigation Experience Toolkit)

Discussion in 'other anti-malware software' started by luciddream, Apr 1, 2013.

  1. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
Thanks 142395. I posted to the HTTPSB thread before I saw your post. I hope it is no more sinister than what you told me. I am always paranoid these days, for reasons I'd rather not speak more about :)

rm22: If you import the Popular Software profile, you will have settings for Skype too. It has EAF already disabled. I have not tested Skype as I seldom use it and consider it may even be a security risk.
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
It does not matter that you don't use MBAE; the point is that only certain apps that are known to be targeted should be protected. The only way to exploit KeePass is to trick you into opening a booby-trapped password database file. But why would you open anything other than your own password database?
     
  3. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Microsoft EMET - Armor Against Zero-Days Bypassed Again
    New methods make it possible to circumvent protection mechanisms of Microsoft EMET 5.0
    http://www.prnewswire.com/news-rele...ainst-zero-days-bypassed-again-280655272.html

    The EMET (Enhanced Mitigation Experience Toolkit) tool developed by Microsoft (NASDAQ: MSFT) makes it possible for administrators and end users to retroactively equip applications with additional protection mechanisms. This enhanced protection is intended to prevent various attack techniques that are currently used by cyber attackers.

    Security expert René Freingruber of the SEC Consult Vulnerability Lab has developed numerous methods to get around the basic protection mechanisms of EMET in all currently available versions [1]. If a cyber attacker were to use these new bypass methods, serious attacks could be carried out. A software product protected with EMET as a workaround affected by a critical zero-day vulnerability could, for example, fall under the control of attackers.

    Microsoft was informed of this by SEC Consult and is working on an improvement to the protection methods.

    The experts of the SEC Consult Vulnerability Lab advise you to not view EMET as an unbeatable protection measure, because the tool can definitely be bypassed with the help of newly discovered methods.

    SEC Consult considers it as necessary for software manufacturers to make the development of applications more secure and to regularly test their software extensively for application security.

    [1] SEC Consult Proof of Concept Video: http://youtu.be/TuBQnvnKKHY
     
    Last edited by a moderator: Oct 28, 2014
  4. 142395

    142395 Guest

There are other ways to exploit KeePass, as I illustrated in #766, though I haven't used the Windows version of KeePass so I don't know whether it performs online updates.

@WildByDesign
Thank you for the valuable info!
I hope MS takes it seriously, and it's very good that a third-party researcher examined EMET and reported its weaknesses, which is an advantage that MBAE and HMPA currently don't have.
     
  5. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    357
    Location:
    Canada
Thanks for the feedback, guys. When I install EMET 5 again I'll try with hardened mode off in Avast and HIPS disabled in OA and see if that fixes things.

Thanks for the reply. Good, this is what I had done: added skype.exe and then launched it to test, and noticed skypebrowserhost.exe was running but not protected by EMET. I quit Skype, added skypebrowserhost to EMET and relaunched, but after many launches skypebrowserhost.exe is not running, so I deleted the rule for it in EMET. It still isn't running... so who knows if it worked or not!

The updater runs as a service so I can't check it in the process list...
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    What you described is not related to "memory corruption" exploits. Most of the time, "memory corruption" can only be achieved by making a targeted app open a booby-trapped file. That's why browsers, document readers and media players are mostly targeted.
     
  7. 142395

    142395 Guest

Why not?
Actually many local exploits involve memory corruption.
Or maybe you missed the point.
When there's malware on the system, it can modify user files.
So let's assume the malware modified KeePass' database file, ah, I know it is encrypted so maybe its header, without affecting its function.
(I don't know much about how exactly KeePass works so I can well be wrong, but KeePass is just an example. What matters is whether adding remotely-unexploitable apps to EMET protection makes sense, regardless of how much―I again say, it's little and can be called negligible, but it still does.)

Then when the user opens the modified file (or, if it's already established remotely, does that) it causes memory corruption.
I don't think exploiting KeePass brings privilege escalation unless it registers and uses a service, but since it contains a lot of sensitive info, it still might be worth doing.
The attacker may get all sensitive info without waiting for the user to input all of it (I suppose keylogging is useless if the user uses KeePass, so malware can't get sensitive info that way. Well, though there are other ways such as DLL injection).

Of course we'll never see such an attack.
Simply, it's too complicated for just a common attack, and for novices, tricking them usually works very well.
But as long as adding those apps to EMET doesn't cause conflicts or performance issues, it's just his choice.
What one considers a threat varies by person; one might look at ITW threats, another at theoretical but possible threats.

Maybe I don't need to explain about exploits through malicious updates, but honestly I can't see much benefit in this compared to just sending a malware version of the app.
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
That's exactly my point. I don't know why you even bother to come up with these "exotic attack" scenarios. Of course people can apply "exploit mitigations" to every single app; I'm just saying that it does not make a whole lot of sense.
     
  9. 142395

    142395 Guest

Because it's my liking! :D lol
But actually such a paranoid proactive approach might make a little sense for some people (maybe 1 per 100,000,000 lol), as targeted attacks not only target corporate users or VIPs.
Recently criminals are shifting toward subordinates, secretaries, or other related people rather than the executive or VIP itself.
This is why Eugene Kaspersky says this:
http://blog.kaspersky.com/introducing-zeta-your-protection-from-advanced-attacks/
I also know of one case where someone who happened to have a valuable Twitter account was targeted, though in this case malware was not used; instead highly sophisticated social engineering was used.

Note, post-infection security is also important these days, though it is a separate story from how good EMET is for that purpose.
If it's not important, why do people care about the BEAST, CRIME and POODLE attacks?
Those attacks only occur when the attacker has already intruded successfully.
     
  10. harshisthere

    harshisthere Registered Member

    Joined:
    Aug 8, 2011
    Posts:
    84
What are the EAF+ and ASR modules one should add in EMET for Chrome?
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
  12. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    There are none reported in the EMET manual or Protection Profiles. Although I am curious if anyone adds anything there or not for Chrome as well.
     
  13. VectorFool

    VectorFool Registered Member

    Joined:
    Oct 21, 2012
    Posts:
    280
    Location:
    India
Is EMET 5.0 incompatible with Comodo Firewall v7?
EMET was working beautifully alongside Online Armor Firewall in protecting my browsers (Chrome, Internet Explorer).
But when I installed Comodo Firewall, the browsers were locked by EMET and they refused to start up.
     
  14. 142395

    142395 Guest

Maybe the Java components if you have Java, like this:
npjp*.dll;npdeploytk.dll;npdeployJava*.dll;npoji*.dll;npt.dll

I've not looked into Chrome modules so I can't help much, but you can add modules that are unneeded and/or were exploited in the past.
FYI, I added these for AcroRd32.exe:
ExtendScript.dll;rt3d.dll;ScCore.dll;A3DUtils.dll;NPSWF32.dll;Acrofx32.dll;authplay.dll
     
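As an added illustration (not code from the thread or from EMET itself), this PowerShell snippet takes a module list in the semicolon-separated, wildcard-capable format quoted above and reports which of those DLLs are actually loaded in a running process, which helps decide whether an EAF+/ASR entry is doing anything for that app. The process name and the Acrobat Reader list come from the post; the function name and everything else are assumptions.

```powershell
# Added example: check which entries of an EMET-style module list are
# currently loaded in a process. Run from an elevated PowerShell whose
# bitness matches the target process, otherwise .Modules may fail.

function Get-EmetModuleCoverage {
    param(
        [Parameter(Mandatory)] [string] $ProcessName,   # e.g. 'AcroRd32'
        [Parameter(Mandatory)] [string] $ModuleList     # 'a.dll;b*.dll'
    )
    # Split the EMET list format: entries separated by ';', '*' wildcards allowed.
    $patterns = $ModuleList -split ';' | ForEach-Object { $_.Trim() } |
        Where-Object { $_ -ne '' }

    # Collect the unique module names loaded by every instance of the process.
    $loaded = Get-Process -Name $ProcessName -ErrorAction Stop |
        ForEach-Object { $_.Modules } |
        ForEach-Object { $_.ModuleName } |
        Sort-Object -Unique

    foreach ($pattern in $patterns) {
        # -like performs the same kind of wildcard match as the list syntax.
        $hits = @($loaded | Where-Object { $_ -like $pattern })
        [pscustomobject]@{
            Pattern = $pattern
            Loaded  = ($hits.Count -gt 0)
            Matches = ($hits -join ', ')
        }
    }
}

# Acrobat Reader module list as quoted in the post above (constructed input).
$acrobatModules = 'ExtendScript.dll;rt3d.dll;ScCore.dll;A3DUtils.dll;NPSWF32.dll;Acrofx32.dll;authplay.dll'
Get-EmetModuleCoverage -ProcessName 'AcroRd32' -ModuleList $acrobatModules |
    Format-Table -AutoSize
```

An entry reported as not loaded is not necessarily useless: EMET applies the rule when that DLL is later loaded (for example when a PDF uses a given plug-in), so the output tells you what is protected right now, not what can never be.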
  15. 142395

    142395 Guest

You can say little, but you can't say none.
I'll never be targeted and maybe you won't either, but that can't be applied to everyone.
In a targeted attack, it's very common that the attacker, once intruded, tries local exploits.

ZETA Shield is an advanced scanner designed to detect highly disguised threats often concealed in documents, while EMET is for raising the hurdle for an exploit to succeed.

IMO it's a great advance that Kaspersky added that to the consumer world, as major AVs can detect only about 20% of the document threats used in targeted attacks, according to two papers.
I'm currently not using Kaspersky so instead I'm using OfficeMalScanner.
     
  16. 142395

    142395 Guest

  17. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    CIS + EMET 5.0 (and 4.0+ as well) get along nicely on my office PC, but the same combo starts dragging my other PC after a while.
     
  18. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
I also put TinyWall.exe under EMET 5. I notice no dysfunction from that, and perhaps that's to be expected as it controls the Windows firewall and has no HIPS. It might not be much of an exploit subject, though I have disabled TW itself from connecting to the internet. That connection is used, I think, for updating the MVPS hosts file and also for program updates. I am not using them. Also my wireless mouse program works just fine under EMET.

Has anyone given Sandboxie processes or AppGuard EMET rules? I suspect it would not be so good, especially in Sandboxie's case, so I am not willing to try myself without some advice that it is OK to do.
     
  19. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517
Interesting input, thanks. But I don't use third-party security software such as firewalls, AV, HIPS etc. That makes it doubly weird to me. ^^
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    That ZETA thing is nice, because it scans documents before you open them, which is cool, but anti-exploit apps should also be able to stop the attack. About the "does it make sense to protect every app" discussion, read this:

    http://www.howtogeek.com/191230/6-advanced-tips-for-securing-the-applications-on-your-pc-with-emet/

    From the article:

    "You’ll probably want to lock down specific applications instead of your entire system. Focus on the applications most likely to be compromised. This means web browsers, browser plug-ins, chat programs, and any other software that communicates with the Internet or opens downloaded files. Low-level system services and applications that run offline without opening any downloaded files are less at risk. If you have some important business application — perhaps one that access the Internet — it may be the application you want to secure the most."
     
  21. 142395

    142395 Guest

Anti-exploit may stop them, or may not.
In an APT scenario you should keep the assumption that those AE will be bypassed.
And since those two technologies work at different levels, there's no reason not to combine them, but one problem is that currently only Kaspersky gives such a function to home users, and OfficeMalScanner, PDF Examiner, etc. are not so user-friendly.

That writer of course doesn't take into account such an advanced attack as I mentioned. I don't even trust How-To Geek much, as they showed their lack of knowledge in some aspects when they claimed "avast is spying on you".
But that's off topic, and even MS itself recommends adding only the most frequently exploited applications.

So I emphasized "if it doesn't cause conflicts or performance issues", but I had to add one more: it only makes sense if there's no other more easily exploitable point.

Basically EMET itself is not for post-infection security, so what I mentioned makes a little sense only when it is combined with other good measures to make post-infection activity harder.

I don't know how native English speakers use the words 'no sense', but if it means '0 sense', then I just wanted to say there's an undeniable border between 0 and 0.00000...00001. If not, sorry, it's my bad (lack of English experience).

[EDIT:]
Replaced 'intrusion' with 'post-infection activity' to avoid being taken as initial intrusion.
     
    Last edited by a moderator: Nov 4, 2014
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
With "no sense" I mean: you have to look at how likely it is for some app to get targeted. For example, password managers and desktop search tools are no target, because it would be hard to exploit them from "remote". Of course it's true that in theory, every app can be exploited.
     
  23. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
    Those are SSL/TLS attacks and are aimed at your traffic, no intrusion is necessary.
     
  24. 142395

    142395 Guest

No, to perform e.g. BEAST, the attacker has to be able to send any characters he wants from the victim machine.
It is only possible e.g. when the attacker has already intruded via a code-execution vulnerability.
     
  25. 142395

    142395 Guest

    Then, I think we don't have conflict about this.
     