Latest EMET bypass targets WOW64 Windows subsystem

Discussion in 'other anti-malware software' started by Minimalist, Nov 2, 2015.

  1. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,043
    https://threatpost.com/latest-emet-bypass-targets-wow64-windows-subsystem
     
  2. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,060
    Location:
    Netherlands
    The reasons I downgraded from 64 bits Vista to 32 bits long ago: it seemed a useless increase of attack surface with so little 64 bits applications available (at that time). Also the disk access was 32bits so system bus was a 32 bits bottleneck also.

    When I ran 32 bits OS I discovered an performance increase of my cheap dual core pentium (maybe because the small secondary cache doubled in capacity by reducing the register size by half?).
     
  3. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    331
    They are doing things way too difficult. For 32-bit processes easier methods for bypassing EMET's anti-ROP mitigations exist.
    Furthermore, I don't know whether EAF+ is actually active in there exploit demo (even though its box is checked). If I look at the default flash exploitation framework of MSF then I do not see any code that allows for an EAF+ bypass.
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    As long as your using a x64 browser on a x64 OS, you should be fine.

    The soft spot, the researchers said, is the Windows on Windows, or WoW64, Windows subsystem that allows 32-bit software to run on 64-bit Windows machines. A sizeable sample of Duo customers shows some disturbing numbers in terms of vulnerable users. For example, 80 percent of browsers in the researchers’ sample size were 32-bit processes executing on a 64-bit host running WOW64, putting them all at risk.
     
  5. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,043
    @Windows_Security
    I would gladly downgrade from 64bit to 32bit just to use Windows Defender again. But I just don't want to throw away 12 GB of my RAM :)
     
  6. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,060
    Location:
    Netherlands
    Have you checked how many times, you post "there are easier ways to exploit/bypass etc ...." (often followed with "not to be discussed here")

    Maybe you should put your money where your mouth is and show the researchers of Duo Security (a bunch of amateurs apparently) how it is done

    :blink:
     
  7. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,060
    Location:
    Netherlands
    Can understand that, just running a G3240 Pentium with 4GB RAM (of which 3.4 usable. but memory usage never peaks over 1.7 GB as far as I know)
     
  8. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    829
    Location:
    UK
    Maybe a hips company can use this to strengthen their security?
     
  9. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,459
    @Windows_Security

    See what itman says above. The problem is 32-bit apps on 64-bit Windows.

    Note, browsers and other vulnerable programs should really be 64-bit native binaries where possible. The much larger address space makes some attacks more difficult.

    Edit: @Minimalist

    Why on Earth would you want to use Windows Defender?!:eek:
     
  10. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,709
    I'm not Minimalist but why not? It may not be the "best" but is actually pretty decent coupled with an up-to-date system.
     
  11. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497
    And the reason I never upgraded to 64-bit in the first place, especially the latter part (so little 64-bit support). The only reason to ever have that much RAM (i.e. 16 GB) is for modern PC gaming. If you're just using your box for normal use it's pointless. You'll never use that much.

    I have a setup that uses 16 GB of RAM just for gaming on Win7 Ult. x64, with a Core i5 CPU. When I go back to using my Inspiron 530 using x86 XP Pro w/ 3.25 (readable) RAM and a Core 2 Duo CPU it blows it out of the water.
     
  12. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497
    I actually found that it's lighter on my Win7 Ult. x86 setup to just disable Windows Defender and use Emsisoft AM. And it's certainly more dependable.
     
  13. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,459
    @safeguy My own experience is that Defender generates very large amounts of disk I/O on Windows 7.

    If you do software development, web design, systems administration, etc. it's useful for virtualization. Generally agreed though, most users do not need that much RAM.
     
  14. TS4H

    TS4H Registered Member

    Joined:
    Nov 5, 2013
    Posts:
    512
    Location:
    Australia
    Maybe he means Malware Defender? o_O as its only win 32bit capable.
     
  15. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,043
    Yes you're right. I'm sorry for wrong naming. Malware Defender is the one I would really want to use :) Windows Defender - no thanks.
     
  16. TS4H

    TS4H Registered Member

    Joined:
    Nov 5, 2013
    Posts:
    512
    Location:
    Australia
    haha lol. I had a feeling. You have always favored HIPS software :thumb:. I was wondering why a sane person would want to revert to 32 bit just to run Windows Defender lol. :argh:
     
  17. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,060
    Location:
    Netherlands
    (1) Yes, very little 64 bits programs existed when Vista 64 bits was launched. Ridiculous attack surface duplication still exists in latest 64 bits Wndows OS-ses. On 32 bits OS you only have to block a few 16bits backward compatibility programs and your done.

    (2) Do you define vulnarable as internet facing (A) or processing rich content (B)
    ad A: that is do-able on 64 bits
    ad B: wish you luck on corporate installs (office etc mostly 32 bits), see offical M$ advisory

    upload_2015-11-5_8-7-44.png

    I have DEP forced for Office through this registry tweak (and have SEHOP, ASLR, Heap Termination on Corruption and Untrusted fonts protection also enabled)
     
    Last edited: Nov 5, 2015
Loading...