Mitigation techs available on XP

Discussion in 'other anti-malware software' started by luciddream, Feb 21, 2013.

Thread Status:
Not open for further replies.
  1. DR_LaRRY_PEpPeR

    DR_LaRRY_PEpPeR Registered Member

    Joined:
    Oct 11, 2012
    Posts:
    141
    Location:
    St. Louis area
    Yes, of course. :) And I'm saying if that app opts in to DEP with SetProcessDEPPolicy (IE 8, Firefox, Chrome, ...) then it can't be disabled. You didn't specify HOW DEP was being opted into on XP. :)


    OK! :cool:


    All right, but that ROP isn't necessarily disabling DEP if it can't be disabled, obviously. So... ROP kicks off other stuff that then has to "work around" DEP that can't be disabled, I guess? So yeah, in that case, I can see how it would be a lot easier if all memory was executable. Although, if the exploit can allocate its own memory (or even call VirtualProtect on anything), then it can make anything executable without disabling DEP... Hmm. :blink:
     
  2. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    Although not one to get into semantics, that graphics shot I posted shows >98% of exploits failed against an EMET-protected XP installation ;)
     
  3. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    Reason for Editing: Concealing all evidence of my temporary insanity.
     
    Last edited: Feb 25, 2013
  4. DR_LaRRY_PEpPeR

    DR_LaRRY_PEpPeR Registered Member

    Joined:
    Oct 11, 2012
    Posts:
    141
    Location:
    St. Louis area
    Yes, 98% is more like it, I was just posting what Hungry said. :p

    And what in the world are you talking about?! "OS Elitist?" Can you read, like my signature? Where have I said anything about another OS anyway? :rolleyes:

    I'm wanting to stick with XP for as long as I can just like you! (I don't like 7 for different reasons, and certainly not 8! I'd try to make things as close as possible to XP. Another DLL I'd like to make would be to restore some XP SRP functionality, but I'm not sure it'll work. Plus, I hardly know what I'm doing. :eek:) Since I'm not trying to play any new games that need newer than XP or anything. Just kinda wish I had real ASLR. After updates end next year, I'm not sure how long I'll stay on it though, because I'm concerned about kernel vulnerabilities, privilege elevation, etc. And you can be sure any would be hammered by exploits once the bad guys know there's no fix if there's still a large XP install base. :doubt:


    Anyway, I'm just pointing out the facts, or trying to help, etc. It is NOT a different way of accomplishing the same result! That couldn't be further from the truth. One either has DEP, or they don't. You don't, period (if you don't have hardware support). You're just fooling yourself if you think plain SafeSEH offers much real protection.

    Did you try the DEP Test program I posted in the other thread to verify...? Why isn't your pseudo-DEP "owning" that? Didn't you see what Hungry Man and I were posting about bypassing/disabling DEP? That's exactly what that test does!

    I was going to ask which processor or motherboard you had, and see what the best bang-for-your-buck CPU you could get cheap for your board's socket that DOES support hardware DEP. :)


    Oh, just saw your edit. Whoa, chill out dude! I don't know what's up with you? BTW, I don't think any AMD CPU has the same socket as a Core Duo. :) So I was going to offer to check what the best is you could get, or if you felt comfortable changing it yourself (is it a pre-built system?) or if you knew someone else that could do it quick for no cost, etc. But, anyway...



    BTW, this is bad I guess, but I've never installed a single .NET Framework update yet! I don't know if I use anything where it could be accessed or exploited though? (Firefox? I have IE 6, which can't use it like IE 8 AFAIK.) I just haven't had a chance to look over its updates and choose which ones I need (it is kinda confusing, and I'm not used to it). But again, I don't have any concerns about its security...

    OH, and also, lucid, I was going to look into another thing for ya. :) Once you have the EMET DLL (doesn't need .NET FW as you know), I thought there MAY be another way that it could be loaded into processes without NEMET, but I haven't looked into how it works enough. I thought while playing with custom DLLs I might be able to come up with some other EMET alternative for people like you. :cool: Although probably won't work the way I hoped...
     
    Last edited: Feb 23, 2013
  5. DrBenGolfing

    DrBenGolfing Registered Member

    Joined:
    Nov 29, 2012
    Posts:
    251
    Location:
    Hometown of Van Cliburn
    I used to say the same thing about XP but my machine just had more mechanical problems that cost more than buying a new computer. My new one had Windows 7 and after a couple of days, I realized how wrong I was about updating the OS. One day most of your XP programs and software will stop working---just ask someone that is still trying to run Windows 95.
     
  6. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    I apologize to everyone that had to endure my rant to whom the shoe didn't fit... you know if it does or not. That was something that was building for a while, and was unfair to focus it on a couple people in this thread.

    It just seems that anytime anyone brings up anything pro-XP, some people feel the need to lick the red off their lollipops. I mean just look at that old thread about NEMET once, started by the dev. Half of it was trashing people for still being on XP, instead of pertinent information about the app. One guy was still on SP2 even (oh, the horror)... and he really got tarred and feathered. And it's just irritating to see that. And I knew it was inevitable that I'd get that vibe in this thread too, and I guess I just hit my boiling point. And the wrong person... someone that had absolutely nothing to do with that, bore the brunt of it. That was wrong...

    When people ask for info pertaining to XP, telling them to upgrade their OS not only doesn't help, but comes across as pompous. I think it's good advice to the average user, with an average setup, but for us hardcore folk we can make the OS quite safe with the right tweaks & software. Very safe in fact. In my 8 years using it, last week was the first time I've even seen malware, and my much-maligned software DEP turned it back. That man running SP2 who was attacked (not by malware, but by Wilders members) has yet to be compromised either. So he, and his OS, must be doing something right. Just let him live... Re-reading that thread again, I think, in large part had me on edge already, and made me blow some of the stuff in this thread out of proportion.

    And FWIW, what a difference a day makes... I'm sitting here with a new (old) box, lol. My friend had an old Inspiron sitting around for a while now, offline, using it just to watch movies, hooked up to his TV, with a 1 TB HD to keep all his movies on. I told him my PC could do that for him just as well if we just swapped HDs... and that I'd make the difference up to him, whatever he thought was fair. He just told me if he asks me for a favor some time, not to forget the gesture. So I now have hardware DEP and 4 GB of RAM... and XP seems a hair faster, but not much, and that may be a placebo. After seeing first-hand how useful DEP can be combined with SBIE against an exploit, I decided to get the "real" deal. If I'm gonna do this, add these mitigation techs... well anything worth doing is worth doing right.
     
    Last edited: Feb 25, 2013
  7. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    Exploits can be mitigated on most any OS, including the older ones, especially XP, because the means to do so with 3rd-party security are still available, as well as with what's built in, and XP still supports most production software that people need such as web browsers and office suites. It will no doubt become increasingly difficult to achieve, and especially not worth the time and effort, well after (probably several years after) XP is no longer supported by both MS and software developers, but until then I believe it's still possible to run it securely and productively, unless I personally see evidence of it falling to an exploit.
     
  8. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    Well when that day comes I will certainly upgrade. But as it stands here and now, the opposite is true. There are some things I'd no longer be able to use on 7 that I do on XP... and several more that especially wouldn't work on the 64-bit versions.
     
  9. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    Yeah. The thing is too that it's not being targeted nearly as much since it's near its EOL. Add to that an attack surface you can make the size of a pea with hardening, and 3rd-party software support, and I think the argument can certainly be made that it's the most secure Windows OS to date.

    But that's only for OCD geeks like us. For John & Jane Q average end user, it's definitely prudent to upgrade to Windows 8 (forget 7 even). I don't advocate my approach to anyone else. Perhaps that's what causes an impasse here to some degree. I should perhaps make a disclaimer: "Warning... I'm OCD & a nostalgic old fart that thinks everything was better in their time. Don't follow my example... just upgrade ur frickin OS and run as a Standard user. It'll save you making these 1001 tweaks I have to make to have XP not leaking from every pore." err, something like that.

    I seriously look at what I wrote now and feel like a douche, if I'm allowed to say that in here.

    I appreciate your help wat. That stat you provided especially sold me. And I think it illustrates just how useful (hardware) DEP, even alone, is when opt-out or always-on. Nothing else can really explain the difference, because, as Hungry Man said, I've read also, that those other app mitigation techs aren't pretty trivial on their own. Only when combined with DEP are they worth much. And I get the feeling the same can be said about all of them. I read that SEHOP isn't worth much actually, even with DEP. So the only logical explanation is the test without EMET was done with DEP with its default opt-in setting. And that they added EMET "AND" turned it to either opt-out or always-on, but neglected to mention that fact, for the other test.

    And a first-hand experience showed me that software DEP is hardly useless, when turned to opt-out or always-on. When running the app in question sandboxed anyway. I wonder if it would've worked otherwise? SBIE kept the attack isolated, which probably caused it to become unresponsive... and that's why DEP fired. I wonder, if the app isn't sandboxed, if my computer doesn't just crash and DEP never kicks in? I'll never know now. Maybe I could ask the person to hit me with it again and run the session unboxed, lol.

    I think I'll wait until I get my VM in place to do that... 0strodamus recommended a light one that I'm going to try out.
     
  10. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I think there's a misplaced concept of attack surface here if you think XP has less just because of its install size, but I don't think you want the thread to devolve.

    If you intend to continue using it I highly suggest you force DEP system wide, and EMET as many programs as you can.
     
  11. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    No... I was thinking more along the lines of needing like 30 services/processes running for it to function properly instead of a dozen... a few of which require internet access as well that don't on XP (like svchost for instance).

    But if you want to get uber technical (I don't), all code is potential attack surface. In fact I think it was even you that said that before?... but I could be mistaken. So your scenario could be considered valid too.

    I think the misplaced concept here is that XP Pro is an insecure OS personally. Out of the box... yes. But in the right hands... far from it. And that's what I attempt to point out whenever I see it belittled.

    But yeah this is all going OT. And I don't want this thread being closed after further review.
     
  12. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I did say that before, and I agree with it, but if we're not going to get into it it seems silly to elaborate lol
     
  13. DR_LaRRY_PEpPeR

    DR_LaRRY_PEpPeR Registered Member

    Joined:
    Oct 11, 2012
    Posts:
    141
    Location:
    St. Louis area
    Cool, are you sure you have hardware-DEP? :) Which processor...? Of course you can verify (if you haven't set AlwaysOn) on DEP tab (from System CP) where you choose OptIn/OptOut: At the bottom, make sure it does NOT say: "Your computer's processor does not support ..." (Like would have been there before, although not with AlwaysOn/Off set AFAIK.)

    Now if you have real DEP, it's possible that you may run into issues with something that doesn't support DEP if you run with AlwaysOn. In that case use OptOut, and wait for me to release the DLL that makes everything else act the same as AlwaysOn (it's ready now, works great, but want to set up a page, and finish a little companion .exe program first :cool:).



    Just FYI: "real" hardware-DEP will NOT work inside your VM, unless your processor has Virtualization Technology (and enabled in BIOS) and your VM software is configured to use it. So if you're attempting to test DEP in the VM, you may be in the same situation again, without actual DEP, without VT. :argh:
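    A way to check the points raised in this post and in the SetProcessDEPPolicy discussion earlier in the thread from the command line (whether DEP is hardware-backed, which system policy boot.ini set, and whether a process has DEP on permanently), as an added example that is not from the thread or from any EMET/NEMET tool; it assumes PowerShell 2.0 or later on a 32-bit XP SP3 box, and the Dep.Native wrapper name is a name chosen here.

```powershell
# Added example (not from the thread): report the machine's DEP state the way the
# System Control Panel DEP tab does, without the GUI. Uses documented WMI
# properties and kernel32 APIs only; the 'Dep.Native' wrapper name is arbitrary.

$policyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }

# Win32_OperatingSystem carries the facts the DEP tab shows. _Available is $true
# only when the CPU reports NX/XD *and* it is enabled in the BIOS.
$os     = Get-WmiObject Win32_OperatingSystem
$hwDep  = $os.DataExecutionPrevention_Available
$policy = $policyNames[[int]$os.DataExecutionPrevention_SupportPolicy]

"Hardware DEP (NX) available : $hwDep"
"System DEP policy           : $policy"
"32-bit apps covered         : $($os.DataExecutionPrevention_32BitApplications)"

if (-not $hwDep) {
    # Without NX the kernel falls back to 'software DEP', which is only SafeSEH
    # handler validation; no page is actually made non-executable.
    Write-Warning "No hardware DEP: only SafeSEH-style protection is in effect."
}

# XP takes the policy from the /noexecute switch in boot.ini at boot, so show it;
# a change made in the DEP tab is not live until the next reboot.
$bootIni = Join-Path $env:SystemDrive 'boot.ini'
if (Test-Path $bootIni) {
    Select-String -Path $bootIni -Pattern '/noexecute=\w+' |
        ForEach-Object { "boot.ini switch             : $($_.Matches[0].Value)" }
}

# Per-process view via the XP SP3 API: GetProcessDEPPolicy reports whether DEP is
# on for a process and whether it is permanent, which is the state an app is in
# after calling SetProcessDEPPolicy(PROCESS_DEP_ENABLE) on itself.
# (Only valid for 32-bit processes; in a 64-bit host it fails with ERROR_NOT_SUPPORTED.)
Add-Type -Namespace Dep -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError=true)]
public static extern bool GetProcessDEPPolicy(IntPtr hProcess, out uint flags, out bool permanent);
[DllImport("kernel32.dll")]
public static extern IntPtr GetCurrentProcess();
'@
$flags = [uint32]0; $permanent = $false
if ([Dep.Native]::GetProcessDEPPolicy([Dep.Native]::GetCurrentProcess(), [ref]$flags, [ref]$permanent)) {
    # flags bit 0 = PROCESS_DEP_ENABLE, bit 1 = PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION
    "This process: DEP enabled=$(($flags -band 1) -ne 0) permanent=$permanent"
}
```

    With OptIn in force, the last line shows DEP off for a plain PowerShell session, while a browser that calls SetProcessDEPPolicy itself reports enabled and permanent, which is the distinction made earlier in the thread.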
     
  14. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    Yes, the CPU supports both hardware DEP & virtualization... confirmed using a tool at GRC, "secureable"... or something. And confirmed that it was enabled in my BIOS as well.

    Box is a Dell Inspiron 530 with a Core 2 Duo E6750 CPU.

    I ran that secureable tool on the box at his house to make sure first. Otherwise my quest would have been a waste. I wasn't even looking for/expecting the virtualization, but it happens to support it too so I'm not complaining.

    Heck, as far as I'm concerned I have my current gen box right here, lol. I know by most standards it hardly is, but I think I could run Win7 x86 just fine with this CPU and 4 GB of RAM. After I figure out how to trim the thing, which I would, even thrive on it. It wouldn't take to x64 too well but I wouldn't go that route for a while anyway, until software/vendors catch up to it a bit.
     
    Last edited: Feb 25, 2013
  15. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    Working on something, eh?
     
  16. DR_LaRRY_PEpPeR

    DR_LaRRY_PEpPeR Registered Member

    Joined:
    Oct 11, 2012
    Posts:
    141
    Location:
    St. Louis area
    Oh, awesome! That's a more recent and better processor than I was expecting -- and a Core 2 Duo. :) Yeah, the VT can come in handy (extra features, like VM DEP, besides making VM faster).

    I had forgotten about GRC's Securable program, oops! :oops:
     
  17. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    I was thinking the same thing regarding how you felt compelled to offer your 2 cents whilst saying you didn't think I wanted the thread to devolve again...

    I'd guess because we both wanted to get our points in before the bell. I at least admit it.
     
  18. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I've been pretty careful not to try to state why I think XP is less secure, only trying to explain what mitigations are available on it.
     