sick of all updates

Discussion in 'other security issues & news' started by culla, Jul 9, 2010.

Thread Status:
Not open for further replies.
  1. katio

    katio Guest

    So far I've only focused on kernel/system security. If ring 0 is compromised, everything below is too. There is no way to isolate the kernel against the rest of the system. Now let's have a look at application/user space level security.
    Ring 3 usually has access to everything a user cares about (files, credentials...). A compromise is therefore just as devastating as full system "pwnage".

    But it doesn't have to be like that. Privilege isolation is possible on that level.
    User accounts, fs permissions, sandboxing, MAC etc. can protect your data against application exploits. If you've got a tight security setup, ring 3 security becomes less and less important. Of course you still need to follow best practice: least privilege, don't mix up trusted and untrusted environments, read, understand and apply the documentation, don't get social engineered and all that (and keep said security software patched; not updating those is even worse than not updating the system, recursion if you use built-in ones like SRP...).

    Back to kernel security. Almost all compromises pass first through ring 3 and then compromise ring 0 through privilege exploitation. This in turn means having any kind of untrusted code execution in ring 3 is a severe risk for the whole system; it's the first success in a staged attack from the attacker's perspective. Pure ring 0 exploits are very rare; for example there've been wlan driver exploits and other NIC vulns. You can do absolutely nothing against them today (Qubes OS is working on it by putting the whole networking inside a separate VM, and there are some experimental/eternally "not ready" microkernels which put drivers outside of ring 0 into user space).

    The question now is, are these security boundaries for ring 3 strong enough to prevent a ring 0 compromise? In reality, certainly. Widespread in-the-wild exploits are pretty boring: exploit vuln, drop binary, execute.
    But they could become a lot more advanced; DLL loading from memory is the best example. It circumvents AE, AV and HIPS.
    Or take this one:
    http://www.microsoft.com/technet/security/bulletin/ms10-078.mspx
    How do you protect yourself against this?
    Say you browse a site with embedded crafted OTF fonts, inside Sandboxie, inside LUA, on top of Returnil. Knowing how this stuff usually works, the shellcode downloads a file and tries to execute it; with AE the exploit stops right there, without it the exploit will run within Sandboxie and can't compromise the real system. But it doesn't have to do that: the shellcode runs with kernel privileges! It could disable Sandboxie and Returnil, it could patch the kernel, install backdoors all over it...
    Is there any protection besides keeping your system up to date?
    Another one, this time truetype fonts:
    http://www.microsoft.com/technet/security/bulletin/ms10-032.mspx
    EOT: http://www.microsoft.com/technet/security/Bulletin/MS09-065.mspx
    EMF/WMF: http://www.microsoft.com/technet/security/Bulletin/MS09-006.mspx
    and more, lots, tons more, have a look, grep for "privilege escalation":
    http://secunia.com/advisories/product/22/?task=advisories
     
    Last edited by a moderator: Nov 28, 2010
  2. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Fair enough, but you are you, and another person is another person. For example, I know from other threads that you run Faronics AE, isn't that right? So, you do not keep Adobe Reader updated, because you don't need the features the newest version(s) offer, but you've got the means to prevent any possible threats from taking advantage of Adobe Reader's vulnerabilities (be it anti-executable or any other, for that matter), correct?

    Adobe Reader is one thing. But, do you keep Faronics AE updated, if a known vulnerability is found that makes it ineffective?

    And, does every other single person also have the same skills to deal with such mitigations, like dealing with anti-executables, HIPS, etc? I have my doubts. So, they rely on updates, come they sooner or later. If they know or have someone that can help them understand more about how certain things work, then it's great; otherwise, and unless they start looking for that information, how will they?

    OK. That kills any PDF exploits happening, if they were to open them in the browser. So, if the browser is set to trigger for an action, the user needs to make a proper decision on whether or not it was something he/she initiated.

    Then again, do you really think that all people know or learnt how to tweak their browsers? Not really. Why do you think that so many people still see their systems become infected? Because they have no notions on how to tweak their browsers, pdf readers, etc, and operating system. Most solely rely on antivirus and updates. So, I do believe updates are crucial.

    I have set Chromium to family members running Windows 7, and I have applied to it a low integrity level. For Chromium to be able to download files, it also needs to access the user Temp folder, which runs at medium level; so it can't access it. Nothing gets downloaded to their systems, unless they start it via the download manager I installed.

    This kills any exploit. But, it was me doing it, not them. They wouldn't know how.

    Unfortunately, that is a real problem. :( Luckily, Adobe finally decided to harden their pdf reader.
     
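The low-integrity Chromium setup m00nbl00d describes above, written out as an added example in PowerShell (these are not the poster's own commands). It relies on two documented Windows Vista/7 Mandatory Integrity Control rules: a process started from an executable that carries a Low label runs with a Low-integrity token, and a Low process is denied write access to Medium-labelled objects (No-Write-Up), which is why the user's %TEMP% becomes unwritable. Every path below is an assumption for illustration.

```powershell
# Added example, not the poster's own commands: run a browser at Low integrity on
# Windows 7 with Mandatory Integrity Control labels, as described in the post above.
# All paths are assumptions for illustration; adjust them to your own install.
$exe        = "C:\Chromium\chrome.exe"        # assumed portable Chromium location
$lowProfile = "C:\Chromium\LowProfile"        # assumed profile dir the Low process may write
$lowDrop    = "C:\Users\Public\LowDownloads"  # assumed folder where the Low process may save

New-Item -ItemType Directory -Force -Path $lowProfile, $lowDrop | Out-Null

# 1. Label the image Low. A process created from a Low-labelled executable gets a
#    Low-integrity token even though the user's own token is Medium.
icacls $exe /setintegritylevel Low

# 2. No-Write-Up: a Low process cannot write to Medium-labelled objects, so the user's
#    %TEMP% is out of reach. Give the browser its own Low-labelled places, with the
#    label inherited by everything created inside them.
icacls $lowProfile /setintegritylevel "(OI)(CI)Low"
icacls $lowDrop    /setintegritylevel "(OI)(CI)Low"

# 3. Verify the labels: each listing should include
#    "Mandatory Label\Low Mandatory Level:(NW)".
icacls $exe
icacls $lowDrop

# 4. Prove the mechanism with a throwaway copy of cmd.exe: whoami inside the Low
#    process reports the Low label, the same command in this console reports Medium.
$lowcmd = Join-Path $env:TEMP "lowcmd.exe"
Copy-Item "$env:SystemRoot\System32\cmd.exe" $lowcmd -Force
icacls $lowcmd /setintegritylevel Low
whoami /groups | Select-String "Mandatory"                  # Medium Mandatory Level
& $lowcmd /c "whoami /groups" | Select-String "Mandatory"   # Low Mandatory Level

# 5. Start the browser against the Low-labelled profile (Chromium's --user-data-dir switch).
Start-Process -FilePath $exe -ArgumentList "--user-data-dir=`"$lowProfile`""
```

Anything the Low process must write (its profile, its download target) has to carry the Low label too, or the write is denied; that denial is exactly the effect the post describes for downloads into the Medium-labelled Temp folder. Integrity labels are stored in the NTFS security descriptor, so this does not work on FAT volumes.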
  3. katio

    katio Guest

    The vulnerable executable loads the DLL. Any remote code execution vulnerability can load a DLL from memory (as far as the space constraints of the shellcode allow); that DLL can do anything with the privileges of the exploited program (and escalate...).
    Attacker code in the kernel can disable the virtual layer or bypass it. It has full kernel privs, and the kernel has full access to the hardware; just do a low-level write (MBR rootkit for example) which bypasses any higher-level protection.
     
  4. Fiat_Lux

    Fiat_Lux Registered Member

    Joined:
    Nov 1, 2010
    Posts:
    180
    I am personally totally "sickened" by the whole update hell in general, be it the necessity of updating games or the eternal update and upgrade hell in general.....

    But though, as I wrote earlier, I understand the thread starter's position/viewpoint, I run a fully patched version of Windows on the "box" I use to communicate with you on this forum. I am in a crowd that uses a lot of advanced security measures that I would rather be without if I could, so I use the updates and a relatively conservative set of always-active security programs, plus I do scans with some other security programs when I feel like it.

    I do however think that my views in general on the whole matter are quite bizarre and strange sounding to most people, as I am not a huge fan of the eternal update and upgrade hell in general. I would rather not go into extreme details with all of this, but let us just say that I could do without a new set of Windows every X years.

    Short statement : "I understand why updating is necessary..."
    Below here then followed an explanation (some would consider it rambling) that I unfortunately had to choose not to publish.
    (I have been monitored and followed even in physical "off-line" life more times, one time even on the sidewalk by a guy on a motorbike, so I would be wise not to write certain things. I have no true anonymity here, alas.. , sorry....)
     
  5. katio

    katio Guest

    oh you tease :p


    Just in case you think it's a Windows/Microsoft problem.
    I've been running OS X and Linux for years and let me tell you: It's worse there. Updates aren't nearly as tested (except for those stable server/workstation distros like Debian and RHEL, but they come with their own set of annoyances). OS X updates are huge monolithic packages taking up way more bandwidth than every other OS. Linux releases are way more frequent than the commercial OSs. With both, backwards compatibility is next to non-existent. OS X 3rd party/ISV software is very quick in dropping support for the last release, and with Linux you are in for some fun editing plain text files and compiling, or worse patching source code, if the software you want isn't supported by your distro and no one bothered to release binaries for your specific release. Not using the latest version of either OS means a lot of headaches, worse than running Windows 2000 in 2010...

    Of course there's one difference, Linux is free and OS X updates are cheaper and on Linux system requirements don't really change, you can keep your old hardware and driver support is no issue, if it worked once it will keep on running and running.
     
  6. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,795
    Updates. Upgrades. What are those? There are updates/upgrades for tons of stuff in real life, aside from software, and for all sorts of categories. Do you really need to be updated all the time? News, headlines, newest models of cars, cameras, laptops, etc etc..

    And what about getting yourself a new wife/girlfriend because the current one is getting too 'old' and 'naggy'?:p

    Right, I'll put my jokes aside.:D

    Personally, I'm sick of apps that update almost every few days or weekly and, from what can be deduced from the change-log (or whatever one calls it), don't provide much 'benefit' (up to individual interpretation).

    This is especially so if it's something that requires a manual act on my part and the app/program is something that I hardly use or interact with in my day-to-day usage.

    "New" can be good but not necessarily so all the time. "Patching" does have its merits but it brings grief too at times...ever had one?

    Assuming features aside and the focus being on security, one may want to look at this:
    The Six Dumbest Ideas in Computer Security

    Look at "Penetrate and Patch" heading and read. Here's a lengthy quote:

    Others may disagree with the argument brought forward (it does come across as emotional argument to some, more than rational speak) but let's admit that there's some truth in what's stated. Right?

    So, does that mean everyone should stop doing updates? For everything? Nope. It doesn't. There's a difference between critical and not-so-critical vulnerabilities...whatever that means to you. For some, that latest hot threat in town that has got everyone speaking/blogging has already been 'handled', 'covered' by whatever means one has taken upon whereas for another, the generally perceived 'smaller' threat may actually be the one that has a higher magnitude of causing problems. After all, one man's meat is another man's poison.

    Personally, what it means (at least for me) is that one ought to be more selective and careful in his/her decision whether or not to update/upgrade....for like all things in life, there's a trade-off somewhere. Whether or not that trade-off is worth the risk is ultimately the end-user's choice and responsibility. You've got to figure out the cost vs value ratio on your own...no one can tell you that.

    Telling everyone to do updates blindly is as good as telling them to dive into the sea without any swimming experience. And same goes for blindly telling them not to do updates at all.

    You can't help the user solve security problems with just updates. No doubt it does help, but there are other layers to be taken care of too. The keyword here is all about finding the balance....going to extreme ends helps no one but merely brings out a good argumentative essay. I know there's irony here with my long post but I can't help it...

    P.S. Personal practice: If I deem that particular update to be a slight annoyance that takes only a small part of my time, and wouldn't cause me much grief if things 'break', then I'll DO the update. If things do 'break', then I'll try to find what's causing it or, if I'm plain too lazy, I'll just revert back to the older version and touch wood hoping that things go fine.

    Windows Update is a mess of its own; you decide how you want to handle it. I set it to notify me but I'll choose to download/install them on my own. That's because my primary OS is still supported. Windows 7. And the updates aren't just for 'security'. Bug-fixes etc etc. If it wasn't, I'd figure out how to keep it 'updated' on my own...for my needs, that is, because there's no way I can possibly cover every single threat out there. Enumerating badness is a bad idea too.
     
  7. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    @ safeguy

    You do have some good points, but I'd like to make emphasis on something you quoted from the link you provided.

    Unless I'm misunderstanding what the author meant, it's said that both security researchers and vendors are stupid, simply stupid, because one part is discovering vulnerabilities and the other part fixing them.

    Now, I ask: Why are the vendors fixing them?
    I'll try to answer: Maybe because other folks are letting such vulnerabilities come to public knowledge?
    Which, in turn, makes me want to ask this: Would software vendors fix them if no one but them and the hackers knew about them? For all an end-user would know, it was his/her own fault something bad happened, not the vendor's for providing (free or paid) buggy software.

    The author also seems to be considering that no programmer will ever make programming errors? They may do their best effort, but bugs will always exist. Now, this also makes me want to ask: Would the author rather prefer for no one to try and find vulnerability bugs in software and report them?

    The same author seems to believe as well that users shouldn't be educated.
    What I know, I know because I wanted to learn more and I did it on my own. Did I waste my time wanting to learn more on how threats actually work and what I can do to protect myself better?

    And, this shows that users shouldn't be educated about computer security? It shows precisely the opposite, IMO, that they should be educated.

    I wonder what this author is all about o_O I wonder if he wasn't educated as well to know what he knows? Yeah, education, what for... Go watch Big Brother or something like that... a lot better.

    I see that he is/was a developer.... Hmmm... I guess we found a pristine one; we just need to clone him and from now on, no more bugs, at all. :)
     
  8. katio

    katio Guest

    Ranum is a renowned security expert. He knows what he's talking about from years of experience.
    User in that context means employees. In other words: If educating our employees was going to help protect our enterprise network, it would have helped already.
    I'm not sure if that means educating is dumb (period), but it certainly means the way user education is currently handled isn't very effective, and ultimately security should, no, must never depend on it.
    Educating "yourself" - an entirely different topic...

    And penetrate and patch? Security researchers will always be needed. But they shouldn't be hunting down dumb programming errors. You know about grsecurity and EMET? They are able to block almost all currently known exploits with the notable exception of return oriented attacks (ret2libc and similar). We could write very secure software and operating systems; there've been research projects like Coyotos, which also involved creating a new programming language, BitC, and there are formally verified systems like L4 embedded. They are designed in a way that makes regular penetrate and patch redundant. Of course there will be errors, but those will be implementation errors, design errors, in other words "exciting stuff".

    You might ask, if there are these great uber secure systems, why aren't we using them (apart from flight control, power plants and so on)? Security is a trade-off, and outside the circle of security researchers it simply doesn't matter if something is designed secure as long as it's just barely secure enough. But Mr. Ranum wouldn't be good at what he does if he didn't keep on ranting.
    His eye is on perpetually insecure software; Adobe comes to mind.
    Keeping patching Reader was dumb, absolutely, utterly stupid, and any security "researcher" looking for yet another exploit was wasting his time. They already got the point across in version 5 or so. Though admittedly, as Adobe didn't listen for years, they had to continue exposing the software, a point he probably overlooked.
    Now version X is released; they implemented a security feature that's secure by design. If you look for flaws in the sandbox you are most likely not dumb, you broke out of the BASIC loop, and every flaw fixed will actually have an impact on the security of the software. It's not about absolute security; it goes without saying that's impossible. But you won't be featured in "bug of the week" as he put it.

    Hope I made his arguments a bit more clear :=)
     
  9. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yes, indeed, you have! I guess it was a problem of interpretation. Next time I'll read twice or even a third time, to make sure I properly understood it. :)

    But one thing where I disagree: it is not a waste of time to educate employees; the waste of time is perhaps the methods that are used to educate them and also the examples that are given, if any at all. Maybe a starting point, excluding all the rest, would be for enterprises to choose their IT staff better, if employees still keep making the same mistakes with their systems. Something is wrong, and I bet the fault isn't just the employees'. It's always the method and who applies it, IMO.
     
  10. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,795
    Valid point. I agree too that one must try to spread the knowledge if possible. But from what I understand, what Ranum is saying is that most of the time, educating employees (or let's say your auntie or grandmother in a family home context) CAN be a waste of time if the one being taught isn't willing to learn or practice/apply/make use of the knowledge given/shared. In that sense, educating is a relatively "dumb"-er idea in comparison to setting the system up in a secure manner (aka lock-down) through policies, for example.

    How many security experts/gurus have told us repeatedly not to do this and that, etc? But still, the habit is still ongoing and the problems resulting from the same old trick haven't died, right? Users are still getting duped by simple tricks like opening up file attachments from unknown emails, for example. No one is able to stop the foolishness or curiosity of the user if he/she is still adamant about opening up that lottery scam mail or nudepics.txt.exe. He/she is still going to open it up no matter how many times you've told him/her not to. Even experienced users are susceptible to human mistakes at times. No one is perfect. The only thing you can do is mitigate the risk by setting the right policies, which is more favorable (a relatively 'smarter' idea), as given in the example here:

    Now, do you see where he's going when he states that 'educating users is a bad idea'? It's not to be taken in a clear-cut word-for-word manner but rather subtly. That's where the difference lies. Apart from that, the consensus remains the same among the 3 of us.;)
     
  11. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    5,557
    Location:
    USA still the best. But barely.
    Didn't read all. But IME XP runs a lot faster with SP2 than with SP1.
     
  12. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,795
    Try SP3. SP3 'seemed' faster to me than SP2 when I was using XP. No guarantees though.

    Anyway, I've got 1 question: why are some users still sticking to SP2 and not upgrading to SP3? I can understand if they have some apps that are not supported, but is there any other particular reason that I'm not aware of? Just curious, that's all...
     
  13. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    If that situation arose, yes, I would update.

    I hoped that my scenario in the above post implied that only those who understood how certain things work (Adobe Acrobat in this case) should continue to use an older application.

    In my own case, I deal with two different levels of expertise. Those as above, and the average user who doesn't care nor have the time to deal at a technical level with these matters. With them, Windows Update is set to automatic, and I ensure that they understand the update policies of their other applications that are prone to attack.

    Keeping with the Adobe example: The users bookmark the Adobe site as the *only* place to update the Reader. This prevents social engineering exploits, such as

    Adobe Acrobat Spam Going Strong - More to Come?
    http://isc.sans.edu/diary.html?storyid=9982
    Instructed properly, users will have no difficulty in making the correct decision, as I indicated above: if they didn't go looking for that PDF file, it's ignored.

    I've never attempted to speak for *all people* - just those with whom I'm in contact.

    In that sense, the OP is speaking just for himself, and I don't see in any of his posts that he is implying that others should do the same.
    ----
    rich
     
  14. culla

    culla Registered Member

    Joined:
    Aug 15, 2005
    Posts:
    504
    Yes, I'm behind a router and firewall, all unnecessary [to me] services stopped. As stated, I update my Firefox [portable] and its add-ons. I have an image backup which I haven't needed as yet. I don't run any programs on the C: drive other than Windows, Office 2000, Macrium, Returnil, Sandboxie; all my programs are portable, running from 2 external drives :D :D :D
     
  15. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Bad guys concentrate on bypassing the most commonly used setups, which is usually a realtime AV.
     
  16. culla

    culla Registered Member

    Joined:
    Aug 15, 2005
    Posts:
    504
    I hope you're not trying to portray me as a bad guy :thumbd:

    thats why they're one step ahead :D

    as i stated in another thread i was taught by hackers
    who are now working for the man
    and getting paid very well
    in top level security :thumb:
     
  17. katio

    katio Guest

    I feel like we are doing pretty good here and are at least one step ahead of the bad guys we have to worry about.
    With "we" I mean the knowledgeable Wilders posters and with bad guys I mean the usual suspects who distribute fake AVs, trojan codecs, datafile.exe email attachment, pdf/flash exploit of the week (or simply as I always put it, "boring stuff" and "same old news") - for monetary gain.

    Oh and "hackers" are the good guys, if you use the term correctly.
     
  18. culla

    culla Registered Member

    Joined:
    Aug 15, 2005
    Posts:
    504
    thanks guys still hacking away :D
     
  19. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
    I wish Didier Stevens holds true to his promise so I can test his PDF with the 'loading dll in memory' exploit inside Sandboxie. I don't know about the space constraints of shellcode, how an attacker can get by with that and be able to do something significant against Sandboxie, for e.g.

    Now I would like to know how attacker code in the kernel would be able to disable the virtual layer and bypass it. So-called anti-Sandboxie malware comes and goes and was never able to bypass it.

    I remember one time a tester executed a killdisk trojan in Sandboxie but the low-level writes to the MBR were deflected by Sandboxie. This was running in Admin mode if I remember.
     
    Last edited: Dec 2, 2010
  20. katio

    katio Guest

    No such thing exists; that's why we haven't seen a single malware that could break out of Sandboxie.
    Anti-Sandboxie means that a malware tries to detect whether it's run within Sandboxie first before executing its malicious payload, in order to trick users into believing it's benign so they execute it natively where it infects the system, or in order to stay under the radar of the anti-malware crowd who usually work within VMs and sandboxes.

    But that doesn't mean one couldn't exploit, say, vulnerable Adobe running within Sandboxie on a vulnerable NT kernel in a targeted attack. I don't say it's easy but it's possible.
     
  21. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
    That and those who bragged that they can bypass Sandboxie but to no avail.

    Yes, it's possible as it is possible to bypass DEP, SEHOP, ASLR, etc.
     
  22. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
    Those EOT and the EMF/WMF vulnerabilities are those rare types with both arbitrary code execution and privilege escalation. Good for everyone those are patched already. If folks like us who haven't patched are to be targeted by hackers, we are sitting ducks. Imagine EMF/WMF renamed as jpg files or incorporated as media files getting passed through Sandboxie and Returnil or a host of layered defences in order to do low-level writes to the MBR. It's a good thing the thread starter has image backups as the final recourse.

    Now, the host of other privilege escalation exploits, including the zero-day that bypasses UAC, if coupled with the loading of the DLL from memory can do the same, theoretically speaking. The only things that could possibly save us are image backups, EMET (DEP, SEHOP, ASLR) or any other anti memory corruption attacks like HeapLocker. How about running sandboxed virtual machines?
     
    Last edited: Dec 9, 2010
  23. katio

    katio Guest

    Not so rare I think, pretty much every kernel vulnerability that doesn't depend on privileged calls can do that. In the Linux world the kernel is the second most attacked and exploited software right after Firefox... Judging from the impressive Stuxnet attack it's not far fetched to assume that there are more 0day kernel vulns circulating than MS would ever admit.

    Based on this assessment, VMs are the only way to achieve strong layered security with the current monolithic kernels we are stuck with. It's the essential idea behind the Qubes OS project. Only that way does arbitrary code execution in kernel space not automatically equal full system compromise.

    We are seeing more and more anti memory corruption techniques implemented, but I think there's still no way to block return oriented attacks, so that approach is limited too.
     
  24. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
    I meant those 2 vulnerabilities have that "remote" arbitrary execution aspect. Other kernel exploits require local access (attackers have to trick a user to click) or another arbitrary code execution exploit, just as in the case of malware like Stuxnet (2 zero-days to gain local access to the system and 2 zero-day privilege escalations to subvert the Windows kernel). Yes, being two out of a thousand with that "remote" capability is not rare after all. lol (jk)

    What is scary with the EMF/WMF kernel exploit, for e.g., is that it can disguise itself as another benign image file in a web page, and just by viewing the image file, the embedded code could gain kernel access and subvert any AV/HIPS/sandbox/AE/lite virtualizer protections. But then again, if all it does is download and execute, same old boring stuff as Rmus always says.
     
    Last edited: Dec 10, 2010
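The renamed-metafile scenario raised in posts 22 and 24 (an EMF/WMF or font file called something.jpg reaching a parser that selects by content, not by name) is the classic reason a gateway or download filter must identify files by their bytes. The sniffer below is an added example, not code from the thread or from any product mentioned in it; it uses the documented header signatures of JPEG/PNG/GIF, placeable and standard WMF, EMF (EMR_HEADER plus the " EMF" signature at offset 40), TrueType/OpenType and EOT (magic 0x504C at offset 34). The sample blobs are constructed header stubs, not real files, and the block/flag policy is an assumption chosen for illustration.

```python
"""Identify image/font files by content rather than extension.

Added example (not code from the thread). A malicious EMF/WMF or font renamed to
.jpg passes any check that trusts the extension; Windows picks a parser by content,
so a filter must too. Sample blobs below are constructed stubs, not real files.
"""
import os
import struct

# Constructed samples: each carries only the leading signature of its format.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32
# EMR_HEADER: Type=1, Size=108, then Bounds/Frame (32 bytes), then signature " EMF".
SAMPLE_EMF_AS_JPG = struct.pack("<II", 1, 108) + b"\x00" * 32 + b" EMF" + b"\x00" * 64
SAMPLE_PLACEABLE_WMF = b"\xd7\xcd\xc6\x9a" + b"\x00" * 40
# META_HEADER: Type=1 (memory), HeaderSize=9 words, Version=0x0300, rest zeroed.
SAMPLE_WMF = struct.pack("<HHHHHHIH", 1, 9, 0x0300, 0, 0, 0, 0, 0)
SAMPLE_TTF = b"\x00\x01\x00\x00" + b"\x00" * 40
SAMPLE_EOT = b"\x00" * 34 + struct.pack("<H", 0x504C) + b"\x00" * 10

EXPECTED = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif",
            ".wmf": "wmf", ".emf": "emf", ".ttf": "ttf", ".otf": "otf", ".eot": "eot"}
# Formats the kernel-mode bugs linked in this thread were reached through
# (GDI metafiles and embedded fonts). Flagging them is an assumed policy.
RISKY = {"wmf", "emf", "ttf", "otf", "eot"}


def sniff(data):
    """Return the format the bytes actually are, ignoring the file name."""
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return "png"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    if data[:4] == b"\xd7\xcd\xc6\x9a":          # Aldus placeable WMF header
        return "wmf"
    if len(data) >= 18:                           # standard WMF META_HEADER
        kind, hdr_words, version = struct.unpack_from("<HHH", data, 0)
        if kind in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300):
            return "wmf"
    if len(data) >= 44:                           # EMF: EMR_HEADER + " EMF" signature
        rec_type, = struct.unpack_from("<I", data, 0)
        if rec_type == 1 and data[40:44] == b" EMF":
            return "emf"
    if data[:4] in (b"\x00\x01\x00\x00", b"true"):  # sfnt with TrueType outlines
        return "ttf"
    if data[:4] == b"OTTO":                       # sfnt with CFF outlines
        return "otf"
    if len(data) >= 36 and struct.unpack_from("<H", data, 34)[0] == 0x504C:
        return "eot"                              # EOT MagicNumber, checked last
    return "unknown"


def check(filename, data):
    """(claimed format from extension, actual format from bytes, do they agree)."""
    ext = os.path.splitext(filename.lower())[1]
    claimed = EXPECTED.get(ext, "unknown")
    actual = sniff(data)
    return claimed, actual, claimed == actual


def verdict(filename, data):
    """Assumed filter policy: block mismatches and unknowns, flag risky formats."""
    claimed, actual, consistent = check(filename, data)
    if actual == "unknown":
        return "block: unrecognised content in %s" % filename
    if not consistent:
        return "block: %s claims %s but is %s" % (filename, claimed, actual)
    if actual in RISKY:
        return "flag: %s content, handled by metafile/font parsers" % actual
    return "allow"


if __name__ == "__main__":
    for name, blob in (("holiday.jpg", SAMPLE_JPEG), ("holiday.jpg", SAMPLE_EMF_AS_JPG),
                       ("clip.wmf", SAMPLE_WMF), ("web.eot", SAMPLE_EOT)):
        print(name, "->", verdict(name, blob))
```

The EOT check sits last because a two-byte magic at offset 34 is the weakest signature in the set; the others are matched first so a genuine JPEG or sfnt cannot be misread as EOT. On a real gateway this sniff would run before any thumbnailing or preview rendering, since that rendering is exactly the code path the kernel bugs above were reached through.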
  25. katio

    katio Guest

    http://secunia.com/advisories/product/22/?task=statistics
    Quickly glossing over the Secunia stats, the majority of all exploits is labeled "from remote"; however privilege escalations themselves are comparably rare, though still 3rd most frequent. To draw any conclusions as to how these two relate is an exercise left for the reader :p

    But does it even matter? If you've got a local kernel exploit you now have to stage two separate exploits: one remote, in any network-facing program or one that handles tampered files, then load a DLL which in turn does the local privilege escalation. The hard part is circumventing security systems and owning the kernel; getting remote code execution first is a piece of cake in comparison.
     