Tom Olzak

Archive for October, 2009 | Monthly archive page

Protecting core productivity apps with EMET

In Uncategorized on October 29, 2009 at 11:02

This week Microsoft released a toolkit designed to help IT professionals protect systems from common threats.  Named the Enhanced Mitigation Evaluation Toolkit (EMET), this little gem is easy to implement, once you install the very small executables on your workstations.

Before I walk you through setting up Firefox, I want to take a minute to tell you why you should care about this.

Why you should care

In its initial release, EMET protects against exploitation of four common attack vectors.  Once an application is “configured,” the behavior an attacker needs for an effective compromise of the system is blocked.  The following information is from readme.rtf, included in the downloadable EMET .zip file:

  1. SEHOP – Structured exception handling (SEH) chain validation breaks SEH overwrite exploitation techniques.
  2. Dynamic DEP – Certain portions of memory are marked as non-executable.  Using EMET, you can target specific applications instead of fighting with compatibility issues caused by setting DEP in the BIOS.
  3. Null page allocation – Attackers are blocked from taking advantage of NULL dereferences in user mode.
  4. Heap spray allocation – Heap spraying involves filling a process’ heap with specially crafted content to aid system exploitation.  EMET pre-allocates those memory addresses and blocks these attacks.

Although Microsoft hasn’t tested all possible applications, they have successfully tested the following:

  1. iexplore.exe (IE) – although there are apparently some problems getting IE to behave all the time.
  2. winword.exe (Word)
  3. excel.exe
  4. acrord32.exe (Acrobat Reader)
  5. firefox.exe
  6. outlook.exe
  7. powerpnt.exe

The developers of EMET warn it isn’t for everyone.  Since EMET turns off functionality some applications may need to work as expected, it should only be used by IT personnel willing and able to work through possible issues.

Using EMET

Using EMET starts with a quick download of a .zip file.  Extract the files into a folder that is not generally accessible; this helps prevent unwanted visitors to the target system from tampering with them.

Once I extracted the files on my Windows 7 Ultimate desktop, I was in such a big hurry to start testing I forgot about my “new enhanced” security.  EMET is run from a command prompt and requires elevated privileges.  So my initial run was thwarted until I performed the following steps to bring up a command line window with the proper permissions:

  1. Click Start
  2. Type Command Prompt in the search field.
  3. Right click on Command Prompt at the top of the programs list to bring up the window shown below.

    Figure 1 (image not available in this copy)

  4. Click Run as administrator

I then followed the simple example in the readme document to protect Firefox, as shown in Figure 2.

Figure 2 (image not available in this copy)

Pressing Enter resulted in a successful run of EMET.  I confirmed this by listing all protected applications.  See Figure 3.

Figure 3 (image not available in this copy)

That’s all there is to it.  EMET works with

  • 32-bit Windows XP, Server 2003, Server 2008, Vista and Windows 7
  • 64-bit Vista, Windows 7 and Windows 2008 R2
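The steps above (an elevated prompt, EMET_Conf run once per application, then a listing to confirm) gathered into one PowerShell script, as an added example that is not part of the post and not Microsoft’s code. It assumes EMET was extracted to C:\Tools\EMET and that EMET_Conf.exe accepts the --set and --list switches as documented in the toolkit’s readme.rtf (verify against your copy); the Office, Reader and Firefox install paths are assumed defaults, and only files that actually exist are configured. It also prints the system-wide DEP policy first, so you can see what EMET’s per-process DEP adds on top of the OS setting.

```powershell
# Added example (not from the post or from Microsoft). Configures EMET 1.x protection
# for the applications the post lists and confirms the result.
# ASSUMPTIONS: $EmetDir is where you extracted the toolkit; EMET_Conf.exe supports
# "--set <exe path>" and "--list" as described in readme.rtf (check your copy).
param(
    [string]$EmetDir = 'C:\Tools\EMET'   # assumed extraction folder with a restricted ACL
)

$emetConf = Join-Path $EmetDir 'EMET_Conf.exe'

# 1. EMET_Conf needs elevation; fail early with a clear message rather than a cryptic error.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Run as administrator) PowerShell prompt.'
}
if (-not (Test-Path $emetConf)) {
    throw "EMET_Conf.exe not found at $emetConf"
}

# 2. Report the system-wide DEP policy (Win32_OperatingSystem property):
#    0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (client default), 3 = OptOut.
$os       = Get-WmiObject -Class Win32_OperatingSystem
$depNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
'System DEP policy: {0}' -f $depNames[[int]$os.DataExecutionPrevention_SupportPolicy]

# 3. Candidate executables: the ones the post says Microsoft tested. The relative
#    paths are assumed defaults (Office 2007 = Office12, Reader 9); adjust as needed.
$roots    = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$relative = @(
    'Internet Explorer\iexplore.exe',
    'Mozilla Firefox\firefox.exe',
    'Adobe\Reader 9.0\Reader\AcroRd32.exe',
    'Microsoft Office\Office12\winword.exe',
    'Microsoft Office\Office12\excel.exe',
    'Microsoft Office\Office12\powerpnt.exe',
    'Microsoft Office\Office12\outlook.exe'
)

foreach ($root in $roots) {
    foreach ($rel in $relative) {
        $exe = Join-Path $root $rel
        if (Test-Path $exe) {
            Write-Host "Configuring EMET for $exe"
            & $emetConf --set "$exe"
            if ($LASTEXITCODE -ne 0) {
                Write-Warning "EMET_Conf returned exit code $LASTEXITCODE for $exe"
            }
        }
    }
}

# 4. Confirm, as the post does in Figure 3, by listing all protected applications.
& $emetConf --list
```

Run it from an elevated PowerShell window; if one of the tested applications then misbehaves, remove just that entry rather than abandoning EMET for the whole machine, which is the “work through possible issues” approach the developers describe.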

Security Note: New method for detecting forgeries

In Forgery on October 9, 2009 at 08:53

A new visualization approach to detecting forgeries was presented this summer at EuroVis 2009.  Songhua Xu demonstrated how pen angle and pressure provide enough information to determine whether a signature, for example, is a forgery.

(image not available in this copy)

In this image, the signatures at the top are genuine.  It is easy to see that what Songhua Xu calls the “lilly” is different and inconsistent in the forged examples on the bottom.  Supposedly, any forgery is easily detectable no matter how close it “looks” to a genuine one.

Interesting Find: Chrome exposes links

In Cybercrime, Google Chrome, Insider risk on October 6, 2009 at 07:51

Have you ever wanted to see where a link takes you or whether it actually downloads what you expect?  If so, you know there are add-ons for Firefox and other browsers that provide this functionality.  However, I just noticed this morning while working within my research Sandboxie sandbox that Google Chrome apparently provides this functionality out of the box.

(image not available in this copy)

When I hover my mouse pointer over a link, the destination or file reference appears in the lower left corner of my browser window.  Not perfect, but a nice quick check.

Security Tip: Patching must include ALL applications

In Cybercrime, Hacking, Patching on October 6, 2009 at 07:14

Once again, patching isn’t just about plugging holes in Windows.  Most if not all applications have security vulnerabilities if someone looks hard enough.  Up until now, however, finding those vulnerabilities was harder than just whacking the OS.  But Microsoft has settled into a patch release routine that, when followed, pretty well hardens servers and user workstations.  And although there are still vulnerabilities, finding and exploiting them now takes more effort than shifting focus to widely installed user applications.

Adobe is experiencing attacker-love now.  They are a good target because their Reader is everywhere.

Adobe’s software has increasingly come under attack in recent years as hackers have come to realize that it can be easier to find flaws in popular software that runs on top of Windows than to dig up new vulnerabilities in the operating system itself.

That’s led to a round of new attacks that exploit bugs in products such as Adobe’s Reader, Apple’s QuickTime, and the Mozilla Firefox browser, for example.

It’s a reality that Adobe Chief Technology Officer Kevin Lynch freely acknowledged Monday in a press conference at the company’s annual Adobe MAX developer conference, held in Los Angeles.

Source:  After attacks, Adobe patches now come faster, Robert McMillan, Computerworld, 6 October 2009

But Adobe Reader isn’t the only end-user application on your endpoints.  It’s critical to get ahead of the attack curve by developing an overall patch process today, BEFORE that new user productivity tool becomes a target.
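An overall patch process starts with knowing what third-party software is actually installed, since you cannot patch what you have not inventoried. The following PowerShell script is an added example, not part of the post; it reads the standard machine-wide (64-bit and 32-bit) and per-user Uninstall registry keys, drops Microsoft’s own entries so the non-OS applications stand out, and writes the list to a CSV for the patch tracker. The output path on the desktop is an assumption.

```powershell
# Added example (not from the post). Inventory installed applications from the registry
# so that third-party software is on the patch list, not just Windows itself.
# Only standard Windows registry locations are used; the CSV path is an assumption.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',              # 64-bit / native
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',  # 32-bit on x64
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'               # per-user installs
)

# Collect every entry that has a display name; the Wow6432Node key simply does not
# exist on 32-bit Windows, so each parent key is tested first.
$apps = foreach ($key in $uninstallKeys) {
    if (Test-Path (Split-Path $key)) {
        Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName } |
            Select-Object DisplayName, DisplayVersion, Publisher, InstallDate
    }
}

# Third-party software first: that is the part a Windows-only patch routine misses.
$thirdParty = $apps |
    Where-Object { $_.Publisher -notmatch '^Microsoft' } |
    Sort-Object Publisher, DisplayName -Unique

$thirdParty | Format-Table -AutoSize
$thirdParty | Export-Csv -Path "$env:USERPROFILE\Desktop\installed-apps.csv" -NoTypeInformation

'Third-party applications found: {0}' -f @($thirdParty).Count
```

Run the script on a representative workstation (or push it through your management tooling) and compare the DisplayVersion column against each vendor’s current release; anything that is behind is a candidate for the same routine you already apply to Windows updates.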

For Software Downloads, Go Directly to the Source

In Cybercrime, Hacking on October 2, 2009 at 10:54

Search engine results for download sites offering hard to get or difficult to find popular software are increasingly used by attackers to ply their insidious craft.  Users looking for an easy way to circumvent vendor constraints or to find popular free software must practice caution.  This isn’t a new warning, but it apparently needs repeating.

The following appeared yesterday in an article at The Register:

Surfers also need to be wary about hunting for Microsoft’s new freebie anti-malware scanner via search engines. Websense further warns that scareware distributors have poisoned search engine results so that sites passing off fake anti-virus scanners appear prominently in searches for Microsoft Security Essentials.

Both the Google Wave and Microsoft Security Essentials attacks rely on black hat Search Engine Optimisation techniques. Wrongdoers typically break into well-established sites and create webpages stuffed full with relevant keywords, cross-linked to other sites compromised in the same way. The tactic is designed to trick search engines into pushing doctored sites higher in search engine indexes for relevant terms.

Source:  Google Wave search poisoned by scareware scammers, John Leyden, The Register, 1 October 2009

And there’s more.  The following appeared in a related article:

Two ongoing scams are tricking Google and other search engines into prominently displaying millions of compromised webpages that attempt to hijack end users’ computers or steal their credit card numbers, researchers said.

One of the attacks is being used to direct people searching the web to an online store hawking pirated copies of popular software titles. Plugging the phrase “cheap vista for students” into Google, for instance, returned more than 19 million results, many of which redirected users to a site called soft4pcs.com.

A separate attack is the work of a botnet dubbed ASProx, which injects malicious links into misconfigured ASP webpages. Users who enter a wide array of search queries, such as “used corvette parts“, received results pointing to a page that redirected to ads-t.ru, which attempted to serve a hostile Adobe Flash file that installs malware.

Source:  Google results flog millions of compromised webpages, Dan Goodin, The Register, 1 October 2009

So if you or someone you know is looking for a free AV scanner or is trying to get their hands on an invite for the newest beta, go directly to the source; avoid second-hand sites unless you are certain they are trustworthy.