Home Tags Computer Emergency Response Team (CERT)

Tag: Computer Emergency Response Team (CERT)

CERT to Microsoft: Keep EMET alive

Microsoft wants to stop supporting its Enhanced Mitigation Experience Toolkit (EMET) because all of the security features have been baked into Windows 10.

A vulnerability analyst says Windows with EMET offers additional security protections not available in standalone Windows 10. "Even a Windows 7 system with EMET configured protects your application more than a stock Windows 10 system," said Will Dormann, a vulnerability analyst with the Computer Emergency Response Team (CERT) at Carnegie Mellon University’s Software Engineering Institute. Originally introduced in 2009, EMET adds exploit mitigations, including address space layout randomization (ASLR) and data execution prevention (DEP), to Windows systems to make it harder for malware to trigger unpatched vulnerabilities.
Since Windows 10 includes EMET’s anti-exploit protections by default, Microsoft is planning to end-of-life the free tool in July 2018.

CERT’s Dormann said Microsoft should keep supporting the toolkit because Windows 10 does not provide all of the application-specific mitigations available in EMET. “Windows 10 does indeed provide some nice exploit mitigations.

The problem is that the software you are running needs to be specifically compiled to take advantage of them,” Dormann said. OS-level vs application-level defenses Dormann argues that Microsoft should keep supporting the toolkit -- currently EMET 5.51 -- because it provides both system-wide protection and application-specific mitigations that make the toolkit relevant for Windows security, even on Windows 10 systems. EMET’s system-wide protections include the aforementioned ASLR and DEP, Structured Exception Handler Overwrite Protection (SEHOP), Certificate Trust (Pinning), and Block Untrusted Fonts.

EMET’s application-specific protections include DEP, SEHOP, ASLR, Null Page Allocation, Heapspray Allocations, Export Address Table Access Filtering (EAF), Export Address Table Access Filtering Plus (EAF+), Bottom-up Randomization (BottomUP ASLR), Attack Surface Reduction (ASR), Block Untrusted Fonts, and Return-Oriented Programming mitigations. Microsoft’s principal lead program for OS security, Jeffrey Sutherland, recently said that users should upgrade to Windows 10 since the latest operating system natively includes the security features provided by EMET.

That is true to some extent, as DEP, SEHOP, ASLR, BottomupASLR, and ROP mitigation (as Control Flow Guard) are part of Windows 10, but many of the application-specific mitigations are not. What Sutherland neglected to consider was that most Windows administrators rely on EMET to apply all of the available exploit mitigations to applications.

Consider that a Windows 10 system with EMET properly configured has 13 additional mitigations -- the application-specific controls -- than a standalone Windows 10 system. "It is pretty clear that an application running on a stock Windows 10 system does not have the same protections as one running on a Windows 10 system with EMET properly configured," Dormann said. Application defenses still lagging Windows 10 may be the most secure Windows ever, but the applications have to be compiled to utilize the exploit mitigation features to actually benefit from those enhanced security features.

For example, if the application isn’t designed to use Control Flow Guard, then the application doesn’t benefit from Return-Oriented Programming (ROP) defenses, despite the fact that Control Flow Guard is part of Windows 10. "Out of all of the applications you run in your enterprise, do you know which ones are built with Control Flow Guard support? If an application is not built to use Control Flow Guard, it doesn't matter if your underlying operating system supports it or not," Dormann said. The problem isn’t limited to just third-party and custom enterprise applications as there are some older -- but still widely used -- Microsoft applications which don’t access the advanced exploit mitigations.

For example, Microsoft does not compile all of Office 2010 with the /DYNAMICBASE flag to indicate compatibility with ASLR.

An attacker could potentially bypass ASLR and exploit a memory corruption vulnerability by loading a malicious library into the vulnerable application’s process space. Ironically, administrators would protect the application from being targeted in this way by running EMET with application-specific mitigations. "Because we cannot rely on all software vendors to produce code that uses all the exploit mitigations available, EMET puts this control back in our hands," Dormann said. Don’t pick sides; do both Microsoft says to start migrating to Windows 10 and stop using EMET by 2018.

A senior engineer at CERT, tasked by the United States Department of Homeland Security to make security recommendations of national significance, says EMET still offers better security than standalone Windows 10. What is a Windows administrator to do? The answer, according to Dormann, is to follow both recommendations: Upgrade to Windows 10 to take advantage of native exploit mitigation features, and install EMET to apply application-specific mitigations. EMET will continue to keep working even after its end-of-life date, which means administrators can still use the tool to protect unsupported software against possible zero-day vulnerabilities.
Several other Microsoft applications are nearing their end-of-life dates, including Microsoft Office 2007.

Administrators can continue to use EMET to protect these applications from attacks looking for zero-day vulnerabilities. “With such out-of-support applications, it is even more important to provide additional exploit protection with a product like EMET,” Dormann said. It’s possible that with Microsoft’s new Windows-as-a-service model, the remaining EMET defenses will be added to Windows 10 before the end-of-life date, at which point Windows 10 would be able to handle the application-specific protections without EMET. Until then, EMET is “still an important tool to help prevent exploitation of vulnerabilities,” Dormann said.

Free ‘cyber hugs’ for all is the plan at New Zealand’s...

Kiwis plan a CERT with heart, not just a shield for business Kiwcon Kiwi security incident responders are gearing up to go live with New Zealand's first computer emergency response team (CERT) next March.

And in a change of tack for CERTs, New Zealand's will help all businesses, not just the top end of town. Declan Ingram, program manager and heavy lifter with CERT NZ says it will help small businesses all the way to enterprises and government with incident response, and will even supply security engineers from the private sector with intelligence. The well-known former penetration tester told the Kiwicon hacker conference CERT NZ is running a ten-month sprint to start up after being announced in May 2016. "It (CERT NZ) is really, really different to a lot of other CERTs which are focused on critical infrastructure, focused on their memberships," Ingram says. "The CERT we're building is for everybody, which is fantastic, except that there is a finite amount of resources and an awful amount of people who can benefit from the help. "A big part of what the CERT is going to be doing is connecting people." Declan Ingram.
Image: Darren Pauli / The Register Ingram says it will be able to assist and liaise with victims; analysts; enforcers such as police; security providers; fixers who "mop up" after incidents, and champions who help with public education. He invites security vendors to contribute intelligence to the CERT to help build New Zealand's "herd immunity" for security threats. It will not be a business' "personal response team" however, nor cop,security information and event management box, or security operations centre. "It is about providing assistance, giving information back, and giving people cyber hugs," Ingram told the 2000 attending hackers in Wellington, Friday. "If you've been ransomware'd [sic], you call up and we'll ask 'show us where it hurts' and help you get on with your life," he says. The CERT operates under New Zealand's Ministry of Business Innovation and Employment, and takes over from an ad-hoc collection of security nice guys including the NZITF and other global CERTs. Its five core functions include: Incident response and triage; Situational awareness and information sharing; International collaboration with a tight-bit network of global CERTs; Advice and outreach, and; Co-ordination of serious cyber incidents. Ingram invited interested security types to apply for limited roles at the CERT through the Ministry of Business Innovation and Employment. ® Sponsored: Customer Identity and Access Management