Tag Archives: Microsoft EMET

Adobe Releases Flash Security Update Due To New Exploit

Yesterday Adobe released an emergency security update for Flash Player that they had previously announced earlier this week. This update was released ahead of the next Update Tuesday since the Magnitude Exploit kit(defined) is exploiting a zero-day vulnerability (defined) in order to infect devices/systems with ransomware (defined) specifically the Cerber and Locky variants.

The update address 24 critical security vulnerabilities (more formally known as CVEs (defined) one of which (as mentioned above) is currently being exploited and has been since at least the 31st of March according to the security firm Proofpoint.

=======================
Update: 13th April 2016:

Microsoft issued their security update for Windows 8.1 (Internet Explorer) and Windows 10 users (Microsoft Edge and Internet Explorer, respectively). Further details are available in their security bulletin.

Thank you.
=======================

(Please see update above): At the time of writing Microsoft had not yet made available the relevant updates for Microsoft Edge or Internet Explorer. They now do so by releasing a separate security bulletin. The full list of security bulletins is available from this page. Google reacted quickly releasing version 49.0.2623.112 of Chrome which includes the updated Flash Player v21.0.0.213.

Flash Player updates for Linux, Apple Mac OS X and Windows are available from this link (which can be used if you don’t have automatic updating enabled or simply wish to install the update as soon as possible). As explained by Sophos the automatic updater of Flash Player updates systems in phases in order to avoid too much congestion on Adobe’s servers.

As always I would recommend that if you have Flash Player installed to install the necessary update as soon as possible. You can check if you have Flash Player installed using this page.

In addition, please follow my recommendation to enable the ASR mitigation of Microsoft EMET as detailed in this post in order to mitigate against Flash based vulnerabilities being exploited in applications that can open Microsoft Office documents and/or Adobe PDF files.

Thank you.

Google Chrome Benefits From Windows 10 Security Mitigations

Earlier this year in February, Google added several new security mitigations (defined within this post) to Google Chrome that work in partnership with lesser known changes within the Windows 10 update (known as Build 10586 or Version 1511) made available by Microsoft in November last year.

How Do These New Techniques Work?
In total 3 new mitigations were added:

    1. Block un-trusted fonts
    On numerous occasions over the last year Microsoft have released security updates that address vulnerabilities related to Windows handling of fonts (examples here, here and here (among others)). Such vulnerabilities are of interest to attackers since when successfully exploited they provide the attacker with kernel mode privileges (defined). The concept of a kernel is defined here. A mitigation designed to make exploiting such vulnerabilities more difficult is present in the most recent version of Microsoft EMET version 5.5 and is discussed in more detail on page 11 of the EMET user guide as well as this TechNet article.

    Windows 10 features a system wide means of blocking the use of fonts to only the Windows Font directory (folder) by default located at: C:\Windows\Fonts However due to the application compatibility issues that this feature can cause it is turned off by default. While the ability to enable this security feature for running applications on a per process (defined) basis is available this is unsuitable for Chrome since it creates multiple processes with different security permissions applied. However, the November 2015 Windows 10 added the ability to enable the blocking of fonts for individual processes of which Chrome can now take advantage of.

    2. Block the creation of child processes
    This mitigation is intended to block an attacker’s exploit from creating new running processes without any restrictions of the Google Chrome sandbox (discussed below) on a Windows device if they are successful at exploiting Google Chrome. Google Chrome has always incorporated a protective sandbox (defined) that prevents malicious code from being able to make changes to the computer upon which Google Chrome is installed.

    To address a vulnerability reported by Google to Microsoft in late 2014; the Windows 10 November update provides the ability to applications (if they choose to use it) to block the ability to create child processes including console processes (disused further in the Google bug report linked to above). This new capability is now utilized by Google Chrome.

    3. Block the loading of DLLs (defined) from network drives
    While Windows provides the ability for an application to load a DLL from a network location (e.g. a mapped network drive); this can be used by an attacker to insert malicious code into a legitimate application (e.g. if they substitute a legitimate DLL in a network location with a malicious DLL of the same name).

    This ability has been disabled within Google Chrome when it’s installed on Windows 10 with the November 2015 update further hardening it against this type of attack. This capability is similar to the defences of Microsoft Edge against DLL injection.

    Conclusion
    All of the above new mitigations provide defence-in-depth (defined)(PDF) security against possible future vulnerabilities and provide further incentive for Windows users to migrate to Windows 10. Please do not misunderstand me I am not trying to advocate that users do so, I am simply pointing out the additional security features that are available if you choose to use Windows 10 (with the November update) and Google Chrome in combination.

    Thank you.

Microsoft Releases EMET 5.5

====================
Update: 11th July 2017:
As noted in a new blog post, an upcoming update to Windows 10 will contain some features of EMET. Further details are available in the above mentioned blog post.

Thank you.
====================

====================
Update: 14th March 2017:
Since my last update of this post EMET was updated to version 5.52 to resolve the following issues:

  • An issue with the EAF mitigation that causes some applications to hang on Windows 7 SP1.
  • A fix to the MSI installer to allow in-place upgrade behavior.
  • Removed EAF+ mitigation for Chrome from “Popular Software.xml”
  • Fixed import behavior for System Mitigations.

Thank you.

====================
Update: 17th November 2016:
====================
Please note that Microsoft EMET is in the process of being retired with the end of support scheduled for the 31st of July 2018. Further details are available in this blog post.

However Microsoft updated EMET in August 2016 to version 5.51 which incorporates the following minor changes:

  • EMET 5.5 GUI crashing on startup
  • Unexpected BitLocker warning in EMET 5.5 when changing system-wide DEP setting

Further details on EMETs mitigations as well known compatibility issues are listed in this article. A more detailed forum thread on this topic is available here.

Thank you.
====================

====================
Update: 17th November 2016:
Please note that Microsoft EMET is in the process of being retired with the end of support scheduled for the 31st of July 2018. Further details are available in this blog post.

However Microsoft updated EMET in August 2016 to version 5.51 which incorporates the following minor changes:

  • EMET 5.5 GUI crashing on startup
  • Unexpected BitLocker warning in EMET 5.5 when changing system-wide DEP setting

Further details on EMETs mitigations as well known compatibility issues are listed in this article. A more detailed forum thread on this topic is available here.

Thank you.
====================

Update 23rd February 2016:
According to this FireEye blog post EMET 5.5 also addresses a critical security vulnerability that was responsibly disclosed (defined) to Microsoft.

As mentioned below, if you use a version of EMET prior to version 5.5, please use the links provided to install version 5.5. as soon as possible. Thank you.

Update 3rd April 2016:
As discussed in a more recent blog post the Untrusted font mitigation of EMET 5.5 is now used by Google Chrome when installed on Windows 10 (with the November 2015 update). Thank you.

=======================
Original Post:
=======================
In early February Microsoft released version 5.5 of their Enhanced Mitigation Experience Toolkit (EMET).

This is an important update for users of Windows 10 since it adds full compatibility with that version of Windows in contrast to the previous 5.2 version of EMET. The full list of changes in this new version is available in this Microsoft blog post.

In addition, this version adds a noteworthy enhancement for Windows 10 users that blocks exploit that use font files stored in any directory (folder) in order to gain additional privileges when either remotely or locally (already have a presence) attacking your system. All fonts not stored in the %windir%/Fonts directory will not be loaded. If you are currently using an older version of EMET, please consider upgrading to EMET 5.5 to take advantage of the enhancements in this update. Further resources concerning installation, use and obtaining support for EMET are available on the Protecting Your PC page of this blog.

Please note that in order to migrate previous EMET settings to version 5.5 Microsoft have provided a PowerShell script to do so. Instructions for using this script to migrate the settings are available on page 33 and 36 of the EMET 5.5 users guide.

Thank you.