October 30, 2013 at 13:30Exploit Protection for Windows Users
Exploits are a special type of malware that is used by cybercriminals to install various Trojan programs or backdoors on a user's computer. This installation operation using exploits is invisible to the user, which gives attackers undeniable advantages. The exploit is trying to exploit a vulnerability in a particular OS component to carry out such an operation.
For the user, the most dangerous scenario is the use of an exploit by attackers, which allows you to remotely install code in the OS. In this case, it is enough for a person to visit a compromised web resource for infection with malicious code (drive-by). If a vulnerable version of the software is installed on your computer: a browser or plug-ins for it, then the likelihood that you can become infected with malicious code is very high.
Updating the OS, as well as installed software, is a good practice as manufacturers regularly close vulnerabilities that reappear in it. The components through which the user is exposed to particular risk include the following:
In the case of special targeted attacks or attacks like "watering hole", attackers can use 0day vulnerabilities in software and OS. Vulnerabilities, which at the time of their use by attackers were not yet closed by the vendor, have a similar name.
Antivirus products can detect exploits by signature. Thus, it allows you to protect the user from malicious content on the fly by blocking the corresponding web page with malicious content.
Modern editions of Microsoft Windows: Windows 7, 8, and 8.1 have built-in mechanisms that protect the user from the destructive actions of exploits. These features include:
PDF files
Files intended to be opened in Adobe Reader, Acrobat are in PDF format and are quite dangerous, especially if they are obtained from unreliable sources. Adobe has expanded PDF to the maximum possible level, allowing you to embed all kinds of content there. One of the main advantages of using PDF documents is cross-platform, provided that the reader (Adobe Reader) is available for the platform you need.
In many cases, cybercriminals use malicious PDFs to deliver malware to the user. If the used version of Adobe Reader is vulnerable, there is a high probability of a computer infection.
In view of the high risks of using PDF documents from insecure sources, and also taking into account the sluggishness of users in security matters, modern versions of Adobe Reader have a special “Protected Mode” for viewing documents or “sandboxing” (Protection in an isolated software environment). When using this mode, the code from the PDF file is completely prohibited from performing certain potentially dangerous functions.
Fig. Sandbox mode settings in Adobe Reader.
By default, protected mode is in the disabled state. Despite the active checkbox “Enable protected mode at startup”, it is disabled because the option to use this mode is in the “Disabled” state. Accordingly, after installing the program, it is highly recommended to transfer this setting to the “For files from potentially unsafe sources” or “All files” mode.
Please note that when you enable protected mode, Adobe Reader disables a number of functions that can be used in PDF files. Therefore, when you open a file, you may receive the following notification.
Fig. Tooltip indicating active protected viewing mode.
If you are sure of the origin of this file, you can activate all its functions by clicking the corresponding button.
Adobe Flash Player
Attackers are very fond of Adobe Flash Player. Since its plugins for playing content are used in all browsers, the search for vulnerabilities in it and their subsequent use for malicious purposes is an extremely priority task for attackers.
Like other software from Adobe, Flash Player is regularly updated as part of its update series (Adobe Security Bulletins). Most of these vulnerabilities are of the Remote Code Execution type, which means that attackers can use this or that vulnerability to remotely execute code.
Manufacturers of web browsers like Adobe do not sit still and build in special protection mechanisms from exploits that use Flash Player plugins. Browsers such as MS Internet Explorer (v10 on Windows 8), Google Chrome, and Safari OS X (the latest version) launch Flash Player in the context of a sandbox process (i.e., sandboxes), restricting access to this system to many system resources, places in the file system and networking.
A very important feature is the timely update of the Flash Player plug-in for the browser. Browsers such as Google Chrome and Internet Explorer 10 are automatically updated with the release of the new version of Flash Player, so the player for them will be updated automatically.
To check your version of Adobe Flash Player, use official. source Adobehere .
In addition, browsers support the ability to completely disable the Flash Player plugin, to prevent the browser from playing such content. We have already written a detailed article about the problems of using the Java plug-in in browsers here . Disabling the Flash Player plugin is done in a similar way.
For Google Chrome.
“Settings” -> “Show advanced settings” -> “Content settings” -> “Disable individual modules”.
For Internet Explorer.
Service -> Configure Add-ons.
ESET Exploit Blocker
It is an add-on for proactive defense in the latest versions of the seventh-generation antivirus products ESET Smart Security and ESET NOD32 Antivirus. Unlike conventional static signature detection, the Exploit Blocker module analyzes the behavior of the application for suspicious actions and tricks used by exploits. After detection of such actions, they are analyzed and the malicious process is immediately blocked. Some of these actions are subject to additional analysis in our cloud, which provides additional opportunities to protect users from targeted attacks and attacks using 0day exploits.
MS Internet Explorer and Google Chrome
We already wrote at the beginning of our material that the most preferred method of attacking users for attackers is remote code execution through a browser (drive-by download). One way or another, regardless of the installed plugins, the browser itself can contain and, potentially, contains a certain number of vulnerabilities. If the vulnerability has already been investigated by the developers and an update has been released for it, the user can install the update and not worry that attackers will compromise his OS. On the other hand, if attackers use an as yet unknown vulnerability, i.e., one that has not been closed (0day), the situation for the user is complicated.
Many modern web browsers and operating systems incorporate technology to isolate the application process, thus preventing any actions that the browser is not supposed to perform. In general, this technique is called sandboxing and allows you to impose restrictions on the actions performed by the process. One example of this isolation is the fact that modern browsers (e.g. Internet Explorer and Chrome) execute their tabs as separate processes in the OS, thus allowing you to set permission to perform certain actions on a particular tab, as well as ensuring the stability of the browser itself . In the event that one of the tabs freezes, the user can complete it without completing the others.
Modern versions of MS Internet Explorer (IE10 & 11) have a special sandboxing technology called Enhanced Protected Mode. This mode allows you to limit the actions of the tab or plug-in process and thus complicate the operation of the browser for attackers.
Fig. The sandboxing mode for Internet Explorer, which has been available since version 10.
Enhanced Protected Mode (EPM) was improved for Windows 8. If you use EPM in Windows 7 x64, then this feature ensures that browser tabs are launched as 64-bit processes (by default, IE launches its tabs as 32-bit processes). Note that EPM is disabled by default.
Fig. EPM Demo on Windows 7 x64 [usingMS Process Explorer ]. With this option turned on, the processes of browser tabs start as 64-bit, which complicates their ability to operate to install malicious code.
Starting with Windows 8, Microsoft introduced support for sandboxing at the OS level. The technology is called "AppContainer" and allows you to maximize the benefits of this mode for EPM. Internet Explorer tab processes with active EPM function in AppContainer mode. In addition, EPM is enabled by default in Windows 8.
Fig. EPM demo on Windows 8, AppContainer (aka sandboxing) enabled for tabs.
Fig. Differences in EPM on Windows 7 & 8.
Google Chrome, like IE, also has special features to prevent drive-by download attacks. But unlike him, the sandboxing mode for Chrome works constantly and does not require additional actions to enable it by the user.
Sandboxing mode for Chrome means that tab processes start with reduced privileges, which prevents them from performing various system actions.
Fig. Sandboxing mode as implemented in Google Chrome. Almost all SIDs for SID users in the access token have Deny status, which prohibits the process from performing important system functions that are allowed to these groups.
Fig. Chrome uses a special job object, which includes all browser processes. The object allows you to limit the actions of the application in relation to the resources of the OS, preventing the exploitation of the browser by cybercriminals.
In addition to this mode, Google Chrome has the ability to block malicious URLs or sites that have been blacklisted by Google as distributing malware ( Google Safe Browsing ). This feature is similar to the URL database in Internet Explorer SmartScreen.
Fig. Google Safe Browsing in Google Chrome in action.
Java
In relation to the browser and the OS, it is a virtual machine (or JRE) for executing Java applications. The platform independence of such applications makes Java very popular to use, today it is used on more than three billion devices.
Like other browser plug-ins, the Java plug-in is attractive enough for attackers to use, and given their previous experience of using vulnerabilities, we can say that Java is the most dangerous component of all other browser plug-ins.
In our earlier article about problems using Java on your systemWe wrote how you can disable this plugin for various browsers if you do not use Java applications and do not want to endanger yourself.
When you use Java on Windows, the security settings of this program can be adjusted using the applet in the control panel. In addition, its latest versions allow you to configure security settings in more detail, which allows you to run only trusted applications.
Fig. Update settings for Java. Checking for updates is enabled by default, the user is notified before the download operation.
To completely disable Java in all browsers used in the system, uncheck the “Enable Java content in the browser” setting in the Java applet.
Fig. Unchecking “Enable Java content in browser” completely disables the ability to use plugins in installed browsers.
EMET
Microsoft is releasing a free tool for users to help protect the OS from attack methods used in exploits.
Fig. EMET interface.
The Enhanced Mitigation Experience Toolkit (EMET) uses proactive methods to block various exploit actions to protect applications from attacks. Despite the fact that modern Windows 7 and Windows 8 have built-in, enabled by default, DEP and ASLR capabilities aimed at mitigating the consequences of exploitation, EMET allows you to introduce new features to block exploit actions, as well as enable DEP or ASLR forcibly necessary processes (to strengthen system protection on older versions of the OS).
EMET is configured separately for each application, that is, to protect the application through this tool you need to specify it in the corresponding list. In addition, there is a list of applications for which EMET is enabled by default, for example, Internet Explorer, Java, Microsoft Office suite programs.
For more information on using EMET and an overview of its features, see our corporate blog .
OS
Some Windows components that we did not pay much attention to above can also be used by cybercriminals to remotely execute code or increase privileges.
Fig. Patch tuesday monthly patch statistics for various Windows components. The rating shows the components that were updated more often than others for the first half of 2013.
The above rating shows that the largest number of vulnerabilities were closed for Internet Explorer, over twelve vulnerabilities were closed in twelve updates, and six of them had is-being-exploited-in-the-wild status at the time of closing, i.e. . were actively exploited by attackers.
The second most repaired component is the well-known driver of the windows subsystem - win32k.sys, which ensures the operation of the graphics system in kernel mode. Vulnerabilities in this component are used by cybercriminals to increase privileges in the system, for example. Bypassing UAC restrictions
Please note that by default in Windows 7 & 8 it is possible to automatically deliver updates to the user. You can also check for updates through the control panel.
[1] The Security Architecture of the Chromium Browser link
[2] Understanding IE Enhanced Protected Mode link
For the user, the most dangerous scenario is the use of an exploit by attackers, which allows you to remotely install code in the OS. In this case, it is enough for a person to visit a compromised web resource for infection with malicious code (drive-by). If a vulnerable version of the software is installed on your computer: a browser or plug-ins for it, then the likelihood that you can become infected with malicious code is very high.
Updating the OS, as well as installed software, is a good practice as manufacturers regularly close vulnerabilities that reappear in it. The components through which the user is exposed to particular risk include the following:
- Browsers (MS Internet Explorer, Google Chrome, Apple Safari OS X, Mozilla Firefox, etc.).
- Browser plugins (Adobe Flash Player, Oracle Java, MS Silverlight).
In the case of special targeted attacks or attacks like "watering hole", attackers can use 0day vulnerabilities in software and OS. Vulnerabilities, which at the time of their use by attackers were not yet closed by the vendor, have a similar name.
Antivirus products can detect exploits by signature. Thus, it allows you to protect the user from malicious content on the fly by blocking the corresponding web page with malicious content.
Modern editions of Microsoft Windows: Windows 7, 8, and 8.1 have built-in mechanisms that protect the user from the destructive actions of exploits. These features include:
- DEP & ASLR mechanisms that significantly complicate the possibility of exploiting a particular vulnerability in software and OS by imposing restrictions on the use of non-executable memory and placing programs in memory at arbitrary addresses. DEP & ASLR on Windows 7+ is used at the highest possible level.
- User Account Control, UAC , which has been modified since Windows 7 and requires confirmation from the user to run programs that need to change system settings and create files in system directories.
- SmartScreen filter for the OS (starting with Windows 8 for the OS), which helps prevent the user from downloading malware from the Internet based on his Microsoft reputation information.
- A special “Enhanced Protected Mode” for Internet Explorer (starting with IE 10). On Windows 8, it allows you to launch browser tabs in the context of isolated processes that are limited in performing certain actions. For Windows 7 x64 allows you to launch browser tabs as separate 64-bit processes.
PDF files
Files intended to be opened in Adobe Reader, Acrobat are in PDF format and are quite dangerous, especially if they are obtained from unreliable sources. Adobe has expanded PDF to the maximum possible level, allowing you to embed all kinds of content there. One of the main advantages of using PDF documents is cross-platform, provided that the reader (Adobe Reader) is available for the platform you need.
In many cases, cybercriminals use malicious PDFs to deliver malware to the user. If the used version of Adobe Reader is vulnerable, there is a high probability of a computer infection.
In view of the high risks of using PDF documents from insecure sources, and also taking into account the sluggishness of users in security matters, modern versions of Adobe Reader have a special “Protected Mode” for viewing documents or “sandboxing” (Protection in an isolated software environment). When using this mode, the code from the PDF file is completely prohibited from performing certain potentially dangerous functions.
Fig. Sandbox mode settings in Adobe Reader.
By default, protected mode is in the disabled state. Despite the active checkbox “Enable protected mode at startup”, it is disabled because the option to use this mode is in the “Disabled” state. Accordingly, after installing the program, it is highly recommended to transfer this setting to the “For files from potentially unsafe sources” or “All files” mode.
Please note that when you enable protected mode, Adobe Reader disables a number of functions that can be used in PDF files. Therefore, when you open a file, you may receive the following notification.
Fig. Tooltip indicating active protected viewing mode.
If you are sure of the origin of this file, you can activate all its functions by clicking the corresponding button.
Adobe Flash Player
Attackers are very fond of Adobe Flash Player. Since its plugins for playing content are used in all browsers, the search for vulnerabilities in it and their subsequent use for malicious purposes is an extremely priority task for attackers.
Like other software from Adobe, Flash Player is regularly updated as part of its update series (Adobe Security Bulletins). Most of these vulnerabilities are of the Remote Code Execution type, which means that attackers can use this or that vulnerability to remotely execute code.
Manufacturers of web browsers like Adobe do not sit still and build in special protection mechanisms from exploits that use Flash Player plugins. Browsers such as MS Internet Explorer (v10 on Windows 8), Google Chrome, and Safari OS X (the latest version) launch Flash Player in the context of a sandbox process (i.e., sandboxes), restricting access to this system to many system resources, places in the file system and networking.
A very important feature is the timely update of the Flash Player plug-in for the browser. Browsers such as Google Chrome and Internet Explorer 10 are automatically updated with the release of the new version of Flash Player, so the player for them will be updated automatically.
To check your version of Adobe Flash Player, use official. source Adobehere .
In addition, browsers support the ability to completely disable the Flash Player plugin, to prevent the browser from playing such content. We have already written a detailed article about the problems of using the Java plug-in in browsers here . Disabling the Flash Player plugin is done in a similar way.
For Google Chrome.
“Settings” -> “Show advanced settings” -> “Content settings” -> “Disable individual modules”.
For Internet Explorer.
Service -> Configure Add-ons.
ESET Exploit Blocker
It is an add-on for proactive defense in the latest versions of the seventh-generation antivirus products ESET Smart Security and ESET NOD32 Antivirus. Unlike conventional static signature detection, the Exploit Blocker module analyzes the behavior of the application for suspicious actions and tricks used by exploits. After detection of such actions, they are analyzed and the malicious process is immediately blocked. Some of these actions are subject to additional analysis in our cloud, which provides additional opportunities to protect users from targeted attacks and attacks using 0day exploits.
MS Internet Explorer and Google Chrome
We already wrote at the beginning of our material that the most preferred method of attacking users for attackers is remote code execution through a browser (drive-by download). One way or another, regardless of the installed plugins, the browser itself can contain and, potentially, contains a certain number of vulnerabilities. If the vulnerability has already been investigated by the developers and an update has been released for it, the user can install the update and not worry that attackers will compromise his OS. On the other hand, if attackers use an as yet unknown vulnerability, i.e., one that has not been closed (0day), the situation for the user is complicated.
Many modern web browsers and operating systems incorporate technology to isolate the application process, thus preventing any actions that the browser is not supposed to perform. In general, this technique is called sandboxing and allows you to impose restrictions on the actions performed by the process. One example of this isolation is the fact that modern browsers (e.g. Internet Explorer and Chrome) execute their tabs as separate processes in the OS, thus allowing you to set permission to perform certain actions on a particular tab, as well as ensuring the stability of the browser itself . In the event that one of the tabs freezes, the user can complete it without completing the others.
Modern versions of MS Internet Explorer (IE10 & 11) have a special sandboxing technology called Enhanced Protected Mode. This mode allows you to limit the actions of the tab or plug-in process and thus complicate the operation of the browser for attackers.
Fig. The sandboxing mode for Internet Explorer, which has been available since version 10.
Enhanced Protected Mode (EPM) was improved for Windows 8. If you use EPM in Windows 7 x64, then this feature ensures that browser tabs are launched as 64-bit processes (by default, IE launches its tabs as 32-bit processes). Note that EPM is disabled by default.
Fig. EPM Demo on Windows 7 x64 [usingMS Process Explorer ]. With this option turned on, the processes of browser tabs start as 64-bit, which complicates their ability to operate to install malicious code.
Starting with Windows 8, Microsoft introduced support for sandboxing at the OS level. The technology is called "AppContainer" and allows you to maximize the benefits of this mode for EPM. Internet Explorer tab processes with active EPM function in AppContainer mode. In addition, EPM is enabled by default in Windows 8.
Fig. EPM demo on Windows 8, AppContainer (aka sandboxing) enabled for tabs.
Fig. Differences in EPM on Windows 7 & 8.
Google Chrome, like IE, also has special features to prevent drive-by download attacks. But unlike him, the sandboxing mode for Chrome works constantly and does not require additional actions to enable it by the user.
Sandboxing mode for Chrome means that tab processes start with reduced privileges, which prevents them from performing various system actions.
Fig. Sandboxing mode as implemented in Google Chrome. Almost all SIDs for SID users in the access token have Deny status, which prohibits the process from performing important system functions that are allowed to these groups.
Fig. Chrome uses a special job object, which includes all browser processes. The object allows you to limit the actions of the application in relation to the resources of the OS, preventing the exploitation of the browser by cybercriminals.
In addition to this mode, Google Chrome has the ability to block malicious URLs or sites that have been blacklisted by Google as distributing malware ( Google Safe Browsing ). This feature is similar to the URL database in Internet Explorer SmartScreen.
Fig. Google Safe Browsing in Google Chrome in action.
Java
In relation to the browser and the OS, it is a virtual machine (or JRE) for executing Java applications. The platform independence of such applications makes Java very popular to use, today it is used on more than three billion devices.
Like other browser plug-ins, the Java plug-in is attractive enough for attackers to use, and given their previous experience of using vulnerabilities, we can say that Java is the most dangerous component of all other browser plug-ins.
In our earlier article about problems using Java on your systemWe wrote how you can disable this plugin for various browsers if you do not use Java applications and do not want to endanger yourself.
When you use Java on Windows, the security settings of this program can be adjusted using the applet in the control panel. In addition, its latest versions allow you to configure security settings in more detail, which allows you to run only trusted applications.
Fig. Update settings for Java. Checking for updates is enabled by default, the user is notified before the download operation.
To completely disable Java in all browsers used in the system, uncheck the “Enable Java content in the browser” setting in the Java applet.
Fig. Unchecking “Enable Java content in browser” completely disables the ability to use plugins in installed browsers.
EMET
Microsoft is releasing a free tool for users to help protect the OS from attack methods used in exploits.
Fig. EMET interface.
The Enhanced Mitigation Experience Toolkit (EMET) uses proactive methods to block various exploit actions to protect applications from attacks. Despite the fact that modern Windows 7 and Windows 8 have built-in, enabled by default, DEP and ASLR capabilities aimed at mitigating the consequences of exploitation, EMET allows you to introduce new features to block exploit actions, as well as enable DEP or ASLR forcibly necessary processes (to strengthen system protection on older versions of the OS).
EMET is configured separately for each application, that is, to protect the application through this tool you need to specify it in the corresponding list. In addition, there is a list of applications for which EMET is enabled by default, for example, Internet Explorer, Java, Microsoft Office suite programs.
For more information on using EMET and an overview of its features, see our corporate blog .
OS
Some Windows components that we did not pay much attention to above can also be used by cybercriminals to remotely execute code or increase privileges.
Fig. Patch tuesday monthly patch statistics for various Windows components. The rating shows the components that were updated more often than others for the first half of 2013.
The above rating shows that the largest number of vulnerabilities were closed for Internet Explorer, over twelve vulnerabilities were closed in twelve updates, and six of them had is-being-exploited-in-the-wild status at the time of closing, i.e. . were actively exploited by attackers.
The second most repaired component is the well-known driver of the windows subsystem - win32k.sys, which ensures the operation of the graphics system in kernel mode. Vulnerabilities in this component are used by cybercriminals to increase privileges in the system, for example. Bypassing UAC restrictions
Please note that by default in Windows 7 & 8 it is possible to automatically deliver updates to the user. You can also check for updates through the control panel.
[1] The Security Architecture of the Chromium Browser link
[2] Understanding IE Enhanced Protected Mode link