Posts

Windows 7: What is your company’s exit strategy?

/0 Comments/in /by

If your business is still running on Windows 7, you have some important decisions to make, and not a lot of time remaining. Windows 7 support officially ends in less than a year, on January 14, 2020. After that date, Microsoft will stop delivering security updates automatically, and by then most third-party vendors will have dropped support as well.

Most businesses completed their planning for migration to Windows 10 long ago and are in the final stages of implementing that plan. If you’re still procrastinating, it’s time to get serious.Which one you choose depends on why your organization is still clinging to Windows 7.

If the main reason is inertia, you’ll need to find something to motivate yourself. You could, for example, calculate the costs of cleaning up after a successful ransomware attack that spreads over your network, including the loss of business while you scramble to recover. If you’re in a regulated industry, you might want to find out whether running an unsupported operating system puts you at compliance risks, which can result in hefty fines and a loss of business when customers find out.

The other possible deployment blocker is a compatibility problem. For most Windows 7 apps, compatibility shouldn’t be an issue. If your business depends on specialized hardware or line-of-business software that absolutely will not run on Windows 10, you might be able to make a case for paying to extend the support deadline. But that just delays the inevitable by a year or two, or at most three. Your search for a replacement should be well under way by now.

Options are :

OPTION 1: SWITCH TO LINUX

Something tells me that most businesses that have stuck with Windows 7 until nearly the bitter end have already considered and rejected this option. That’s especially the case for those businesses that are constrained by compatibility issues related to a mission-critical Windows app.

But sure, if you’re willing to completely replace your desktop infrastructure and switch out every productivity app you use, that’s a preferable alternative to the next option on the list.

OPTION 2: DO NOTHING.

On January 25, 2020, Windows 7 won’t stop working. In fact, you’re unlikely to notice any changes. If you feel lucky, this is certainly an option. You might even consider the lack of monthly updates a welcome feature.Spoiler alert: This is a very bad idea, one that exposes you to all manner of possible bad outcomes.

If you absolutely must keep one or more Windows 7 PCs in operation, perhaps because they’re running a critical app or controlling a piece of old but essential hardware, the best advice I can offer is to completely disconnect that machine from the network and lock it down so that it only runs that one irreplaceable app.

OPTION 3: PAY FOR EXTENDED SUPPORT.

When Windows XP support ended in April 2014, Microsoft offered to continue delivering patches for XP devices owned by large organizations that paid for Custom Support Agreements. But those contracts didn’t come cheap. For Windows 7, the extended support option is far more democratic. In September 2018, Microsoft announced its plan to offer paid Windows 7 Extended Security Updates (ESUs). You won’t need megabucks, either: Although Microsoft has yet to publish a price list, an insider  that the annual cost for an ESU contract will be $50 per device, with that price tag going up to $100 in year two and $200 in year three.That escalating price schedule is intended to serve as a disincentive to Windows 7 users who might otherwise be tempted to kick the can a little further down the road. Customers who have paid for Windows Software Assurance contracts or who have Windows 10 Enterprise or Education subscriptions will get a discount but will still be subject to significant price hikes in years 2 and 3.

You can eliminate the extra cost of Windows 7 Extended Security Updates completely if you move your workloads to virtual machines in Microsoft’s Azure cloud. That option will be available using the new Windows Virtual Desktop option, which should be available as a preview soon. For businesses that only need to virtualize individual line-of-business applications, this could be a cost-effective option.

OPTION 4: BITE THE BULLET AND UPGRADE.

If you don’t have any compatibility issues that need to be addressed first, the simplest and most straightforward route is to put together a deployment plan and begin executing it. But the details of tha plan matter, especially if you want to avoid the headaches of the “Windows as a service” model.

As always, of course, the easiest upgrade path is via hardware replacement. Any device that’s five years old or more is an obvious candidate for recycling. Devices that were designed for Windows 10 and then downgraded to Windows 7 should be excellent candidates for in-place upgrades, after first making sure that the systems have the most recent BIOS/UEFI firmware updates.One not-so-obvious factor to consider is which Windows 10 edition to deploy. The obvious choice for most businesses is Windows 10 Pro, but I strongly suggest considering an additional upgrade to the Enterprise (or Education) edition.

Yes, machines running Windows 10 Pro allow your admins to defer feature updates, but the support schedule for Enterprise/Education is significantly longer: a full 30 months, as opposed to 18 months for Pro  (For a description of the new support schedule, including a chart that explains how the new schedule works, see “Windows 10 Enterprise customers will now get Linux-like support.”)

The other advantage of moving to the Enterprise/Education editions is the availability of a new support offering called Desktop App Assure. If you encounter a compatibility issue during the upgrade, you file a support ticket and get engineering support to resolve the issue.

For most businesses, the Windows Enterprise E3 and E5 subscription options are probably the easiest and most cost-effective here.

Whichever option you choose, though, now’s the time to get to work. That ticking sound is only going to get louder as January 2020 approaches.

How ASLR protects Linux systems from buffer overflow attacks

/0 Comments/in /by

ASLR (Address Space Layout Randomization) is a memory exploitation mitigation technique used on both Linux and Windows systems. Learn how to tell if it’s running, enable/disable it, and get a view of how it works.

Address Space Layout Randomization (ASLR) is a memory-protection process for operating systems that guards against buffer-overflow attacks. It helps to ensure that the memory addresses associated with running processes on systems are not predictable, thus flaws or vulnerabilities associated with these processes will be more difficult to exploit.

ASLR is used today on Linux, Windows, and MacOS systems. It was first implemented on Linux in 2005. In 2007, the technique was deployed on Microsoft Windows and MacOS. While ASLR provides the same function on each of these operating systems, it is implemented differently on each one.

The effectiveness of ASLR is dependent on the entirety of the address space layout remaining unknown to the attacker. In addition, only executables that are compiled as Position Independent Executable (PIE) programs will be able to claim the maximum protection from ASLR technique because all sections of the code will be loaded at random locations. PIE machine code will execute properly regardless of its absolute address.

ASLR limitations

In spite of ASLR making exploitation of system vulnerabilities more difficult, its role in protecting systems is limited. It’s important to understand that ASLR:

  • Doesn’t resolve vulnerabilities, but makes exploiting them more of a challenge
  • Doesn’t track or report vulnerabilities
  • Doesn’t offer any protection for binaries that are not built with ASLR support
  • Isn’t immune to circumvention

How ASLR works

ASLR increases the control-flow integrity of a system by making it more difficult for an attacker to execute a successful buffer-overflow attack by randomizing the offsets it uses in memory layouts.

ASLR works considerably better on 64-bit systems, as these systems provide much greater entropy (randomization potential).

Is ASLR working on your Linux system?

Either of the two commands shown below will tell you whether ASLR is enabled on your system.

$ cat /proc/sys/kernel/randomize_va_space
2
$ sysctl -a --pattern randomize
kernel.randomize_va_space = 2

The value (2) shown in the commands above indicates that ASLR is working in full randomization mode. The value shown will be one of the following:

0 = Disabled
1 = Conservative Randomization
2 = Full Randomization

If you disable ASLR and run the commands below, you should notice that the addresses shown in the ldd output below are all the same in the successive ldd commands. The ldd command works by loading the shared objects and showing where they end up in memory.

udo sysctl -w kernel.randomize_va_space=0	<== disable
[sudo] password for shs:
kernel.randomize_va_space = 0
$ ldd /bin/bash
        linux-vdso.so.1 (0x00007ffff7fd1000) <== same addresses
        libtinfo.so.6 => /lib/x86_64-linux-gnu/libtinfo.so.6 (0x00007ffff7c69000)
        libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007ffff7c63000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007ffff7a79000)
        /lib64/ld-linux-x86-64.so.2 (0x00007ffff7fd3000)
$ ldd /bin/bash
        linux-vdso.so.1 (0x00007ffff7fd1000) <== same addresses
        libtinfo.so.6 => /lib/x86_64-linux-gnu/libtinfo.so.6 (0x00007ffff7c69000)
        libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007ffff7c63000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007ffff7a79000)
        /lib64/ld-linux-x86-64.so.2 (0x00007ffff7fd3000)
If the value is set back to 2 to enable ASLR, you will see that the addresses
 will change each time you run the command.
$ sudo sysctl -w kernel.randomize_va_space=2	<== enable
[sudo] password for shs:
kernel.randomize_va_space = 2
$ ldd /bin/bash
        linux-vdso.so.1 (0x00007fff47d0e000) <== first set of addresses
        libtinfo.so.6 => /lib/x86_64-linux-gnu/libtinfo.so.6 (0x00007f1cb7ce0000)
        libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f1cb7cda000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1cb7af0000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f1cb8045000)
$ ldd /bin/bash
        linux-vdso.so.1 (0x00007ffe1cbd7000) <== second set of addresses
        libtinfo.so.6 => /lib/x86_64-linux-gnu/libtinfo.so.6 (0x00007fed59742000)
        libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fed5973c000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fed59552000)
        /lib64/ld-linux-x86-64.so.2 (0x00007fed59aa7000)

Attempting to bypass ASLR

In spite of its advantages, attempts to bypass ASLR are not uncommon and seem to fall into several categories:

  • Using address leaks
  • Gaining access to data relative to particular addresses
  • Exploiting implementation weaknesses that allow attackers to guess addresses when entropy is low or when the ASLR implementation is faulty
  • Using side channels of hardware operation

Wrap-up

ASLR is of great value, especially when run on 64 bit systems and implemented properly. While not immune from circumvention attempts, it does make exploitation of system vulnerabilities considerably more difficult. Here is a reference that can provide a lot more detail on the Effectiveness of Full-ASLR on 64-bit Linux, and here is a paper on one circumvention effort to bypass ASLR using branch predictors.

 

Side-Channel Attack Targets Windows, Linux

/0 Comments/in /by

A research team of experts from Graz University of Technology, Boston University, NetApp, CrowdStrike, and Intel has published findings on page cache attacks. Unlike Spectre and Meltdown, this attack is a first-of-its-type, hardware-agnostic, side-channel attack that can remotely target operating systems such as Windows and Linux and effectively exfiltrate data, bypassing security precautions.

In explaining the attack, authors wrote: “Our side-channel permits unprivileged monitoring of some memory accesses of other processes, with a spatial resolution of 4KB and a temporal resolution of 2 microseconds on Linux (restricted to 6.7 measurements per second) and 466 nanoseconds on Windows (restricted to 223 measurements per second); this is roughly the same order of magnitude as the current state-of-the-art cache attacks.”

After detailing background information on hardware caches, cache attacks, and software caches, the authors provide an attack threat model in which the researchers “assume that attacker and victim have access to the same operating system page cache. On Linux, we also assume that the attacker has read access to the target page, which may be any page of any attacker-accessible file on the system.”

In addition to mitigation strategies, the researchers also stated that they responsibly disclosed the vulnerability to Microsoft, and the company said it will roll out a fix.

“This attack class presents a significantly lower complexity barrier than previous hardware-based, side-channel attacks and can easily be put into practice by threat actors, both nation-state as well as cyber-gangs,” said Mounir Hahad, head of Juniper Threat Labs at Juniper Networks.

“In particular, password recovery via unprivileged applications is a major worry, as it would be available to most unwanted software bundlers and other programs typically thought of as relatively harmless. There is not much that an end user can currently do to protect themselves against this type of attack except to not run any software from a shady source, even if it does not raise any antivirus flag,” said Hahad.