Compatibility Issues with Windows 8 Release Preview build 8400

  • Question

  • I have installed Windows 8 RP build 8400 and EMET 3.0. I have configured it to maximum security settings and configured it to run with Internet Explorer and Java but it is not working. I am uploading pictures for better understanding.

    Picture 1 shows that java and iexplorer are not running EMET and Picture 2 shows that I have configured them to run.

     

    I think it's a compatibility issue and am looking forward to a fast fix.

    Picture 1

    Picture 2

    Wednesday, June 13, 2012 12:03 PM

All replies

  • Though I can't really tell for certain from the images and information you've provided, it appears you've only protected a single copy of IE (64-bit or 32-bit, but not both).

    Also, I'm unsure how the relationship between the Metro browser, with its Enhanced Protected Mode, and the desktop browser functions in relation to EMET.

    Did you configure IE with EMET while it was running in either desktop or Metro mode? Did you reboot and reconfigure?

    Also, protecting ieinstal and "flash util" amongst others on your list does nothing, as these aren't running processes. This misunderstanding/misconfiguration is likely why Java is unprotected.

    Sunday, June 17, 2012 3:00 AM
  • No, I did not configure it while it was running. Flash util is the Flash ActiveX for Windows, so that is why I used it; it is important. I think it is a compatibility issue. Perhaps EMET support will reply someday soon.
    Tuesday, June 19, 2012 5:27 PM
  • Hi harshvardhan92,

    That’s interesting and a little unnerving. I know that IE 10 in Modern UI mode runs in what is called kiosk mode (essentially this is a command line switch given to iexplore.exe at startup to set what mode it should start in: iexplore.exe –k). I will be trying out Windows 8 Release Preview later this week and I will be sure to test if I can reproduce this behaviour. The Modern UI version of IE should support EMET 3.0 since it is the same .exe file of IE, just launched in a different mode. If it does not support it, this may be due to the already extensive defences of IE 10 in Modern UI mode, namely:

    Defaults to 64 bit High Entropy ASLR (on x64 systems only) via ForceASLR (called mandatory ASLR in EMET 2.1 and 3.0)

    64 bit process (meaning fewer add-ons (fewer vulnerabilities and no DLLs that don’t support ASLR)) and DEP/NX is always on

    x86 shellcode exploits cannot function

    Always on SEHOP

    Enhanced /GS protection (as introduced in Visual Studio 2010)

    All Bottom-Up and Top-Down allocations are now randomized using 8 bits of entropy (presumably this is the same as 8-bit Bottom Up Rand protection of EMET 2.1 and 3.0)

    Full details are available in the following blog posts:

    http://blogs.msdn.com/b/ie/archive/2012/03/12/enhanced-memory-protections-in-ie10.aspx

    http://blogs.msdn.com/b/ieinternals/archive/2011/05/24/shielding-applications-and-browsers-with-the-enhanced-mitigation-experience-toolkit.aspx

    http://blogs.msdn.com/b/ieinternals/archive/2009/05/29/q-a-64-bit-internet-explorer.aspx

    http://blogs.msdn.com/b/ie/archive/2012/03/14/enhanced-protected-mode.aspx

    http://blogs.msdn.com/b/ieinternals/archive/2012/03/23/understanding-ie10-enhanced-protected-mode-network-security-addons-cookies-metro-desktop.aspx

    I hope this helps. Thanks.




    • Edited by JamesC_836 Friday, October 12, 2012 2:51 PM Corrected IE mode naming
    Wednesday, June 20, 2012 9:35 PM
  • Hi harshvardhan92,

    Last weekend I installed Windows 8 Release Preview (Build 8400) in a VM and attempted to reproduce this issue. I succeeded in doing so. Both IE 10 32 bit and IE 10 64 bit are not protected by EMET even when both iexplore.exe executables are added to the EMET applications list. IE 10 in Modern UI mode is 64 bit only.

    Please find below links to screenshots that show the status of EMET (from within EMET_GUI.exe and Process Explorer version 15.2; EMET.dll or EMET64.dll should be loaded by IE 10 on start-up).

    IE 10 64 bit Modern UI Mode: (screenshot)

    IE 10 64 bit Desktop Mode: (screenshot)

    IE 10 32 bit Desktop Mode: (screenshot)

    This is a fresh install of Windows 8 Release Preview which was installed using VMware Workstation 8.0.4 (Build 744019).

    Upon installing Windows 8, I proceeded to install EMET 3.0 by opening a Command Prompt as an Administrator and executing the EMET 3.0 .msi installer. It informed me that the .Net Framework 3.5 SP1 was required to run EMET and asked whether I would like to download it. I accepted, then downloaded and installed the .Net Framework 3.5 SP1.

    I then ran a check for updates using Windows Update and installed all of the offered updates which were (also shown in the screenshot linked to below):

    ----------------------------------------------------------------------------------------

    Security Update for Microsoft Visual C++ 2008 Service Pack 1 Redistributable Package (KB2538243)

    Update for Windows 8 Release Preview for x64-based Systems (KB2718791)

    Update for Windows 8 Release Preview for x64-based Systems (KB2718704)

    Update for Windows 8 Release Preview for x64-based Systems (KB2717246)

    Definition Update for Windows Defender - KB2267602 (Definition 1.129.379.0)

    Screenshot:

    Updates Installed

    ----------------------------------------------------------------------------------------

    I then restarted the computer as directed once the updates were installed.

    I then opened the EMET_GUI configuration tool and added both the 32 bit and 64 bit versions of Internet Explorer 10 to the list of applications to protect with EMET.

    iexplore.exe (location: C:\Program Files\Internet Explorer ) --- (IE 10 64 bit)

    iexplore.exe (location: C:\Program Files (x86)\Internet Explorer ) --- (IE 10 32 bit)

    As the above screenshots demonstrate, EMET is not protecting IE 10 in Modern UI or desktop modes.

    @EMET Support: Please investigate this issue, since according to the following blog post EMET 3.0 works perfectly with Windows 8 Consumer Preview.

    http://blogs.technet.com/b/srd/archive/2012/05/15/introducing-emet-v3.aspx

    For both harshvardhan92 and me, this is not the case. Is this a regression that Windows 8 Release Preview now mistakenly contains?

    ----------------------------------------------------------------------------------------

    My system specification:

    System Model Name: Scan 3XS P67 OC

    Intel Core i7 2600K Quad Core with 8MB Cache, Overclocked (by OEM PC Builder) to 4.7 GHz

    16GB (4x4GB) Corsair Vengeance CML8GX3M2A1600C9 LP DDR3 1600 MHz (CAS 9-9-9-24-2T)

    Asus P8P67 Pro Rev 3.0 (BIOS 1606) (Intel P67 Chipset)

    2x (in SLI) 1536MB EVGA GeForce GTX 580 SC, Factory Overclocked to 797 MHz (GPU), 1594 MHz Shader Clock, 4050 MHz Effective Memory Clock (Nvidia 301.42 WHQL Driver; BIOS Versions (both cards): 70.10.12.00.82)

    Corsair HX1000 1000W Modular Power Supply

    600GB Western Digital VelociRaptor, SATA 6Gb/s, 10000rpm, 32 MB Cache (System Drive)

    2TB Western Digital Caviar Green, 64 MB Cache (Data Drive)

    Coolermaster HAF 912 Plus, Black Mid Tower Case

    LG BH10LS30 - 10x Blu-Ray Writer

    Creative X-Fi Titanium Fatal1ty Professional (Driver: 2.17.0008)

    Dell U2711 27 inch LCD, Connected via Dual Link DVI, Resolution set to 2560x1440

    Windows 7 Ultimate 64 Bit SP1

    ---------------------------------------------------------------------------------------

    Hardware Assigned to the Windows 8 VM:

    2 CPU cores (Intel Core i7 2600K) at 4.7 GHz (Overclocked by OEM PC Builder)

    6 GB of RAM

    VMware SVGA 3D (Microsoft Corporation – WDDM) (with VMware driver 7.14.1.1134, dated 11th Nov 2011)

    Screenshot:

    VMware SVGA 3D Driver

    ----------------------------------------------------------------------------------------

    My EMET Config file:

    <EMET_Apps Version="3.0.0.0">
      <AppConfig Path="C:\Program Files (x86)\Internet Explorer" Executable="iexplore.exe">
        <Mitigation Name="DEP" Enabled="true" />
        <Mitigation Name="SEHOP" Enabled="true" />
        <Mitigation Name="NullPage" Enabled="true" />
        <Mitigation Name="HeapSpray" Enabled="true" />
        <Mitigation Name="EAF" Enabled="true" />
        <Mitigation Name="MandatoryASLR" Enabled="true" />
        <Mitigation Name="BottomUpASLR" Enabled="true" />
      </AppConfig>
      <AppConfig Path="C:\Program Files\Internet Explorer" Executable="iexplore.exe">
        <Mitigation Name="DEP" Enabled="true" />
        <Mitigation Name="SEHOP" Enabled="true" />
        <Mitigation Name="NullPage" Enabled="true" />
        <Mitigation Name="HeapSpray" Enabled="true" />
        <Mitigation Name="EAF" Enabled="true" />
        <Mitigation Name="MandatoryASLR" Enabled="true" />
        <Mitigation Name="BottomUpASLR" Enabled="true" />
      </AppConfig>
    </EMET_Apps>

    ----------------------------------------------------------------------------------------

    The screenshot below shows IE 10 32 bit (Desktop mode), IE 10 64 bit (Desktop) and IE 10 64 bit Modern UI mode running but with no EMET shim being loaded into the iexplore.exe binary file (in virtual memory).

    You can match the Process IDs with the above Process Explorer screenshots to determine which entry corresponds to which version of IE 10.

    EMET Status

    If you require any further information in order to troubleshoot this issue, please let me know.

    Thanks for your time.



    • Edited by JamesC_836 Friday, October 12, 2012 2:52 PM Corrected IE mode naming
    Tuesday, June 26, 2012 8:54 PM
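    The check made above with Process Explorer (is EMET.dll or EMET64.dll loaded into each iexplore.exe?) can also be scripted. The following is an added example, not code from the thread or from EMET; the process name and the "Program Files (x86)" path test used to tell the 32-bit build from the 64-bit one are assumptions based on the two paths listed in the post.

```powershell
# Added example (not from the thread): list every running iexplore.exe and report
# whether the EMET shim is present in its module list, i.e. EMET.dll for a 32-bit
# process or EMET64.dll for a 64-bit process, the check the post makes with Process Explorer.
# Run from an elevated 64-bit PowerShell so both 32- and 64-bit processes can be inspected.
function Get-EmetShimStatus {
    param(
        # Process name to inspect; iexplore is the case discussed in the thread.
        [string]$ProcessName = 'iexplore'
    )
    $procs = @(Get-Process -Name $ProcessName -ErrorAction SilentlyContinue)
    if ($procs.Count -eq 0) {
        Write-Warning "No running $ProcessName.exe process found."
        return
    }
    foreach ($p in $procs) {
        $row = [ordered]@{
            PID          = $p.Id
            Bitness      = 'unknown'
            ExpectedShim = 'unknown'
            ShimLoaded   = $null
            Path         = 'unknown'
            Error        = ''
        }
        try {
            $path = $p.MainModule.FileName
            # Assumption: on x64 Windows the 32-bit build lives under "Program Files (x86)",
            # matching the two paths the post lists in its EMET configuration.
            $is32 = $path -like '*\Program Files (x86)\*'
            $row.Path         = $path
            $row.Bitness      = if ($is32) { 'x86' } else { 'x64' }
            $row.ExpectedShim = if ($is32) { 'EMET.dll' } else { 'EMET64.dll' }
            # -contains is case-insensitive in PowerShell, which suits module file names.
            $names = @($p.Modules | ForEach-Object { $_.ModuleName })
            $row.ShimLoaded = $names -contains $row.ExpectedShim
        } catch {
            # Module enumeration fails for processes we lack rights to (e.g. without elevation).
            $row.Error = $_.Exception.Message
        }
        [pscustomobject]$row
    }
}

# Unprotected processes show ShimLoaded = False, which is what the post's screenshots report.
Get-EmetShimStatus | Format-Table -AutoSize
```

    The PID column lets you match each row against the Process Explorer screenshots the same way the post does.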
  • hi ,

    Hmm, interesting. I wonder if any spyware from Sony is to be found on the computer...

    Nice of you to use some Sysinternals tools to prove the point. Hmm, maybe a full copy of the settings on your computer would be nice for support...

    hmmm going to reproduce this one on sunday

    have a nice day



    Tuesday, July 10, 2012 1:45 PM
  • I have been meaning to tell this for a long time, but due to the lazy Microsoft team I was avoiding it till this time. I was able to protect Java by adding the exes of Java from the Oracle folder in Program Files.

    It would be nice if I could protect Internet Explorer. I have some doubts that this error has something to do with the .Net Framework.

    Anyway I read a report that attacks of stuxnet like viruses could be avoided by using sandboxing so I am currently sandboxing for added protection to Internet Explorer.

    Friday, July 13, 2012 5:40 PM
  • @Dabur972:

    I don’t need to provide a full list of the settings to Support since I changed nothing while setting up Windows 8. Every step that I carried out is detailed in my previous post.

    As for the presence of the Sony BMG rootkit, I remember Mark Russinovich announcing the discovery of this rootkit back in October 2005. According to the following blog post, the Microsoft Malicious Removal Tool was to be updated in order to remove this rootkit in December 2005.

    http://blogs.technet.com/b/antimalware/archive/2005/11/12/414299.aspx

    If you visit the download page of the Malicious Software Removal Tool and examine the release history, you can see that this was indeed added to the tool in December 2005 as promised:

    http://support.microsoft.com/kb/890830

    Malicious software family: WinNT/F4IRootkit
    Tool version: December 2005 (V 1.11)
    Current severity rating: Moderate

    A lot has changed in terms of security since 2005. Windows now has ASLR (Windows 8 incorporates Force ASLR) and SEHOP (IE 9 and IE 10 use SafeSEH), and the stack and the heap of Windows Vista and later are also randomized using ASLR. The fact that we are using EMET also provides the EAF, NullPage, HeapSpray and BottomUpRand mitigations. The 64 bit versions of Windows Vista and later also incorporate Windows Kernel Patch Protection (i.e. PatchGuard), which enforces that all drivers must be digitally signed (although there are some known methods of disabling this). The Sony BMG rootkit (aries.sys) was unsigned (see slide 10 of http://www.slideshare.net/tech2click/rootkit ) and, in addition, as pointed out by Mark Russinovich, the system call table was hooked by this driver, which is no longer allowed by x64 editions of Windows.

    http://msdn.microsoft.com/en-us/windows/hardware/gg487350.aspx

    In other words, this rootkit cannot install itself on Windows 8. You should have checked if this was possible before posting and assuming that my Windows 8 system was infected.

    In addition, the anti-malware signature for the Sony BMG rootkit was added to Windows Defender in December 2005 (an enhanced version of which is now part of Windows 8; I say “enhanced” since the original Windows Defender did not have an anti-virus engine, only an anti-spyware/anti-adware engine). On a fully updated version of Windows 8, Windows Defender found no infection. The July 2012 release of the Malicious Software Removal Tool (which includes a signature for the Sony BMG rootkit) did not detect it, and an up to date version of the Microsoft Safety Scanner also found no infection:

    http://www.microsoft.com/security/scanner/en-us/default.aspx

    In addition, the following steps (obtained from: http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=WinNT%2fF4IRootkit ):

    To check for the presence of aries.sys
    1. Click Start, and click Run.
    2. In the Open text box, type: cmd
    3. Click OK. A command-line shell appears.
    4. At the command prompt, type: dir %windir%\System32\$sys$filesystem\aries.sys
    5. Press Enter. The system displays the name aries.sys if the file is present. Otherwise, the system displays "File Not Found".

    resulted in a "File Not Found" message on my Windows 8 PC, as expected.

    So my system is NOT infected.

    • Edited by JamesC_836 Thursday, July 26, 2012 2:33 PM Added extra info.
    Thursday, July 26, 2012 2:20 PM
  • Hi,

    With some further brief testing, the 64 bit versions of Wordpad and Windows Media Player are now protected by EMET 3.0. The x86 (i.e. 32 bit) version of Windows Media Player also now works with EMET. Wordpad 32 bit crashes upon trying to open it with EMET enabled for wordpad.exe. This tells me that it is not compatible with EMET's default settings; disabling the SEHOP setting for Wordpad.exe (32 bit) resolved the issue and EMET is now working with Wordpad.

    IE 10 32 and 64 bit are still not protected by EMET.

    ---------------------------------------------------------------------------------------

    @harshvardhan92:

    Thanks for your update. I think your idea of using EMET with Java is a really good one; Java is constantly updated to fix security vulnerabilities.

    You don’t need to sandbox Internet Explorer. It already is sandboxed (it has been sandboxed using Protected Mode with IE 7 since Windows Vista). Windows 8 extends this sandboxing in what Microsoft calls Enhanced Protected Mode:

    http://blogs.msdn.com/b/ie/archive/2012/03/14/enhanced-protected-mode.aspx

    MSDN info on Protected Mode:

    http://msdn.microsoft.com/en-us/library/bb250462(v=VS.85).aspx

    http://msdn.microsoft.com/en-us/library/windows/desktop/bb756991.aspx

    You can recognize if Protected Mode is enabled by examining the integrity level of any running iexplore.exe process. As you can see from the first screenshot below, IE 10 64 bit is running with Protected Mode enabled but its integrity for those websites that I had open (2 websites) is Low (but the parent process runs with Medium integrity). Both of the tabs are actually 32 bit processes.

    With Enhanced Protected Mode enabled, I had 3 websites open, and you can see that they are now 64 bit processes and have an integrity level of AppContainer, and so are sandboxed.

    Here is a detailed article on Enhanced Protected Mode and the new integrity level of AppContainer:

    http://blogs.msdn.com/b/ieinternals/archive/2012/03/23/understanding-ie10-enhanced-protected-mode-network-security-addons-cookies-metro-desktop.aspx

    I suspect that EMET is not being enabled for IE 10 due to the new security mitigations that are available in Windows 8 but I would rather hear this from a person who knows the definitive answer rather than me making educated guesses.

    @EMET Support and Microsoft:

    Both harshvardhan92 and I would appreciate clarification on why EMET is not enabled for IE 10 under Windows 8. We wish to know whether this is intentional or a bug in Windows 8 Release Preview.

    If you require any further information, please let me know. Thank you for your time.


    • Edited by JamesC_836 Friday, October 12, 2012 2:44 PM Corrected spelling error
    Thursday, July 26, 2012 2:23 PM
  • Also, EMET 3.5 Tech Preview came out yesterday with new mitigations, and IE 10 is still not working with it.

    I contacted them via the ID given in their help PDF and they replied that they will look into it.

    Thursday, July 26, 2012 5:45 PM
  • Also, EMET 3.5 Tech Preview came out yesterday with new mitigations, and IE 10 is still not working with it.

    I contacted them via the ID given in their help PDF and they replied that they will look into it.

    Hi harshvardhan92,

    Thanks for informing Microsoft of this issue with IE 10. It's great news that they are looking into it. Thanks also for the update about EMET 3.5 Tech Preview, much appreciated :)

    Thursday, July 26, 2012 6:50 PM