hake

Honorary Members
  • Posts

    629

Everything posted by hake

  1. Thank you Pedro. I hope that my musings, ravings and ramblings provide some extra insights which add knowledge. I now embark on my progress to a double century. In Office 97, MSOFFICE.EXE is the executable which, basically, manifests itself as a button bar on the desktop. I have just decided to cease using this button bar altogether (after 17 years) on suspicion that running MSOFFICE.EXE was causing an obscure problem with Experimental MBAE 1.05.3.1011. My suspicions have been rewarded as, although my previous changes had improved matters, glitches still occurred, manifesting themselves by Office 97 applications being unresponsive. Those occasional glitches seem now to have ceased.
  2. Office 97 Sorted! The cause was that I had included the OSA.EXE and MSOFFICE.EXE processes in EMET. In spite of them not being directly involved with MBAE, removing them from EMET seems to have eliminated the problem. Experimental MBAE now protects my Windows XP Office 97 applications and with the additional protection bestowed by Experimental MBAE. Note that the relevant system lacks hardware support for DEP so DEP enforcement by Experimental MBAE causes Office 97 no problems. My experience is that MBAE tolerates the following mitigations in EMET, namely DEP, SEHOP, NullPage, HeapSpray and BottomUpASLR but NOT EAF. For those systems which support it, the MandatoryASLR mitigation is also tolerated by MBAE. All the ROP mitigations are NoNos regardless of whether the operating system is XP or later except for Opera 12.17 64bit which runs quite happily protected by MBAE with ALL EMET mitigations in effect on Windows 7 64bit.
  3. There is a significant difference between Opera 12.17 32bit and the 64bit version. The 64bit version uses a separate plugin wrapper executable and the 32bit version does not. There was one in the 32bit version but it was dropped after Opera 12.02. I notice that I can enable all the EMET 5.1 mitigations for Opera 64bit including all the ROP mitigations but this cannot be done with the 32bit version which takes care of plugins in the browser executables.
  4. Quick retraction: Opera 64bit terminates, Opera 32bit will not unless assisted by Task Manager. Wish I could edit my posts.
  5. Opera 12.17 64bit version installed. Mysteriously the 32bit Opera now terminates. Hmmmmm,
  6. Another afterthought: Office 97 runs code in the data segment and also the dynamic application heap. If DEP is enforced, I expect that Office 97 will down tools. I haven't actually tested this hypothesis because all my hardware is prehistoric (no Nx bits) except for my Win 7 system which is a mere eight years old.
  7. I should add that Office 97 works fine with Experimental MBAE 1.05 when used normally. OnlineArmor has a very useful feature for XP users which enables applications to be selectively run as default in user mode, assuming that OnlineArmor is running. Alas OnlineArmor will not run without problems in company with Agnitum Outpost Security Suite Pro otherwise I wouldn't be writing this. Ain't it complicated to get these security enhancers to behave properly with each other.
  8. Excel, OFFICE 97

     I have figured out my problem with Office 97 but there is no ready ideal solution. Using Windows XP, it is not simply practical to run in user mode so a couple of years ago I contrived a way to mitigate the hazards of running in admin mode. I use DropMyRights to run Word, Excel, etc., and also to run Directory Opus 6.2.15 (dopus.exe), a very nice alternative to Windows Explorer, which allows me to open MS Office documents in user mode. It's not perfect but it works. This arrangement worked with MBAE 1.04.1.1012 (and previous) but not with Experimental MBAE 1.05.3.1011. I accept this and have deactivated the three MS Office shields in MBAE. This permits me to enable all mitigations in EMET 4.1u1 for winword.exe, etc., in some compensation for doing without MBAE MS Office protections. I may work out a solution in due course but I'm not holding my breath. I am letting you know this in order to spare you further distraction of trying to figure out why MBAE should have a problem with MS Office 97.

     OPERA 12.17

     I have not yet discovered the circumstance causing the puzzle of Opera 12.17 (32bit) with Windows 7 (64bit). I have a 64bit installation executable for Opera 12.17 and believe that both 32 and 64 bit versions can be installed at the same time. Pity there seems to be no way of transferring my customisations for the 32bit version to the 64bit one.
  9. From using the experimental MBAE, I believe that the end of the road has been reached for Office 97 (NOT the Diamond Jubilee Edition of 1897) and Opera 12. Any future protection will need to be achieved through EMET I think. One particular problem for Office 97 would be with hardware supporting DEP and I had hoped that my dear old non-Nx 32bit Athlon XP 3000+ which powers my XP system would be immune, being incapable of giving effect to enforced DEP. Sadly, other mysterious circumstances have put a spoke in the Office 97 wheel, hardware DEP or not. I would be pleased to hear that others might have had more success than I with Opera 12 which process seems unable to terminate when running on Windows 7 64bit. This is the 32bit version so maybe the 64bit version will prove more amenable to MBAE 1.05.3.1011. It's probably not fair to expect compatibility between MBAE and obsolete but still really useful software and Opera 12 is such a deuce of a nice web browser. Shame that Opera went Chrome.
  10. MBAE 1.05.3.1010 works fine with Win7(64bit), Google Chrome, Trusteer Rapport, Avast 10.0.2208 and OnlineArmor. Are you using Avast 10 and if so have you disabled HTTPS scanning in Web Shield?
  11. I have experienced the same with Windows 7 64-bit with Java 7u67 32-bit. I no longer have access to the computer. I had installed Anti-Exploit free 1.04.1.1012 for a friend.
  12. I omitted to say that I infer from my observations with MBAE Premium that if the Adobe Reader shield is active then that shield takes precedence over the MBAE browser profile when the Adobe Reader plugin is in use.
  13. Thank you Pedro. I take it that the browser protection profile doesn't care if the plugin used to process the PDF is from Adobe Reader, Sumatra, Foxit or Google Chrome's PDF processor.
  14. The proposition is that I am using MBAE Premium with the Adobe Reader shield DEACTIVATED and Adobe Reader XI is mitigated by EMET 4 (or later) with all mitigations (plus Deep Hooks, Banned Functions and Anti Detours) enabled. I open a PDF document in my web browser (say Opera 12.17 or Google Chrome) and Adobe Reader (in protected mode as I ALWAYS configure it) does not crash. Yet if I were to ACTIVATE the Adobe Reader shield in MBAE Premium then opening PDF documents in either a web browser (using Adobe Reader plugin) or using the Adobe Reader XI application would both crash Adobe Reader when it is running in protected mode. This suggests that a different protection is provided by MBAE when Adobe Reader shield is enabled in MBAE Premium compared to when it is not. I would have presented this follow-up question much earlier but it has taken some days for my feeble mind to compose it precisely and unambiguously.
  15. I assume that MBAE free will not protect the standalone Adobe Reader but does it mitigate attacks on Adobe Reader in its browser plugin incarnation?
  16. Does MBAE Premium protect Adobe Reader 11.0.08 (previous version) from the attacks described as vulnerabilities that could lead to remote code execution and a sandbox bypass vulnerability plus another security hole that could potentially crash systems? Today's Adobe Reader 11.0.09 update patches Reader to eliminate these vulnerabilities. Adobe has 'helpfully' disabled the Reader update mechanisms on Windows XP (Help menu update check does not work and I believe that the AdobeArm automatic update also does not function). Thus I need to visit the home of an XP system that I assist (support is too strong a word) to run the downloaded .msp installation executable. Hence this enquiry.
  17. Is the counter an integer? I assume that it is a simple counter not used to index memory and it would be theoretically possible to wrap round to a negative if the operating system is not restarted every decade or so.
  18. Thank you Pedro. That is the confirmation I wanted to read.
  19. Does MBAE guard against the effects of malicious Javascript or VBScript code? Does it also detect and prevent the effects of drive-by downloads?
  20. There is now a decrypt rescue service which might be of incidental interest. See http://grahamcluley.com/2014/08/fix-cryptolocker-files-free/
  21. The 'free' form of Experimental version 1.04.1.1006 will receive an activation code and, lo and behold, it becomes 'premium'.
  22. Outlook Express, Mozilla Thunderbird - both defined as browser

      Comodo Dragon

      A copy of the Comodo Dragon .exe file is named chrome.exe. I do this because Agnitum Outpost Firewall recognises chrome.exe as a protected application so on systems with Outpost Firewall, I run Comodo Dragon thus.
  23. Thank you Pedro. MBAE is obviously therefore the antidote for unpunctual Adobe Flash updates.