Chrome sandboxed

Discussion in 'sandboxing & virtualization' started by Overkill, Jun 25, 2015.

  1. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    In what part of real life do you actually see exploits in action? I've yet to see those "facts" being proven as such. Maybe it's because I don't have time to read every single little detail.

    Oh so you mean exploiting third-party plugins? Flash is indeed the Achilles heel of Chrome as much as they try to protect it. But I don't think any plugin not sandboxed by default should count. Then again, I haven't seen hard evidence SBIE preventing such exploits of Chrome's built-in plugins. Please enlighten us with proven test cases if they exist.

    Automated exploits may not be targeting security products yet, especially something as niche as SBIE, but they're still quite a ways apart from up-to-date real life for most. When you're targeted though, "attack surface" becomes very much real.
     
  2. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Haha. I'd say too theoretical to even touch the realm of possibility. In "another world" though, there would be a lot less redundant questions and points being made. I personally would've stayed out of it and continued editing my first post (after asking you to modify it of course ;))

    Still waiting for Google to fix "Windows 8 mode" on Windows 10, if it remains compatible with HMP.A.
     
  3. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,809
    Location:
    .
    Besides the information provided by members is so interesting and impressive, I believe the title of this thread should be modified to this:
    Just "Chrome sandboxed" doesn't encompass the real intention of this thread's information. This title suggests a discussion of Chrome's built-in sandbox solely.
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes, correct, I was not talking about targeted attacks, but do you really think that those kinds of skilled hackers will only be able to bypass Chrome if SBIE is providing "additional pathways"?
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    It isn't about presenting evidence, it's about understanding how exploits work. The goal is to execute malware with high privileges. That's why Chrome, IE and Edge have implemented internal sandboxes; hackers will now have to look for multiple vulnerabilities to get malware running. So that alone will make it hard to own these browsers.

    But if they do get hacked, it's still game over. SBIE isn't designed to block these exploits, but depending on what type of exploits are used, it will at least be able to contain the malware. It isn't any different than protecting a browser like Firefox which doesn't have an internal sandbox. If you don't see how SBIE is able to defend against browser exploits, then why use it in the first place?
     
  6. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    @Mister X: Although it's the main point, that title will limit other side discussions like the one we had about AppContainer.

    @Rasheed187: Not the only way in most cases, but there is a possibility. Especially if you are using vanilla Windows/Chrome/SBIE.

    Containing the payload huh... Hard to wrap my head around that, but I see your point.
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Here's some info about the latest hacks of IE, Firefox and Chrome. If used in real life, it's hard to say if SBIE would be able to contain the malware, because kernel mode exploits were also used, if I understood correctly. But keep in mind, browser exploits don't automatically bypass third party sandboxes.

    http://www.zdnet.com/article/pwn2own-2015-the-year-every-browser-went-down/
    http://www.zdnet.com/article/crash-bang-boom-down-go-all-the-major-browsers-at-pwn2own/
    http://www.pcmag.com/article2/0,2817,2478524,00.asp
     
  8. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,809
    Location:
    .
    How about:
     
  9. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Then what about other sandboxes? Virtual machines? System virtualization?
     
  10. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,809
    Location:
    .
    Well then you guys are all spoiling the thread with off-topics. I mean the title is about Sandboxie run over Chrome, that's it.
    I'm just trying to find an appropriate title for this thread which encompasses your discussion. Anyone else can help with this. The current title doesn't give any idea of what is being discussed in here.
     
  11. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    The title doesn't say Sandboxie. You're the one trying to make it about only SBIE and Chrome.

    The current title is quite flexible and plenty good enough. And how is any of what I listed off-topic in this subforum?
     
  12. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,809
    Location:
    .
    @J_L
    From post 1:
    So I'm not the only one.

    As for the title, for me it is neither flexible nor good enough. But I'll stop here right now because I see underlying intentions/feelings/emotions in your comments which I don't like at all.

    Nice weekend.
     
  13. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    The OP has rarely ever voiced his opinion, much less against anything but SBIE and Chrome.

    Please don't use such straw man arguments. You cannot get accurate readings of feelings and such just by plain text.

    I had the unfortunate event of such an individual accusing me of using multiple accounts to support myself (outside of Wilders), which is plain nonsense.

    Lastly, if what I said is off-topic, might as well forget comparing other techniques like smart blocker and firejail already posted.
     
  14. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,943
    Location:
    USA
    Is there a point at which this thread gets put out of its misery?
     
  15. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    4,101
    I think the gist of this thread is that Chrome's sandboxing ability is irrelevant and immaterial if Chrome is running in Sandboxie. Basically any browser which is capable of being sandboxed will be protected with or without sandboxing.
     
  16. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    When people stop discussing things fairly civilly (well being blunt is common in this forum) and stop focusing on the technical details.
     
  17. Lagavulin16

    Lagavulin16 Registered Member

    Joined:
    Nov 26, 2014
    Posts:
    195
    Location:
    Emerald City
    No doubt countless poets may feel slighted by that sentiment. :argh:
     
  18. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    4,101
    Interesting to see how this contest would run if Linux machines were used. :)
     
  19. Malwar

    Malwar Registered Member

    Joined:
    May 5, 2013
    Posts:
    297
    Location:
    USA
    Agreed most definitely, especially Chrome OS.
     
  20. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    In other words, you meant to say that Chrome with its own built-in sandbox does not need Sandboxie's protection because running Chrome and its own built-in sandbox inside and under Sandboxie will only decrease the level of Chrome's sandbox protection (because running a sandbox inside another sandbox decreases the protection level, similarly to running an antivirus inside another antivirus, plus the compromising of job objects and integrity levels mentioned by Safeguy)?
     
  21. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    The definite answer is pretty much here answered by Safeguy:
    https://www.wilderssecurity.com/threads/chrome-sandboxed.377440/page-14#post-2511427
     
  22. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Actually, Safeguy actually proved what he said here in this post and ended the entire debate:
    https://www.wilderssecurity.com/threads/chrome-sandboxed.377440/page-14#post-2511427

    If you don't believe it, you can simply check out those links, where users say that Sandboxie does indeed compromise job objects, which again means that Sandboxie does indeed mess with and decrease Chrome's own built-in sandbox security/protection.
     
  23. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Actually from what I interpret, he meant that it doesn't matter if you sandbox Chrome (to the extent that the built-in sandboxing is "irrelevant and immaterial"); and all browsers will be protected by SBIE built-in sandbox or not.

    In general and currently ITW that is the case, but only if you actually need SBIE's protection (of which I already listed virtually all the reasons for).
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I know how you feel, I think there's not much left to be said, it would be like beating a dead horse. :D

    Actually, we should have stopped a few pages back. But I think most of us (including me) continued to post because we felt that we were misunderstood. I was also trying to get to the bottom of this "added attack surface" thing, and if it makes sense to worry about it.

    I don't know anything about Linux, so I haven't got a clue. But to me it was interesting to see that getting code execution with at least medium integrity (outside the browser's sandbox) was considered to be a successful hack. There's a big chance that SBIE would have been able to contain this payload.
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Well yes, that was indeed my main point. At the end of the day, it's SBIE which should keep the system safe. But most of the discussion was mainly about which "risk assessment" makes more sense.

    Actually, I'm hoping that he and perhaps others like Hungry Man will make a comeback, to answer my last questions, so that we can all learn from this thread. Like I said, it's highly unlikely that hackers will write exploits that will only work when Chrome and SBIE are combined. It wouldn't make a lot of sense.

    https://www.wilderssecurity.com/threads/chrome-sandboxed.377440/page-15#post-2512028
    https://www.wilderssecurity.com/threads/chrome-sandboxed.377440/page-15#post-2512029
     