Wilders Security Forums  

#26 | m00nbl00d | April 10th, 2012, 09:16 PM
Re: What would you run with WSA Essentials and Sandboxie?

Quote:
Originally Posted by Page42
One month ago a student used a cross-site scripting exploit and "bad history navigation" (whatever that is) to escape Chrome's sandbox. You may recall, this was at Pwn2Own. Another vulnerability was also found by a security firm that bypassed Windows-based safeguards such as DEP and ASLR. They were then "able to exploit a vulnerability found in the default installation of Chrome which also allowed them to escape Chrome's sandbox". Noted here.

I use Chrome browser, and I'm pleased that they are patching vulnerabilities, but I wouldn't let Sandboxie go.

You do know that I'm a Sandboxie user. I use it less and less, though. But, anyway... Considering that Google Chrome is used by millions of users, is actually a pretty good view, isn't it? And, any bypass/break happening, is actually a chance for Google to improve its already great sandbox.

On the other hand, I've seen, including in this same forum, many make the claim that they test lots of malware samples against Sandboxie, and none managed to break out.
Well, that's all peachy... but, what's the real % of malware samples that were actually developed, having as their target Sandboxie? I'd say 0% of them.

And, as Kees1958 mentioned, Sandboxie has been bypassed in the past...

Anyway, as Kees1958, I do hope that Sandboxie gets the needed change.
#27 | bo elam | April 10th, 2012, 09:58 PM
Re: What would you run with WSA Essentials and Sandboxie?

Quote:
Originally Posted by justenough
What do you think would be good to run alongside those two programs?

Nothing.

Bo
#28 | justenough | April 11th, 2012, 07:18 AM
Re: What would you run with WSA Essentials and Sandboxie?

Quote:
Originally Posted by Kees1958
I hope Tzuk changes SBIE to not remove the low rights token. After all he added Drop Rights after a while back in XP days (maybe my rants against running weak threat gate applications with high level/admin rights have contributed to this). Just tell Tzuk some idiot is criticizing his beautiful application because removing the low rights sandbox of IE and Chrome is really making no sense at all.

About this paragraph, tzuk said this at the Sandboxie forum: "The statement you quote is no longer true. You can use Process Explorer to see that the security context of Chrome processes is the same whether running inside or outside the sandbox."

So I am back where I was when I started the thread, using Sandboxie, WSA-E and Chrome, with Kees1958's suggestions for setting up WSA-E. This might be my favorite security setup ever. What would make it better? Bo gets right to the point: "Nothing."
__________________
Sandboxie WebrootSA
MBAM HMP EEK SecuniaPSI
Router Win7x64FW NortonDNS Chrome: WOT Ghostery AB LastPass
MacriumReflectPro pluginHD & rescue disks
#29 | chris1341 (Scotland) | April 11th, 2012, 08:30 AM
Re: What would you run with WSA Essentials and Sandboxie?

Quote:
Originally Posted by Tzuk
The statement you quote is no longer true. You can use Process Explorer to see that the security context of Chrome processes is the same whether running inside or outside the sandbox.

Interested to know what that means. Does it mean SBIE now recognises and replicates Chrome's low integrity flag inside the sandbox or not? Does security context mean the same thing? I don't see it in Process Explorer but realise that can sometimes be misleading.

Regardless I'll continue to sandbox browsers, including Chromium based variants. Properly configured SBIE makes up for any loss associated with diluting the Chrome sandbox through raising integrity levels IMO.

Quote:
Originally Posted by justenough
What would make it better? Bo gets right to the point: "Nothing."

Exactly!

NB - reading SSJ100's comments on the SBIE forum in the thread you reference where he rants about 'self-proclaimed experts' made me laugh. This from a guy who has his own forum giving out advice! - 'Oh wad some power the giftie gie us, To see oursel's as others see us!'
__________________
Chris
#30 | m00nbl00d | April 11th, 2012, 10:31 AM
Re: What would you run with WSA Essentials and Sandboxie?

Quote:
Originally Posted by justenough
About this paragraph, tzuk said this at the Sandboxie forum: "The statement you quote is no longer true. You can use Process Explorer to see that the security context of Chrome processes is the same whether running inside or outside the sandbox."

[...]

That seems to be the case! I downloaded the most recent stable version, and then ran it in a sandbox, and according to Process Explorer, the renderer processes do run at low integrity level.

Adobe Reader X also seems to run at low integrity level, as well. I monitored it some time ago, and according to Process Explorer, sometimes it would get a low, and other times it would get a medium. But, it seems to always be at low integrity level now.

Can anyone test Internet Explorer 9?

-edit-

So, at least in what comes to Google Chrome and Adobe Reader X (I don't know about Internet Explorer), we have two sandboxes. But, one problem still remains - Sandboxie lacks ASLR support, and it does inject a dll into chrome.exe, to run it in the sandbox. Hopefully, this will happen too - supporting ASLR.

-edit 2-

Can anyone give it a run with Firefox and this version of Adobe Flash Player - http://labs.adobe.com/downloads/flashplayer11-3.html (This version runs in a sandbox. I'm wondering if Sandboxie breaks it? If it does, this means that Sandboxie doesn't truly mirror integrity levels into the sandboxes, it just works with those of Google Chrome and Adobe Reader X (perhaps also Internet Explorer 9))

Last edited by m00nbl00d : April 11th, 2012 at 10:47 AM.
#31 | m00nbl00d | April 11th, 2012, 11:16 AM
Re: What would you run with WSA Essentials and Sandboxie?

I did a small test. This is actually something I noticed happening last year. I got my Downloads folder @ a low integrity level. Any file I have there inherits the low integrity level.

I downloaded a zip file, and saved it there. I checked the integrity level, and of course it inherited the low integrity level.
Then, I opened the zip file with 7-zip, which is being forced to run in a sandbox. I extracted the contents of the zip file, which is an *.exe and *.txt file, and the files now have a default medium integrity level.

So, Sandboxie still doesn't mirror integrity levels into the sandboxes. It just works with Adobe Reader X and Google Chrome's sandboxes (maybe also with IE9's Protected Mode?), but that's it. Other than that, it still effectively breaks Windows Vista and Windows 7 MIC.
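
Added example, not part of the post above: the same check (does a file under a low-integrity folder carry the folder's label?) can be scripted by reading the "Mandatory Label" line that icacls prints for a labelled object. The paths, account names and sample output are constructed, and the helper names are hypothetical.

```python
import re

# Matches the integrity label entry icacls prints for a labelled object,
# e.g. "Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)".
LABEL = re.compile(r"Mandatory Label\\(.+?) Mandatory Level:((?:\(\w+\))+)")

# Constructed sample: captured `icacls <path>` output keyed by path.
SAMPLE = {
    r"C:\Users\me\Downloads": r"""
C:\Users\me\Downloads PC\me:(OI)(CI)(F)
                      Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)""",
    r"C:\Users\me\Downloads\tool.zip": r"""
C:\Users\me\Downloads\tool.zip PC\me:(I)(F)
                               Mandatory Label\Low Mandatory Level:(I)(NW)""",
    r"C:\Users\me\Downloads\tool\setup.exe": r"""
C:\Users\me\Downloads\tool\setup.exe PC\me:(I)(F)""",
}

def integrity_label(icacls_text):
    """Return (level, flags, explicit) for one object's icacls output.

    An object without a label entry is treated by Windows as Medium, so it
    is reported as ("Medium", [], False) rather than as an error.
    """
    m = LABEL.search(icacls_text)
    if not m:
        return ("Medium", [], False)
    return (m.group(1), re.findall(r"\((\w+)\)", m.group(2)), True)

def not_mirrored(outputs, folder):
    """Paths below `folder` whose level differs from the folder's label.

    Only meaningful when the folder label is inheritable: (OI) for files,
    (CI) for subfolders. Otherwise children are not expected to carry it.
    """
    level, flags, explicit = integrity_label(outputs[folder])
    if not (explicit and {"OI", "CI"} & set(flags)):
        return []
    prefix = folder.lower() + "\\"
    return sorted(p for p, text in outputs.items()
                  if p.lower().startswith(prefix)
                  and integrity_label(text)[0] != level)

if __name__ == "__main__":
    for path, text in SAMPLE.items():
        print(path, integrity_label(text))
    print("not mirrored:", not_mirrored(SAMPLE, r"C:\Users\me\Downloads"))
```
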
#32 | Kees1958 | April 11th, 2012, 02:24 PM
Re: What would you run with WSA Essentials and Sandboxie?

Yeah, congratulations to Tzuk and Sandboxie. IMO this raised the bar for malware to come through (dealing with low rights, SBIE and UAC)

compliments
#33 | Page42 (Last Breath Farm) | April 11th, 2012, 02:27 PM
Re: What would you run with WSA Essentials and Sandboxie?

Quote:
Originally Posted by justenough
What would make it better? Bo gets right to the point: "Nothing."

Bo knows.
__________________
To err is human; to forgive, infrequent. - Franklin P. Adams
#34 | m00nbl00d | April 11th, 2012, 02:35 PM
Re: What would you run with WSA Essentials and Sandboxie?

Quote:
Originally Posted by Kees1958
Yeah, congratulations to Tzuk and Sandboxie. IMO this raised the bar for malware to come through (dealing with low rights, SBIE and UAC)

compliments

Well, he still needs to support ASLR, and to actually globally mirror the integrity levels in the sandboxes. But yes, this is very welcome.
#35 | m00nbl00d | April 21st, 2012, 08:06 PM
Re: What would you run with WSA Essentials and Sandboxie?

Apparently, Adobe Reader X Protected Mode no longer works in Sandboxie. Both the latest stable version, and the most recent beta version.

I did recently install the latest Adobe Reader X version.

-edit-

I also tested in a Default sandbox. Same result.

All times are GMT -4.