I Can See Underbelly Of The Net With SANDBOXIE!!

Neither your AV, HIPS or FW.

XSS events without involvement of the local filesystem

 

Thanks Lucas,

Well, this is again something that requires a script to be executed within the web browser, it also requires the web browser to have auto password input enabled.

Using Firefox with NoScript would have blocked the event, as the script would have to be authorized prior to it being able to perform the task. this would have allowed the user to easily identify the spoof. Since this is via a spoof site, there are multiple method to defend against such...

This is another reason I recommend on my site that users should use the following:

1- Firefox + Noscript ( Would have blocked the script from executing in the first place)
2 - Linkscanner Pro ( It would have pre scanned the site for XSS and weird scripts and issues a warning if not outright blocked it)
3 - McAfee Site Advisor (Would have issued a Red Flag as others might have already been hit and may have reported it already - or blocked it as well)
4 - Run the whole thing inside a sandbox

As these effectively combat those types of infections, one sort works as a failsafe for the other. I know it sounds rash, but it is effective nonetheless.

Sometimes when I visit sites and I'm unsure, I'll even open it in firebug to read the script first just to be safe... ( You can still read blocked scripts)
for those interested in learning about scripts: Http://www.getfirebug.com

 

If Firefox and Noscript does its job properly and I think it does then as far as XSS is concerned does Sandboxie add anything ?

 

Well, I think the issue, is that your web browser is not the only applications you could run inside of a sandbox... I run winamp and some other tools. It is an awesome system against executables one downloads into the system...

I think though that the use of a sandbox alone is over rated given that there are many reasons why users would want to download and try applications on their computers... Its necessary for most to have a good av besides the tools I stated above as a result, besides the obvious risks associated with web browsers and their latent vulnerabilities... Even as they run within a sandbox.

 

Not really. Crossing the boundaries of domain restrictions means that a site performing XSS can grab info from the cookies (example, the login credentials of forums or something more serious) without any auto-filler involved.
As you said, NoScript is the best (and only?) protection against these threats. A tight firewall ruleset helps against some types of XSS and common sense also helps (don't click on random links even if they are from reputable sites)

In theory no. But you can make a mistake with NoScript and if remote code execution takes place, SBIE (or another sandbox) will contain the dropped files inside the container.

 

Personally I believe, some body can be quiet safe even with a single security application. All that matters is how u use ur PC. I don,t mind if some one feels him safe only with a single appication.

As lucas posted. XSS can steal data without executing any thing (just by browser JS).

It,s not long ago when there was a POC posted by some memeber on ZoneAlarm site.

 

Yes but a script must be processed by the browser to extract the data and use it... that event must be interpreted by the browser, and as such easily blocked by Noscript. Given that the user does not authorize the script he is fine.

Good advice!
Actually Linkscanner Pro does offer XSS protections, and it has a black list as do SiteAdvisor, they will protect you but with a bit of laag.

Just a passing remark, I had my first SQL Injection attack on my web site 2 days ago... Easily blocked, and now run rabbit run!
The point is that they are scanning for any vulnerabilities they can exploit...

 

Correct. If it doesn't execute (browser scripts, system scripts, macros, binaries/executables) it can't do any harm.

The database of SiteAdvisor is pretty much obsolete (excepting the obvious crack/warez/porn sites). It's way behind the speed of the movements of the malware crocks.
I also doubt that Link Scanner will detect a simple redirect script on a trusted site if it doesn't involve remote code execution.
XSS open a whole new kind of threats, web-based threats (and multi-platform) which can be made very specific and target small subsets of populations. Most users still think of the threat of remote code execution (i.e. dropping/launching a new, unauthorized executable) when the next generation of threats is already present.

 

Hope that your hosting provider has a speedy patch policy and a stringent password policy at least.

 

Executed no... but Interpreted yes.
See no matter what the script is... It's a text file or a simple block of embedded text, we can refer to it as a script... the browser must interpret that text to understand what it is...

Each script must identify themselves to the browser for the browser to know what engine to feed it too, ie Java, VB, Ajax or flash and so on... This is where NoScript intercept the scripts, right at it's opening statement...

It's a wonderfully simple way to provide protection... isn't it? Nip it right in the bud...

 

A run tool that records all the injection attempts, and documents them as well as block them...

These bozos are gonna be famous!

 

I have been wondering a bit about the laag behind Linkscanner Pro in detection rate... I find it misses roughly 40 % of the infected/Bad sites I visit.
Still it catches quite a few considering the nature of what it does...

 

Yup, Link Scanner is way ahead of the competition (simple databases like SiteAdvisor) but I don't know how many exploit sites it miss. I think that LS is a good tool for those who don't use NoScript or surf the web wildly.

 

Hello Pete,
I guess you must be using virusttotal.com or jyoti to scan executables you need extracted from the sandbox?

 

So very true. How can you tell if something contains a virus when you recovery it from the Sandbox. I scan all files before opening or executing.

 

I am using only CFP n GW.

I have to stop myself from adding TF to this set up. I am happy to cut it down to two only.

 

Downloading WindowBlinds skins and wallpapers and Nvidia drivers at a rate of 5 per day is not "tons of stuff", it's milligrams. And it is not "The underbelly of the web" by any measure. If you want to scan it, then fine. But you are tearing up an entire program based on some perceived problem that has about as much likelihood of happening as hitting the lotto at exactly 2:00PM on Tuesday. I have downloaded many programs from trusted sites and vendors and never once had a problem. Am I saying to discard those things? No, of course not. But around here it is the Holy Grail - "OMG, how would you know?” How would you know even after scanning? Let me know when scanning an executable from a known trusted site or vendor site turns up a virus alert. And I will show you a false positive. Besides all of that, most 'normal' users are up to speed on the programs they enjoy and don't actually install 'tons of stuff' everyday.

It's web browsing and email attachments and zero day exploits where the problems are. And coincidentally are the primary strengths of Sandboxie.

 

Read my other posts. I use web based email which is safer then pop3. I also surf everything and download mp3's and torretns. Not one infection. I did download a Windowblinds skin about 6 years ago or so and it contained a virus. I got it from skinbase.org and not Wincustomize. I emailed skinbase and the next day they were flooded with complaints so they took the file down. Ever since I scan everyting no matter what it is. I was also using Mcafee back then and not NOD32 like I am now.

 

Not anymore. IE7 is, even out of the box, immune to many arbitrary code execution exploits. Even with a copy of IE6 + OE6 gone unpatched for six years, I have to do real work finding an exploit that works.

The shift has gone into social engineering, because exploits aren't working with much reliability anymore, even on systems with minimal security patches. Ecards, porn video codecs and rogue antispyware apps are all the rage these days.

 

Agreed! I don't get into that as much for fear of the Fx thought police. I, and every company that I deal with, use IE. And every computer person on staff at those company's recco IE. I actually do not trust Microsoft as far as I could throw them and would probably use Opera, all things being equal. But with the addition of Sandboxie, I see no compelling reason to change.

 

The bad guys are releasing poor code, no doubt
It seems that the bad guys put too much work on the payload (surviving, snooping, networking, etc) than on coding good exploits. Then, they rely on exploit toolkits for the distribution of their masterpieces.

And these are good news to security-savvy people, because avoiding the rogue codecs, the fake ads and the phony links/attachments protects you against a good amount of malware.

 

There's always idiots and amateurs in every field. For the really dumb ones, you have to laugh because otherwise you'll cry. For instance, I once saw a Themida-repacked Hupigon variant where the user had apparently used a trial version of the packer, and the Themida splash screen reminding the user to buy the full version was prominently displayed when I tried to execute the trojan.

There's still good exploit code out there. Some VERY good ones that I have to spend weekends puzzling over how to decrypt. And even then, most of the poorly-obfuscated ones DO work when they're put against a vulnerable system (trust me, anyone with half a brain cell tests their stuff before releasing it), it's just that vulnerable systems are getting more and more rare.

 

LOL

Well, if the default ICF of XP SP2 meant the end of network worms, widespread adoption of automatic updates could spell the end of uber easy and high profit exploits.