Is Google Chrome truly that vulnerable?

Discussion in 'other anti-malware software' started by CoolWebSearch, Jul 6, 2014.

  1. Yes and No :)

    Broker runs in LOW integrity rights whereas Chrome broker runs in MEDIUM IL [YES], only SBIE itself runs in HIGH IL so when SBIE sandbox and OS-container is broken attacker runs with HIGH (admin level) rights [NO]

    My opinion:
    SBIE + Chrome : I would not use SBIE, but use it when you feel safer
    SBIE + IE: for dodgy browsing might be a good practice (ad hoc usage)
    SBIE + FF: smart idea since FF lacks a low rights container/sandbox (real time usage)
     
  2. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,885
    Location:
    Slovenia, EU
    In theory it could interfere with Chrome's built-in sandbox. A successful exploit that targets SBIE would probably allow escape from Chrome's sandbox also. This is of course in theory, as I don't remember any SBIE or Chrome sandbox exploits being used ITW.
     
  3. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Of drive-by attacks against Chrome, I'd guess the Java plugin would be your biggest worry, statistically speaking. That seems to be the way the system was infected in the blog post "Chrome dances with wolves".
     
  4. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Once again, it potentially increases attack surface. But I feel the discussion is going around in circles now. :)
     
  5. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    I can think of a few reasons why it is safer to run Chrome under Sandboxie. For example, Chrome users who open an infected webmail attachment get infected if their antivirus doesn't do anything. But if they run Chrome under Sandboxie, the infection is gone when the sandbox gets deleted. Another one: using third party plugins like Java or Silverlight in Chrome isn't safe if you get hit by an infection. But if you are running Chrome under SBIE, then again, the infection is contained and gone when the sandbox is deleted.

    Bo
     
  6. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    Interesting until it becomes an advertisement for Bromium's vSentry, and it's especially cheesy when they end it with "Perhaps, Chrome should dance with Bromium." :rolleyes:
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I must have missed this info, and yes I agree, too many questions and too many answers, I cannot keep up with it anymore. So an "end conclusion" would be nice.

    Yes I agree, I wonder what is so special about this exploit, that it manages to "bypass AV, sandboxes and firewalls". Apparently it can bypass the sandbox in Chrome, but can it also bypass apps like SBIE, HIPS and specialized anti-exploit tools? That would be nice to know.
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Candidly I get a little annoyed with this Bromium stuff. They do all this stuff to show nothing but their stuff works, and then you can't get any info or anything about their product.
     
  9. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Maybe nothing special. Post #43 in this 2011 thread demonstrated Java malware bypassing Chrome's sandbox. This shouldn't be surprising, given that Sandbox FAQ states:
    (My bolding.)
     
  10. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Hence my reasoning for using PPAPI plugins only and disabling any NPAPI plugins. NPAPI deprecation is getting close to final stages now anyways. The PPAPI plugins remain fully sandboxed and follow proper specifications. And with Native Client being PPAPI as well it should be interesting to see what comes of that, with news lately of running Android apps in Chrome and so on. That should test the sandbox security pretty good though, surely.
     
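As an added illustration of two points raised in this thread, the integrity levels mentioned in post 1 and the sandboxed (PPAPI) versus unsandboxed (NPAPI) plugin processes in post 10, here is a small Python script written for this page (not code from the thread, from Chrome or from Sandboxie). It lists every chrome.exe process with the role taken from its --type switch and the integrity level of its token, read with GetTokenInformation(TokenIntegrityLevel) and mapped from the mandatory-label SID. Assumptions: Windows with wmic.exe available, Chrome's --type values (renderer, gpu-process, plugin for NPAPI, ppapi for PPAPI), and the standard Windows RID-to-level mapping; the wmic output embedded in SAMPLE_WMIC is constructed, not captured from a real machine. The parsing and classification helpers run on any platform; only the live token lookup needs Windows.

```python
import ctypes
import re
import subprocess
import sys

# Mandatory-label RIDs (S-1-16-<rid>) as defined by Windows.
INTEGRITY_LEVELS = {0x0000: "Untrusted", 0x1000: "Low", 0x2000: "Medium",
                    0x3000: "High", 0x4000: "System"}


def integrity_name(rid):
    """Map a mandatory-label RID to a level name; in-between values such as
    0x2100 ('Medium Plus') round down to the level below them."""
    name = "Untrusted"
    for base in sorted(INTEGRITY_LEVELS):
        if rid >= base:
            name = INTEGRITY_LEVELS[base]
    return name


def integrity_from_sid(sid):
    """Integrity level from a mandatory-label SID string like 'S-1-16-4096'."""
    m = re.fullmatch(r"S-1-16-(\d+)", sid)
    if not m:
        raise ValueError("not a mandatory label SID: %r" % sid)
    return integrity_name(int(m.group(1)))


def chrome_role(cmdline):
    """Role of a chrome.exe process from its --type switch; the process
    without --type is the browser (broker) process."""
    m = re.search(r"--type=([\w-]+)", cmdline)
    return m.group(1) if m else "browser"


def parse_wmic_csv(output):
    """Parse 'wmic process where name='chrome.exe' get CommandLine,ProcessId
    /format:csv' output (columns Node,CommandLine,ProcessId) into (pid, cmdline)
    pairs. A command line may itself contain commas, so split off the first
    and the last field instead of using a CSV reader."""
    rows = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("Node,"):
            continue
        _node, rest = line.split(",", 1)
        cmdline, pid = rest.rsplit(",", 1)
        rows.append((int(pid), cmdline))
    return rows


def token_integrity_sid(pid):
    """Mandatory-label SID string of a process token (Windows only, ctypes).
    Returns None when the process cannot be opened or queried, e.g. a
    higher-IL process from a non-elevated shell."""
    PROCESS_QUERY_LIMITED_INFORMATION, TOKEN_QUERY, TokenIntegrityLevel = 0x1000, 0x0008, 25
    k32, adv = ctypes.windll.kernel32, ctypes.windll.advapi32
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.OpenProcess.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_uint32]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    adv.OpenProcessToken.argtypes = [ctypes.c_void_p, ctypes.c_uint32, ctypes.POINTER(ctypes.c_void_p)]
    adv.GetTokenInformation.argtypes = [ctypes.c_void_p, ctypes.c_int, ctypes.c_void_p,
                                        ctypes.c_uint32, ctypes.POINTER(ctypes.c_uint32)]
    adv.ConvertSidToStringSidW.argtypes = [ctypes.c_void_p, ctypes.POINTER(ctypes.c_wchar_p)]
    hproc = k32.OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, 0, pid)
    if not hproc:
        return None
    htok = ctypes.c_void_p()
    try:
        if not adv.OpenProcessToken(hproc, TOKEN_QUERY, ctypes.byref(htok)):
            return None
        size = ctypes.c_uint32(0)  # first call only reports the needed size
        adv.GetTokenInformation(htok, TokenIntegrityLevel, None, 0, ctypes.byref(size))
        buf = ctypes.create_string_buffer(size.value)
        if not adv.GetTokenInformation(htok, TokenIntegrityLevel, buf, size.value, ctypes.byref(size)):
            return None
        # TOKEN_MANDATORY_LABEL starts with SID_AND_ATTRIBUTES { PSID Sid; DWORD Attributes; }
        psid = ctypes.cast(buf, ctypes.POINTER(ctypes.c_void_p))[0]
        sid_str = ctypes.c_wchar_p()
        if not adv.ConvertSidToStringSidW(psid, ctypes.byref(sid_str)):
            return None
        value = sid_str.value
        k32.LocalFree(ctypes.cast(sid_str, ctypes.c_void_p))
        return value
    finally:
        if htok:
            k32.CloseHandle(htok)
        k32.CloseHandle(hproc)


def report(rows, lookup):
    """Pair each (pid, cmdline) with its role and integrity level; `lookup`
    returns the token's mandatory-label SID or None."""
    out = []
    for pid, cmdline in rows:
        sid = lookup(pid)
        out.append((pid, chrome_role(cmdline), integrity_from_sid(sid) if sid else "unknown"))
    return out


def chrome_processes_live():
    """Windows only: query wmic for chrome.exe and report role and IL."""
    cmd = ["wmic", "process", "where", "name='chrome.exe'", "get", "CommandLine,ProcessId", "/format:csv"]
    out = subprocess.run(cmd, capture_output=True, text=True).stdout
    return report(parse_wmic_csv(out), token_integrity_sid)


# Constructed sample of wmic CSV output (not captured from a real machine).
SAMPLE_WMIC = (
    "\r\nNode,CommandLine,ProcessId\r\n"
    'PC1,"C:\\Chrome\\chrome.exe",1000\r\n'
    'PC1,"C:\\Chrome\\chrome.exe" --type=renderer --lang=en-US,1001\r\n'
    'PC1,"C:\\Chrome\\chrome.exe" --type=plugin --plugin-path="C:\\Java\\bin\\npjp2.dll",1002\r\n'
    'PC1,"C:\\Chrome\\chrome.exe" --type=ppapi --ppapi-flash-args=a,b,1003\r\n'
)

if __name__ == "__main__":
    if sys.platform == "win32":
        for pid, role, level in chrome_processes_live():
            print("%6d %-12s %s" % (pid, role, level))
    else:
        print(parse_wmic_csv(SAMPLE_WMIC))
```

Run it with Chrome open: a plugin-type process sitting at the same integrity level as the browser process is an unsandboxed one, while sandboxed renderer and ppapi processes show a lower level. Running it once with Chrome started normally and once with Chrome started under Sandboxie gives you the concrete levels behind the discussion rather than guesses.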
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    NPAPI is already deprecated on Chrome, at least some versions on Linux.
     
  12. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    I have one quick question about Google Chrome: let's suppose that plugins, Java and similar are all sandboxed, and let's suppose that Chrome uses seccomp (on both Windows and Linux; yes I know, Chrome uses seccomp on Linux) abilities at full level so that it completely isolates its code not just from the system but also from the web. How tough and secure would Google Chrome be?
    When you have weak points like plugins, Java and similar (which are unsandboxed, I think), then of course it seems reasonable to use Google Chrome sandboxed by Sandboxie4, under Sandboxie's supervision.
    But if Google Chrome does not have any of those plugin and similar vulnerabilities that are outside of Chrome's sandboxing protection and control, how secure would it be?
    Would Sandboxie4 then be necessary, or would Google Chrome simply be too secure, even compared to Sandboxie4?
    Big thanks in advance.
     
  13. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Just wondering: if that's the case with plugins, then definitely Chrome needs SBIE to protect against Chrome's plugins' exploits/vulnerabilities.
    But let's suppose Chrome had no plugins and Chrome's renderer processes were completely isolated from both the system and the web. How secure would Google Chrome then be?
     
  14. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    There is a serious flaw in Bromium Labs' testing regarding Sandboxie. What I have just looked into is that PDF where Bromium Labs manages to bypass Sandboxie, but it was just yesterday that I had enough time to check everything about how Sandboxie was tested. Basically, Bromium Labs used cmd.exe to hack and break out of Sandboxie, but here is the fact: this was Sandboxie at the default level, plus it was specifically a sandboxed cmd.exe inside Sandboxie, under Sandboxie's control/supervision, that was allowed to start/run and have access to the internet, which enables the Sandboxie bypass. It was not a cmd.exe outside Sandboxie4 that was able to bypass SBIE.

    If Bromium Labs had used Sandboxie's start/run restrictions, cmd.exe would not be able to access the Internet and would not be able to start/run in the first place: no "cmd.exe" execution/start/run = no Sandboxie bypass, end of story.

    And what about the Duqu malware, was it really possible back then to block this malware by simply restricting/blocking (at least partially) t2embed.dll?
    If so, then Sandboxie4 would at least be able to protect against the Duqu malware at least 50%, since it has to protect/block/prevent the win32k.sys vulnerability, which is not possible even with a tightly configured SBIE. Any explanations?
     
    Last edited: Oct 1, 2014
  15. According to my own benchmark, I beat George Clooney with flying colours, according to my wife's standards I fail miserably
     
  16. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    I truly don't understand what was the point of this post...
     
  17. I should have looked in the mirror like you have looked in the PDF to see what is wrong with my benchmark. That should also have explained that my own Clooney benchmark is as flawed as the Bromium test setup.
     
  18. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    I still don't know what you meant, maybe sarcasm..., this still does not answer my doubts and questions about Bromium labs and sandboxes/Sandboxie4 testing using sandboxed cmd.exe.
     
    Last edited: Oct 1, 2014
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Interesting, but I cannot imagine that the testers did not think of this? Would be cool if you were right though. :D

    EDIT: You probably do not need "cmd.exe" to perform malicious actions, if a process is already exploited, but I might be wrong.
     
    Last edited: Oct 1, 2014
  20. Sorry no sarcasm intended towards you, I agree: Bromium should not have tinkered with SBIE settings to their advantage.
     
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I did some googling on the Bromium thing. I googled "kernel exploits", and almost 80% of the hits were Bromium posts/articles. Of the rest, most were Linux kernel exploits. The remainder were a few articles describing how difficult it is to write kernel exploits. Kind of gives you the feeling that the whole Bromium thing is a marketing ploy.

    The other thing that amused me was an article describing their research on an exploit a customer encountered. Buried in the report was the fact that the exploit detected VirtualBox, VMware and Sandboxie, and if found it didn't run. So let me see, an exploit runs in SBIE, SBIE is detected so the exploit does nothing. I exit the browser, deleting the exploit. Seems to me SBIE did its job, albeit somewhat indirectly.
     
    As posted, they raised 40 million dollars from venture capitalists. They are three years on the road now, so they are exceeding the time-to-market windows 'tio rico's' usually have in mind. They would normally gear up making noise 6 to 3 months prior to the first product/service launch. When they are on track we could see more marketing magic happening in the next two months.

    In the meantime: everyone can sharpen their hacking skills by following legitimate Google coding tracks https://google-gruyere.appspot.com/
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    You should read this (see link 1), it was really a bit painful for Bromium. :D

    Also, I think it was weird that they never released more info about the exploit in link number 2, I could not even post a comment on the article.

    http://www.invincea.com/2014/05/tech-throwdown-micro-virtualization/
    http://labs.bromium.com/2014/04/29/bypassing-endpoint-protections-bsides-london/
     
  24. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Ouch, painful is right.
     