Is Google Chrome truly that vulnerable?

Discussion in 'other anti-malware software' started by CoolWebSearch, Jul 6, 2014.

  1. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    That is beyond ridiculous. Talk about working around platform limitations... Damn.

    Although, wouldn't the native API still be accessible (if largely nonfunctional)? Or does Windows somehow not work that way?
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I do not know the details; I'm not as familiar with low-level Windows internals in that area.
     
  3. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
    Right now I'm running the free MBAE, with AppGuard in lockdown and Sandboxie sandboxing everything but Chrome. I find using Sandboxie on Chrome cumbersome and hope the other combo, plus the fact that I have no plugins enabled (though I enable PPAPI Flash on demand for videos I want to watch), will do. I use the PDF Now extension for PDF viewing; not sure if that's worse than the built-in one or not security-wise, but it's easier to search and do some other things, so I'm keeping that.

    AppGuard sure doesn't like Spotify and neither does EMET, so I'm uninstalling that exe and just using the web version when I feel the need.
     
  4. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    What exactly did you mean by this, and what exactly were you referring to? I truly apologize for not being technical enough to understand this...
    And why do you both (Malwar and Hungry Man) disagree with TyRidian, who wrote that it's better to have SBIE with Chrome than to use Chrome without SBIE? Here is what he wrote:

    "Chrome Sandbox = Runs in a restricted environment, prevents arbitrary code that may cause damage to the system, helps prevent exploits from reading or writing any information from the system (sounds perfect, but not always the case)

    Differences:
    While Sandboxie does the same, you can restrict the execution of processes that are associated with said sandbox, as well as restrict any Internet access that a process may ask for, etc.
    Basically with Chrome you get the built-in sandbox; with Chrome and Sandboxie, you not only get Chrome's built-in sandboxing features, but you end up getting more with Sandboxie's extensive set of options, which can be tweaked and hardened to your liking.
    To me, the combo is far superior to using just one solution.
    Of course, this is my own personal opinion.
    Basically...
    Chrome for its built-in sandbox
    Coupled with..
    Sandboxie to further restrict to my needs (Which enables me to manually tweak and handle on what I see)
    I don't know, that is my take on it, I am sure some will disagree."

    I think these arguments are pretty strong. What do you both think, Hungry Man and Malwar? I think this is the last thing that comes to my mind to ask, because I forgot to ask it earlier in the thread.
    Big thanks to both, in advance.
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    The vulnerability involves getting the operating system to deal with text. Chrome never lets that kind of text get to the operating system at all.

    The Chrome team knows what type of text they can whitelist/blacklist. But Sandboxie can never know these things, as it would have to know them for any program someone ran in it; therefore it must allow this text.

    That is why Sandboxie is bypassable and Chrome is not with this attack.

    Outside of the broker, Chrome can already not run other processes. I do not know the details of Chrome's IP but I would imagine internet access is brokered on a rule basis.

    Sandboxie only adds the benefit of sandboxing the broker, which usually runs as the regular user at medium integrity.

    This is ok. In the event of a sandbox escape that works by attacking the broker it will help prevent that attack.

    Let me say that, outside of fun competitions, these attacks are not cost effective.

    In more recent competitions the best attacks have been the ones on the Windows kernel. You get into Chrome, you are in the Chrome sandbox, you exploit the kernel, you own the system.

    Now let's add Sandboxie to the equation.

    You get into Chrome, you are in the Chrome sandbox, you are in the Sandboxie sandbox, you exploit the kernel, you own the system.

    Not much different, right?

    So you don't protect yourself against the attacks most likely to happen, just potentially against not-very-cost-effective attacks.

    Beyond that...

    Chrome has a very finely tuned sandbox. As I mentioned before, they do all sorts of weird stuff like unload kernel32.dll, a library loaded by default into processes on Windows.

    Adding in new libraries, such as Sandboxie's, is adding in potential attack surface.

    I have personally executed (in competitions) attacks where all usable libraries were unloaded, but references to those libraries could be found, and therefore exploited; such attacks do not seem possible when you first look at them, but they are. Now, in my case the attack was quite different, but I think the principle is the same.

    Adding a new library, like Sandboxie's, to a process that is so finely tuned to only have certain libraries loaded, to me, is increasing attack surface and complexity.

    I am *not* saying there are attacks on Sandboxie that will bypass the Chrome sandbox. I *am* saying it increases attack surface.

    Whether one feels that the cost of that attack surface is greater or less than the benefit of defending against a specific set of attacks is a decision for them to make.

    Personally, I just don't run Windows anyway outside of games. If I want a secure system I boot into Linux, which is what I do 99% of the time anyway.
     
  6. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Thank you Hungry Man, I truly appreciate your professional opinions, and thank you for having the nerves to answer so many of my questions. But if I may ask, what is your security setup right now?

    Windows Security gave me tips on what to use on both XP SP3 and on my new Windows 8.1.

    But I'd like to know: should I use Chrome on Windows XP (I don't think that's a smart idea; I should try it out with SBIE and AppGuard), and on my Windows 8.1 should Google Chrome and some tweaking be enough (even without router firewall protection)?
    This is why I'm asking you for your security setup: what is your approach, simple but secure (as much as it can be)?

    I think I will use Google Chrome on Windows 8.1, separately from SBIE (un-sandboxed) and possibly AppGuard; I still have to decide.

    I hope Malwar can answer the same.
    Big thank you in advance to both of you, Hungry Man and Malwar.
     
  7. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    Nice explanation @Hungry Man. :thumb:
    Kernel exploits are "best" but they are not very common. Usually the user is the weak link, so IMO preventing them from running executables from the net is important. Sandboxie can help in this case.
    I've set up a few systems with locked-down SBIE. I still haven't gotten a call from any of those users about any new infections. Before installing SBIE I had to clean those systems every few months.
    I agree that for knowledgeable users, who don't run files from the net, SBIE is not that important if they run Chrome.
     
  8. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    So, it's all about the user. Thank goodness, I'm not that stupid; I have much more experience than before and I won't fall for anything like this.
    But it's good to know that SBIE's restrictions, thanks to configuration, will prevent/do prevent such situations, since everything needs to be run/executed first, and only after that do kernel-level exploits do the rest.
     
  9. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    SBIE's restrictions can prevent accidental running by uneducated and insecure users. For kernel-level exploits nothing has to be run by users; the exploit is run without the user's knowledge or action.
     
  10. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    True, very true. I wonder what Hungry Man's response would be, since when it comes to executables Chrome will not stop/cannot stop any file from getting executed; this is what SBIE does best. However, Malwar wrote that he uses Chrome for browsing (without SBIE's supervision; Malwar uses Chrome without SBIE for browsing) and uses SBIE4 only for downloading files/executables and all other stuff, and that's it; he does not use SBIE for browsing, for that he uses only Chrome.
     
    Last edited: Aug 21, 2014
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I'm always happy to answer questions if someone's willing to learn.

    I run Chrome with HTTPSwitchBoard and a Grsecurity patched kernel on elementary OS.

    elementary OS is very easy to use. Patching the kernel is a bit more complex; I don't recommend it for everyone. If you want a low-maintenance system that is relatively secure, what I described, without kernel patching, is good.

    Well, as I described in my last post, it ends up being a question of whether it's easier to attack the broker or kernel. On XP it is even easier to attack the kernel, as there are (I believe) already known kernel vulnerabilities that will never be patched.

    Neither are attacks on the broker. We've never seen an attack on the broker used in the wild, only in competitions. We have seen kernel exploits used in the wild.

    Sandboxie can help for social engineering, but you don't need Chrome in a sandbox for that, you can have your Downloads folder as a forced folder.

    I only see two situations here:

    1) You run a file, and it executes, and exploits the kernel. Sandboxie stops this if you were running the file by mistake. If you meant to run the file, naturally you'll just tell Sandboxie to allow execution.

    2) You don't run the file, the attacker has got remote code execution in your browser process, the renderer probably, and now it exploits the kernel. Sandboxie does not stop this.

    I think it would make more sense to just have a policy where if you download a file you test it out in Sandboxie first.
     
  12. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    This is where I feel browser scripting control can have tremendous benefits to mitigate this threat.

    Excellent thread! Good, to-the-point questions from coolweb and excellent feedback from Hungry Man :thumb: Good to see you back posting, HM.
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I'm a bit surprised that you're so skeptical about it. Isn't it true that tools like MBAE and HMPA work about the same as EMET? So why would you be skeptical about other anti-exploit tools? :)
     
  14. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Thank you again, HM. But if you don't mind, what is the definition of the broker? I mean I do know what exactly you mean, but I'm not sure how I would explain this to someone.

    Also, you said this:
    "Sandboxie can help for social engineering, but you don't need Chrome in a sandbox for that, you can have your Downloads folder as a forced folder."

    I understand now: basically, when it comes to social engineering, Chrome is more than enough and no one needs SBIE, but if you want to download and test something/some file, the best thing to do is to have the Downloads folder as a forced folder/run sandboxed under SBIE's supervision. But on the other hand, again like you said:
    "1) You run a file, and it executes, and exploits the kernel. Sandboxie stops this if you were running the file by mistake. If you meant to run the file, naturally you'll just tell Sandboxie to allow execution.

    2) You don't run the file, the attacker has got remote code execution in your browser process, the renderer probably, and now it exploits the kernel. Sandboxie does not stop this.

    I think it would make more sense to just have a policy where if you download a file you test it out in Sandboxie first."

    But this also means that if I run a file, that file could be malicious and do all kinds of havoc on the computer.

    I think these 3 sentences, so far, settle all of my questions and all of my doubts.
    Maybe I should use something in Chrome for browser scripting control, which is excellent against kernel-level exploits, as Watt said; I'm thinking that he meant exactly HTTP Switchboard.
    If I have some other newer questions, I will ask them; I'm just hoping this thread will stay open.

    I just got it, there is one question that tortures me: I remember when Bo Elam answered about how his friends got infected even though they were using Google Chrome. He responded to me with this:

    "Let me put it to you this way:

    I don't know of anyone using Sandboxie that is getting infected.

    On the other hand, when I go to visit friends, many times I see infections in their computer despite using Chrome.

    Bottom line. There is always a chance that something can break the sandbox but the chances are so little that I just don't think about it at all. After more than 5 years using SBIE and nothing breaking out of the sandbox, Sandboxie has nothing to prove to me.

    Personally, I would be scared to use Chrome without SBIE but that's just me.

    It is likely that they get infected when they allow something to install. Even though when I ask, What the hell did you install?, they always say, "I didn't install anything at all".

    By the way, I am no expert on Chrome at all. Like I said in another reply here, I have never installed Chrome or anything like Chrome in my real system. I have installed sandboxed, Chromium, Canary and Dragon but never in my real system."

    So what do you think about this, HM?
    That's all for now, and again big thank you for all your time, patience and nerves.
     
  15. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    I agree, MBAE and HMPA are at least as good as EMET in their job.
     
  16. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    If you don't mind, Watt, what do you exactly use for your browser scripting control for Google Chrome?
    Thanks in advance.
     
  17. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    HTTP switchboard.
     
  18. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    @Rasheed187, @CoolWebSearch: all I have to go on with third party anti-exploit tools is statistical data from tests, and meanwhile as I said I don't know the mechanisms at all. It's not like HIPS or such where what it does is obvious.

    Edit: to be fair I have similar misgivings about GrSecurity to an extent - it seems far too good to be true, magically making unsafe code crash at runtime instead of silently failing, etc. But GrSec is fully open source and subject to a ton of external scrutiny. Commercial anti-exploit software has no such scrutiny (as far as its users know anyway). It's just a magic black box.

    I'm not saying it doesn't work, but I wouldn't be surprised if it had unspoken caveats.
     
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes, but my point is that you do seem to understand how EMET works, and that automatically means that there should be no reason to be skeptical about tools like MBAE and HMPA. As far as I know, they inject code into monitored apps and check for suspicious behavior in memory, trying to disrupt exploit code. What exactly don't you understand about this? :)
     
  20. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    EMET works (for the most part) by leveraging existing, built-in Windows kernel features. MBAE et al claim to be doing their own thing which can complement EMET, and use their own drivers. Other than that I have no idea. "Checking for suspicious behavior in memory" and "trying to disrupt exploit code" are just descriptions of what it's supposed to do, not mechanisms for doing so. In practice it is really nontrivial to differentiate between legitimate code and injected shellcode.
     
  21. Malwar

    Malwar Registered Member

    Joined:
    May 5, 2013
    Posts:
    297
    Location:
    USA
    I would not use Sandboxie with Chrome because it could make Chrome's sandbox weaker. I only use Windows 7 with a LUA+UAC (max) + Chrome + Windows 7 firewall blocking all inbound, only allowing Chrome outbound, and only allowing svchost.exe to connect when I want to update Windows. I will get a Chromebook soon, and when I do I will use it as my main computer and just use Windows strictly for gaming. I will disable all the services and everything I do not need, including Internet Explorer, and I will not have a browser, no Java or Flash or anything that I do not need for gaming.
     
    Last edited: Aug 21, 2014
  22. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    A lot of posts lol this will take a few.

    @wat0114
    Back all week. Then I'll likely be gone for a while.

    @Rasheed187
    Not directed at me, but EMET is 100% open about how it works. It's heavily studied. The EMET team lets everyone know how it works.

    MBAE refuses to share even basic details about how their "anti exploit" software works because "intellectual property". That's nonsense, and I don't trust that.

    I know a fair bit about the type of anti-exploit software things like EMET deploy. I can see the caveats and I keep up on research on how bypasses work. I trust EMET because, at a significant level, I understand how it works.

    I can not trust the others because I can not waste time reversing their product just to decide if I should use it or not.

    My guess is that they aren't that great anyways. I have my own reasons for believing that and they aren't technical.

    @CoolWebSearch

    The broker is in charge. It says what can and can not happen.

    Imagine the browser has two components (there are more, but this is just an explanation): the broker and the renderer (and there can be many renderers).

    The renderer has *no ability to do anything* to the file system (or the network I believe). It also does all of the complex work with web content.

    Whenever the renderer wants to do something it asks the broker first. The broker validates the request "is this thing legit? Or is it asking me to do something really weird?" and then carries it out on the renderer's behalf.

    That's about it. The renderer is not without any rights, and that's why kernel exploitation is possible.

    Well, Chrome is not infallible. There are two things to consider:

    1) As Gullible Jones mentioned, something like Java is not sandboxed by Chrome. It *is* set to click-to-play, but if a user clicks, a Java exploit can launch unsandboxed.

    2) If a user downloads and runs a file, yeah, they'll get exploited. My suggestion is to run Sandboxie for files you download, to test them out before running them on your real system.
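    The broker/renderer split described in this post, as an added toy model (not Chrome's code; the class names, the policy and the sample requests are invented for illustration): the renderer owns no file or socket handles and has to ask the broker for everything, and the broker applies a default-deny policy, rejects malformed requests such as path traversal, and records each decision so that "something really weird" is visible after the fact.

```python
from dataclasses import dataclass
from pathlib import PurePosixPath

# Constructed example: a toy model of the broker/renderer split. Class names,
# the policy and the sample requests are invented for illustration; this is
# not Chrome's sandbox code.


@dataclass(frozen=True)
class Request:
    op: str       # "read", "write", "connect", or anything else
    target: str   # a path for read/write, host:port for connect


@dataclass(frozen=True)
class Policy:
    readable_roots: tuple = ("/sandbox/cache",)
    writable_roots: tuple = ("/sandbox/cache",)
    allowed_hosts: tuple = ("updates.example.test",)


class Broker:
    """The privileged side: holds the policy, validates every request,
    carries out only what the policy allows, and keeps an audit trail."""

    def __init__(self, policy):
        self.policy = policy
        self.audit = []   # (request, decision) pairs: what a defender would log

    @staticmethod
    def _canonical(path):
        p = PurePosixPath(path)
        # pathlib keeps ".." components; reject them rather than resolving them
        if not p.is_absolute() or ".." in p.parts:
            return None
        return p

    @staticmethod
    def _under(path, roots):
        return any(path == PurePosixPath(r) or PurePosixPath(r) in path.parents
                   for r in roots)

    def decide(self, req):
        if req.op in ("read", "write"):
            p = self._canonical(req.target)
            if p is None:
                return "deny: malformed path"
            roots = (self.policy.readable_roots if req.op == "read"
                     else self.policy.writable_roots)
            return "allow" if self._under(p, roots) else "deny: outside sandbox"
        if req.op == "connect":
            host = req.target.rsplit(":", 1)[0]
            return ("allow" if host in self.policy.allowed_hosts
                    else "deny: host not allowlisted")
        return "deny: unknown operation"   # default deny, e.g. process spawn

    def handle(self, req):
        decision = self.decide(req)
        self.audit.append((req, decision))
        return decision


class Renderer:
    """The unprivileged side: does the complex work on web content, owns no
    file or socket handles, and can only ask the broker."""

    def __init__(self, broker):
        self._broker = broker

    def ask(self, op, target):
        return self._broker.handle(Request(op, target))


def demo():
    """Run a handful of constructed requests through the broker."""
    broker = Broker(Policy())
    renderer = Renderer(broker)
    results = {
        "cache_read":   renderer.ask("read", "/sandbox/cache/page.dat"),
        "system_write": renderer.ask("write", "/etc/passwd"),
        "traversal":    renderer.ask("read", "/sandbox/cache/../../etc/passwd"),
        "update_host":  renderer.ask("connect", "updates.example.test:443"),
        "other_host":   renderer.ask("connect", "other.example.test:80"),
        "spawn":        renderer.ask("spawn", "/usr/bin/calc"),
    }
    # every denial is visible in the broker's audit trail
    results["denied_count"] = sum(1 for _, d in broker.audit if d.startswith("deny"))
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:13} {decision}")
```

    The point of the model is the shape, not the policy values: the renderer has no way to touch the file system or network except through `ask`, so a compromised renderer is limited to what the broker will do on its behalf, and the audit list is where a defender would look for requests that no legitimate page load should generate.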
     
  23. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Thanks for dropping in, Malwar, your security setup helps me out a lot. So basically I could use my Windows 8.1 LUA+UAC+SRP plus firewall inbound/outbound control without installing anything else?

    You said that you would not use Sandboxie 4 with Chrome because it could make Chrome's sandbox weaker. That's a potential danger, indeed, but you know there are others who don't think like you do; what do you think about this?

    For some reason, I'm not techie like you and Hungry Man, and even to me it sounds like these 2 sandboxes would eventually go on a collision course and lower the security and protection level of each/both sandboxes.

    But I have to ask if Google Chrome works on Windows 8.1 (I didn't use it, so I'm asking now, before I manage to install anything).
    The other choice I have is to have SBIE4, unsandboxed Chrome, AppGuard, NoVirusThanks EXE Radar Pro plus Windows 8.1 firewall inbound/outbound control like your own; hmmm, it's hard to say what to choose.
    I wonder if I can use all of them: SBIE4, unsandboxed Chrome, AppGuard, NoVirusThanks EXE Radar Pro, Windows 8.1 firewall inbound/outbound control like your own, LUA+UAC (max)?

    It's good to know that I do not have to use any other kind of software firewall (Comodo, Private, Outpost, Jetico, etc.), and that the Windows 7/8/8.1 firewalls, even without router firewall protection, are more than secure enough to protect against internet threats (I mean closed ports and all other firewall functions).
     
    Last edited: Aug 22, 2014
  24. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    I'm using the same setup, except SUA and FW outbound. :thumb: Chrome is working great on Win 8.1. Just disable all privacy-related settings and tighten other Content settings and you'll be OK :)
     
  25. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Thanks for all of your explanations, if you can handle me, just a little bit more...

    I wanted to ask you what you think about AppGuard and the statement from Barb-C that it beat EMET when it comes to exploit protection: EMET protected against 80% of all exploits (or malware, someone should truly correct me), while AppGuard protected against 100% of all exploits (or malware, like I said someone should correct me on this)?
    I mean, if EMET is so good, then why did AppGuard beat it? I also read that EMET runs on user-level, not on kernel-level:
    https://www.wilderssecurity.com/threads/appguard-4-x-32-64-bit.355206/page-79#post-2398037

    Why EMET does not run on kernel-level?

    And I will listen to your and Malwar's advice and use and run SBIE4 only for files I download, to test them out before running them on my real system.

    My second question would be: is there any more secure replacement (a sandboxed replacement, perhaps?) for Java for Google Chrome/Mozilla Firefox/Internet Explorer, if Java is so insecure?

    And third, the last: Malwar posted above that using Chrome with SBIE4 could make Chrome's sandbox weaker. Well, I do know what I'm going to write is just a matter of someone's opinion, not fact, but to me it seems logical that when you have 2 sandboxes, they will collide; it's like putting 2 antiviruses or 2 firewalls together at the same time on the same computer.
    It simply cannot be more secure, only less secure. What do you think, Hungry Man?

    I think these are really all the questions I could think of so far; I don't think there will be newer questions for some time. I just hope the moderators will not close the thread.
     
    Last edited: Aug 22, 2014