Is Google Chrome truly that vulnerable?

Discussion in 'other anti-malware software' started by CoolWebSearch, Jul 6, 2014.

  1. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    OK, thanks for the info, but what do you mean by "SUA"? You mean LUA=Limited User Account, right?
    It's good to know that I do not have to use any other kind of software firewall (Comodo, Private, Outpost, Jetico, etc.), and that the WINDOWS 7/8/8.1 FIREWALLS, even without router firewall protection, are more than secure enough to protect against internet threats (I mean closed ports and all other firewall functions).
     
    Last edited: Aug 22, 2014
  2. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    In Windows 8 Standard User Account is the same as LUA. I use Administrator account with UAC on max, which is similar to SUA.
     
  3. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    OK, understood, I'll try to find on the net how to tweak SUA+UAC+SRP on maximum security/protection level.
     
  4. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    Hi CWS, I'll give you a good solution. Don't install Java. And if you ever need to use Java, install it temporarily in a sandbox; after the install, run your browser or the program that requires it in the sandbox where you installed Java, and when you are done, delete the sandbox.

    Bo
     
  5. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Yes, indeed, why haven't I figured this out earlier? I could simply use my SBIE4 for sandboxing Java, right?
    This is an excellent solution, thank you very, very much, Bo!!!
    Too bad I'm not as creative and innovative as you are; it's always good to have you here on the message boards.
     
  6. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    CWS, before installing Java sandboxed make sure to set the sandbox not to delete on closing, otherwise, the sandbox will delete as soon as the installation is over. After you finish using Java, change the Delete setting to allow deleting the sandbox.

    Bo
     
  7. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    AppGuard vs. EMET: marketing hype. Windows cannot be made invulnerable. (For starters, the kernel implicitly trusts the hardware, and the hardware is known to be untrustworthy.) EMET is specific to attacks on program memory, but very good at it.

    From what I'm reading on the AppGuard website, it sounds like they've now developed something like seccomp for Windows, only they say it can be applied to anything and everything automatically? But they're not giving any details at all, so see again "total black box" and "too good to be true."

    As for EMET itself: the kernel components are built into the core of the Windows kernel, it just has to tell them what to do. Also I believe it has a userspace component, consisting of DLLs that monitor programs for certain types of attacks (e.g. heap spray).

    SBIE currently uses Windows integrity levels so I don't think it would interfere. The only way would be if the broker required medium integrity to spawn a lower integrity process, and I don't think that's the case.

    Running two firewall/HIPS/AV/etc. programs will cause trouble for different reasons - they're trying to hook the same functions and will interfere with each other.
     
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I don't know the details of AppGuard. It may be better or they may be full of it. My guess is they have some sort of anti-executable type restriction, so of course they block 100%, but it's not robust.

    There is no replacement for Java. I personally don't run Java, I don't need or use it.

    It depends. In this case the sandboxes do the same thing, so they really have no benefits by being combined. If Sandboxie did something that Chrome's sandbox didn't, I'd say combine them, but it doesn't.

    @Gullible Jones

    EMET uses security techniques like ASLR, SEHOP, DEP, etc. It also has its own techniques, which fall under a subset of security mitigation techniques referred to as "Control Flow Integrity". Things like "Don't allow calling into the middle of a function" and things like that.

    The flaw here is that CFI can have very significant performance hits. So, to get around this, 'coarse grained' CFI is implemented, as the rules are fast to validate. This is not very restrictive, unfortunately, and in my opinion the anti-ROP techniques in EMET are not as significant as something like full ASLR.
     
    Last edited: Aug 22, 2014
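    As an added illustration of the coarse- versus fine-grained distinction drawn in the post above (example code written for this thread, not from EMET or any poster): a coarse policy only checks that an indirect call lands on the entry of some known function, so a corrupted pointer into the middle of a function is blocked, but a pointer redirected to the entry of a wrong, unrelated function still passes. A fine-grained policy pins each call site to its own legitimate targets. All function and table names here (cb_add, cb_mul, unrelated_op, the policy tables) are hypothetical.

    ```c
    #include <limits.h>
    #include <stddef.h>
    #include <stdint.h>
    #include <stdio.h>

    typedef int (*binop_fn)(int, int);
    #define CFI_BLOCKED INT_MIN   /* sentinel returned when a policy rejects the call */

    /* Hypothetical program: two callbacks that legitimately belong in one dispatch slot,
     * and an unrelated function that should never be reachable through that slot. */
    int cb_add(int a, int b) { return a + b; }
    int cb_mul(int a, int b) { return a * b; }
    int unrelated_op(int a, int b) { (void)a; (void)b; return -1; }

    /* Coarse-grained policy: "the target must be the entry point of *some* known function". */
    static const binop_fn all_entries[] = { cb_add, cb_mul, unrelated_op };
    /* Fine-grained policy for this call site: only its own two callbacks are valid targets. */
    static const binop_fn site_targets[] = { cb_add, cb_mul };

    static int in_set(binop_fn t, const binop_fn *set, size_t n) {
        for (size_t i = 0; i < n; i++)
            if (set[i] == t) return 1;
        return 0;
    }

    int coarse_cfi_allows(binop_fn t) { return in_set(t, all_entries, sizeof all_entries / sizeof *all_entries); }
    int fine_cfi_allows(binop_fn t)   { return in_set(t, site_targets, sizeof site_targets / sizeof *site_targets); }

    /* Constructed stand-in for a corrupted pointer aimed one byte past a function entry.
     * It is only compared against the tables, never called. */
    binop_fn mid_function_pointer(void) { return (binop_fn)((uintptr_t)cb_add + 1); }

    /* Dispatch through t only if the selected policy accepts it; otherwise refuse. */
    int checked_call(binop_fn t, int a, int b, int fine) {
        int allowed = fine ? fine_cfi_allows(t) : coarse_cfi_allows(t);
        return allowed ? t(a, b) : CFI_BLOCKED;
    }

    int main(void) {
        binop_fn mid = mid_function_pointer();
        printf("mid-function target, coarse policy:   %s\n", coarse_cfi_allows(mid) ? "allowed" : "blocked");
        printf("unrelated function, coarse policy:    %s\n", coarse_cfi_allows(unrelated_op) ? "allowed" : "blocked");
        printf("unrelated function, fine policy:      %s\n", fine_cfi_allows(unrelated_op) ? "allowed" : "blocked");
        printf("cb_add(2,3) through checked_call:     %d\n", checked_call(cb_add, 2, 3, 1));
        return 0;
    }
    ```

    The second line of output is the weakness Hungry Man describes: the coarse check is cheap, but any whole function is an acceptable destination to it.
    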
  9. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    But what do you mean by AppGuard is not robust in what way exactly...

    And do Chrome and SBIE4 both do all of their jobs equally well, with equal benefits, and that's why it's useless to combine them, right?

    And what do you mean by CFI and SEHOP?
    I do know that DEP stands for Data Execution Prevention.

    If you want to know about AppGuard read this:
    http://ww1.prweb.com/prfiles/2010/05/11/1052624/AppGuardTechWhitePaper.pdf

    https://www.wilderssecurity.com/threads/appguard-4-x-32-64-bit.355206/page-84#post-2401411

    Read Pegr's posts:
    https://www.wilderssecurity.com/threads/appguard-4-x-32-64-bit.355206/page-84#post-2401168
    https://www.wilderssecurity.com/threads/appguard-4-x-32-64-bit.355206/#post-2298875
     
    Last edited: Aug 22, 2014
  10. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    I see what you mean by AppGuard and their goals and "too good to be true" marketing, but I simply like AppGuard and NoVirusThanks exe radar pro the way it protects my computer, so I will still use it.

    Regarding SBIE4 and Chrome running under SBIE4's supervision, HM is right: "In this case the sandboxes do the same thing, so they really have no benefits by being combined. If Sandboxie did something that Chrome's sandbox didn't, I'd say combine them, but it doesn't."
     
  11. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    They mention a "memory shield" or somesuch. It's possible they have their own ASLR driver (or runtime patch, or something); that's not unknown - Wehntrust did that for Win2k/XP/2003 a while back. They could also implement their own version of the CFI/anti-ROP stuff you mention.
     
  12. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Actually, Windows_Security mentioned that AppGuard is like ASLR/DEP/LUA/UAC on steroids!
     
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    If they have their own ASLR mechanism it probably breaks ASLR, that's my experience with those things.

    ASLR already exists. So what could they add to it? I know Sophos had some NOP slide thing they used to try to force ASLR on XP, but it ended up disabling it on every other OS.

    I don't know what they do. Could be amazing.
     
  14. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,093
    Location:
    Germany
    AppGuard MemoryGuard just prevents guarded apps from reading or altering other apps' memory.
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Did you guys try the latest HMPA v3? It explains exactly what they protect against, and how they do it. The makers of MBAE do indeed refuse to give this info, but I expect they do the same as EMET. Does it even matter that they won't give full details? :)

    If you read this stuff, then surely you must have an idea, how anti-exploit tools are trying to do their job:

    http://blog.trailofbits.com/2012/10/29/ending-the-love-affair-with-exploitshield/
    https://news.saferbytes.it/approfon...ctive-approaches-to-mitigate-exploit-attacks/
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Your guess is right. The question is if anti-exe is good enough against more advanced exploits/payloads. Another question: do exploit kits already offer "advanced exploits" at the moment? By advanced I mean payloads that operate from memory without having to write to disk, or even start up a new malicious process. :)
     
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    No, it's a simple anti-code-injection (+ prevention against memory reading) feature. It doesn't offer any exploit mitigation features like EMET. Trust me, I had a whole discussion about this in the AppGuard thread. And for some reason even their "chief software developer" didn't seem to understand how anti-ROP/memory overflow protection is different from protection against code injection. :cautious:
     
  18. guest

    guest Guest

    I wouldn't consider AG to be an anti-exe personally. Policy restriction that is.

    @CoolWebSearch
    I understand that you want to get information and all, but IMO you're worrying too much. We can do many things to secure our system up until a certain level, but when we're talking about direct kernel exploits nothing can really protect us. Since our goal is to gain as much security until that limit, anything can be used. It's only a matter of personal preferences really. I don't like Sandboxie, so I don't use it. I like GesWall, so I would love to use it (GesWall is dead BTW, don't consider it as a recommendation). X setup can be as secure as Y setup, you don't have to use XY setup just to make sure it's impenetrable, there's no such thing as a flawless fortress.
     
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    You don't get it, when I say "anti-exe", I mean the method that is used to stop exploits/payloads. For example, EMET uses "exploit mitigations" to stop exploits. And tools like MBAE and HMPA use both. :)
     
  20. Malwar

    Malwar Registered Member

    Joined:
    May 5, 2013
    Posts:
    297
    Location:
    USA
    It just makes sense that Sandboxie could weaken Chrome's sandbox, but I agree with HungryMan: it depends. If Sandboxie added something to Chrome then go for it, but it does not. If I were you I would just use Windows 8 like you said you were going to do and just use LUA+UAC(max)+Windows 8 firewall, block inbound and only allow what you need outbound, and use the Windows 8 SmartScreen filter.
     
    Last edited: Aug 22, 2014
  21. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    That's what I told our friend CWS, but unfortunately he is listening to people in PM who tell him things that do nothing but scare the hell out of him. Not pleasant. Somewhere earlier in this thread he mentions the word Torture. No one that knows a little security should feel that way. No matter what.

    Bo
     
  22. guest

    guest Guest

    And AG does more than just blocking executables, you only mentioned 1/4 of its full power. Good gawd anti-exploit software are really overrated these days. =V

    I myself had been at that point some time ago. I heard so much frightening news about cyber-security and cyber-privacy, which made me pile up security and privacy tools, thinking that it would ensure my safety. But in the end I got tired of it, and I had actually just increased my attack surface significantly. These days I don't give a damn about trying to "perfect" my setup anymore and prefer to go with the idea of minimalism instead, only using tools I see as giving considerable advantages and avoiding overlaps as much as possible. I might be ignorant, but I have peace of mind. :D
     
    Last edited by a moderator: Aug 22, 2014
  23. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    The questions from CWS I think are good. There are too many uncertainties, or a lack of detail, floating about in these and other forums regarding how some of these exploits truly work and how they could be mitigated.

    BTW, I really like Malwar's security setup listed in the signature. Hardening the browser and utilizing as much as is available in the OS is the way to do things, imho :thumb:
     
  24. guest

    guest Guest

    The questions are good, but it's also a never-ending concern. Exploit writers might find new ways which will render today's mitigations completely useless. Plus, any software can be exploited, even security software. Piling them up doesn't make you more secure, but instead increases your attack surface. Just use one or two security tools you're comfortable with and be happy with it.

    Some things can't be done by built-in configurations though. While on the other hand third-party tools can offer better protection than what's already built-in.
     
  25. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    GZ, if spending time learning security doesn't help you enjoy using computers and the internet, then why learn? Might as well stay dumb. I tell friends in real life that if they don't want to be infected again, all they have to do is read security for three hours a day for thirty days and they'll never get infected again. I believe that. When they ask me about what to read, I tell them it doesn't matter.

    Reading security to make you afraid doesn't make sense. The last time I felt paranoid or scared about something related to computers was before I started reading and learning about these things. And GZ, I don't spend a lot of time reading this kind of stuff. I still do all the things that I used to do before I ever heard of Sandboxie or knew what a forum was. Now I even have more time for doing the things that I enjoy while using a computer, since I spend 0 time doing scans or upgrading or changing security programs.

    Bo
     
    Last edited: Aug 22, 2014