Sandboxie safe to run Active X control?

Discussion in 'privacy technology' started by tonyseeking, Mar 3, 2009.

Thread Status:
Not open for further replies.
  1. tonyseeking

    tonyseeking Former Poster

    Joined:
    Nov 12, 2008
    Posts:
    406
    Some websites I visit give me a pop-up window asking to install "Run Active X Control".

    If I am uncertain about such a website, can I run that website through Sandboxie, and then when I close Sandboxie, that Active X or whatever it was that IE installed, will be deleted and totally removed?
     
  2. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    It should be, yes.
     
  3. tonyseeking

    tonyseeking Former Poster

    Joined:
    Nov 12, 2008
    Posts:
    406
    It should be? You don't sound very sure.

    Anyone else know for sure? :blink:
     
  4. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    I'm very sure that the chances of that active x control trying any funny business outside of the sandbox are extremely low. Does that sound better to you? :) You don't get guarantees out of me when it comes to security and threats, everything is fallible. Sandboxie has been penetrated before, just like a few other highly popular apps. It happens, it'll happen again, but it will get fixed. Don't rely on just Sandboxie, and you'll be alright no matter what tries to hit you.
     
  5. Bob D

    Bob D Registered Member

    Joined:
    Apr 18, 2005
    Posts:
    1,234
    Location:
    Mass., USA
  6. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
    From what I understand, it cannot escape the sandbox. And then by deleting the sandbox in Sandboxie Control, it disappears as if it never existed.
     
  7. demoneye

    demoneye Registered Member

    Joined:
    Dec 30, 2007
    Posts:
    1,356
    Location:
    ISRHell
    It is safe. I have one site which installs Active X, and when I empty the container and reload the site, it wants to install this Active X again, so it is safe!
     
  8. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    I assure you it is not safe. :)
     
  9. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
    Really? Is it never safe? Or only sometimes unsafe?
     
  10. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Active X allows objects and foreign code to run on your system. Foreign code, which can be malevolent, can break out of memory/sandboxes, run 3rd party applications outside of the sandbox, install rootkits that bypass or live outside the sandbox by hooking into files and applications. Sandboxie is NOT a suitable replacement for a virtual machine, and does not make unsafe applications or activities safe.
     
  11. tonyseeking

    tonyseeking Former Poster

    Joined:
    Nov 12, 2008
    Posts:
    406
    Yeah, thanks Steve for the reminder. I actually went through this about a month ago with some other people.

    I will avoid allowing any ActiveX to be run on Vista. Even when IE is running in Sandboxie.
     
  12. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Steve, I actually get what you're saying, however, if we're talking about malware that can break out of a virtual environment, there are some that can break out of a virtual machine too. In fact more and more malware are becoming aware of "virtual solutions". Now I'll grant you I'm not even close to being an expert on this stuff, but my thought is, if you get a piece of malware like this, it's not going to matter what kind of virtual environment you run. But for any other case, Sandboxie has a proven record of being able to stop bad things from happening, including active x.
     
  13. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,635
    Location:
    European Union
    I was also going to point out that some malware can break out of a virtual machine too :). However, a virtual machine is a safer solution than a sandbox simply because it emulates a computer rather than hook the kernel to monitor all changes to a system.
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I assume you've tested this with Sandboxie and can provide a specific example of this so others can test and verify, and Tzuk, the developer of Sandboxie, can look at it. Myself and others have thrown a lot of malware at Sandboxie and it holds up fine. I run Active X stuff sandboxed and have never seen a breakout.

    Pete
     
    Last edited: Mar 4, 2009
  15. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
    @SteveTX: I am no expert either but that may be >a bit< OTT ?? :blink:
    Not meant to be replacement for VM imo.
    This is a fairly provocative comment and clearly implies that Sandboxie has some dramatic flaws that have not been tested or addressed.
    If that is the case, that would be very important to know.

    Beyond what we know about Sandboxie and its capabilities, can you provide some specific examples please: if there are; <cough> ....really are ...<cough> such gaping holes in Sandboxie; then we have all been hoodwinked.

    EDIT: @tonyseeking:
    this thread?: https://www.wilderssecurity.com/showthread.php?t=232214
    SO why are you still asking about sandboxie if you think it is so flawed ??
    Did you not learn anything from that thread?
    Sandboxie Forum thread re tonyseeking's issue at that time: http://www.sandboxie.com/phpbb/viewtopic.php?t=4911

    Sandboxie forum thread referencing tonyseeking's current problem : http://sandboxie.com/phpbb/viewtopic.php?t=5083&highlight=active

    Looking forward to seeing flaws in Sandboxie laid bare.

    EDIT:
    From Blue:
    :eek: The frenzy is upon us. :)
     
    Last edited: Mar 4, 2009
  16. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    It is amazing how statements are made and no facts are presented. The fact is many have tested time and time again and Sandboxie holds its own against most malware and has yet to let anything escape if used properly. The fact of the matter is anything can be broken, so unless there is an Active X or some evil variant specifically targeted to escape Sandboxie, well then. Besides, how often does this happen in the first place, and when it does it's addressed rather quickly.
     
  17. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    I don't mean for it to sound like a wolf cry. We focus our bugfinding eyes on anonymity and privacy for the most part, and we look at what is considered the most advanced open-source projects with hundreds of contributors, and we still find severe vulnerabilities and compromises of all types, many times per year. Sandboxie has significantly less resources for development, is closed-source (security through obscurity), less code maturity, significantly fewer eyes on its codebase, and has significantly more risk in its attack vectors.

    While this is not an apple to apple comparison, it isn't over the top to say you have dangerous things going on that will have a relatively predictable outcome: Sandboxie allows and encourages unknown and unsafe code to run, and it is therefore capable of running right over Sandboxie. That will be an inherent flaw, much like Tor's flaw is that it allows participants to manipulate traffic. Nothing can be done to mitigate it, it is just an effect of the design. The reason it falsely seems safe is because it just isn't a high value target. In the 1990s Mac users used to tout how Macs were virus proof, that is until virus writers started designing viruses for Mac. Sandboxie says it themselves: "Trust no program." Just because nobody is trying to fill up your bucket doesn't mean your bucket holds water. ;)

    I think a good person to ask, if you were looking for a bugfinder, would be a guy who pioneered sandbox/virtualization breakout attacks, like Tim Shelton, aka "RedSand".
     
  18. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,332
    Location:
    US
    I haven't got my new system set up like this yet, but you can do like I was doing on my old system: open up Sandboxie, then inside of Sandboxie open up a Virtual Machine, then inside of the VM open up Linux and surf using Firefox. For a baddie to get me it would somehow have to get through Firefox with NoScript, then somehow survive on Linux, then survive the dissolving of my VM, then Sandboxie.

    Acadia
     
  19. tzuk

    tzuk Developer

    Joined:
    Jul 4, 2004
    Posts:
    34
    An ActiveX component is just some bits of code (technically, a DLL) that are downloaded from the Web and executed within the Internet Explorer process.

    Sandboxie completely envelops the process/program it supervises, and pretty much guarantees that the program cannot write anything outside the sandbox. When the program we're talking about is Internet Explorer, this applies to everything Internet Explorer does, including the ActiveX code that runs within IE.

    SteveTX, you obviously have no idea about Sandboxie, or how it works, yet you repeatedly make bold claims about it, with the air of someone who knows what they're talking about.

    May I kindly ask that in the future you refrain from making your baseless, inflammatory comments about Sandboxie? Thanks.
     
  20. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,332
    Location:
    US
    When security expert Steve Gibson uses Sandboxie himself and recommends it over all other sandboxing apps, well, that says it all for me! :cool:

    Acadia
     
  21. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Hmm, this could turn into a really technical and great discussion, or it could suffer "Wilder's Syndrome" and get shut down. Here's to hoping we get to see some good stuff (if any tests are actually performed that is. Me, I'm comfortable with the safety of Sandboxie, but others may want to run it through the gauntlet).
     
  22. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,332
    Location:
    US
  23. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    Even though programs cannot write to the disk outside of the sandbox, it has been proven that programs running inside Sandboxie can "Communicate" outside of the sandbox. Like the Reg test etc.
    http://sandboxie.com/phpbb/viewtopic.php?t=4665&sid=86ba78cde4fcc16e1f7250f9012ecc96

    Even though people say that this is not an issue, the fact remains that programs can still "Communicate" by code injection outside of the sandbox.

    In Sandboxie restrictions we have stuff like Run and Internet access.
    It would be good if at some stage we can have another feature added to the restrictions like "Block running programs from communicating outside of sandbox" etc.
     
  24. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    You're right, I haven't really studied the design schematic of Sandboxie, Ronen. Would you be so kind as to send me a registered version and source code so I can take a look at the full functionality of your program? I would be happy to sign a non-disclosure agreement.
     
  25. Cadillakin

    Cadillakin Registered Member

    Joined:
    May 22, 2007
    Posts:
    18
    I'm not one of the more knowledgeable users of Sandboxie. So, perhaps you can expand on what you said for me.

    For instance, if I run an application in my sandbox.. Let's say Firefox.. And if I configure Firefox to be the only application running in that box and disallow any internet access... how will that sandboxed Firefox "communicate", and with what?

    Give me an example of what you mean so I can test it. You pick the program and I'll see if I can configure it so it doesn't "communicate" or allow anything else to run.
     