sick of all updates

Discussion in 'other security issues & news' started by culla, Jul 9, 2010.

Thread Status:
Not open for further replies.
  1. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
    Those two kernel vulnerabilities are actually what the Sandboxie developer feared the most. If two separate staged exploits were to be used, it can be easily mitigated by any security protection, just like Sandboxie. A malicious dll coming from the latter attack, carrying shellcode that does low-level actions to subvert the kernel or modify the MBR, Sandboxie can stop it as well as a classical HIPS.

    Franklin and Buster of BSA have thrown a gig of malware into Sandboxie. I am quite sure a few would carry local kernel exploits (being so common, right?) but Sandboxie prevailed. :p
     
    Last edited: Dec 10, 2010
  2. katio

    katio Guest

    How is that any different from shellcode embedded in EOT/WMF?
    Let's see, on the one hand we have a malicious font/image that gets loaded into Sandboxie; a browser or image viewer processes the file. It calls the kernel to render it. The kernel loads the relevant code into its own memory space and starts processing it; at some point the exploit kicks in and the kernel starts doing something else (like the stuff you posted).
    The other example is our malicious pdf file that gets opened by Adobe Reader inside Sandboxie. Reader starts loading the file but also at some point it executes attacker-controlled (shell) code. Now Reader is loading a dll on behalf of the attacker and starts executing that in its own memory space. The dll contains a local kernel exploit. So the dll, through the Reader exe, calls the kernel, the kernel processes the call and at some point a buffer overflow or whatever (e.g. the latest one http://secunia.com/advisories/42356/ - still unpatched) kicks in and the kernel is running attacker-controlled code in its memory space. The code itself does the mentioned nasty stuff from above.

    Please bear with me, there surely are some mistakes in the terminology or worse. But I hope the high level idea makes sense.

    Can you post a source where the Sandboxie devs say they can protect against a, no, we need "any", staged kernel 0day?

    Like HIPS they can monitor and block some known risky calls, but it's impossible to always detect in advance if a call is innocent or trying to exploit the kernel. Maybe these two kernel exploits are scary because the kernel call is entirely expected and looks benign, and their fear had nothing to do with remote, staged or whatever, but that property certainly isn't exclusive to these two.
    Or it's just about the dll loading thing. I'm sure back then when they made that statement they didn't know of the loading-dll-from-memory attack (which, as you remember, is explicitly designed to bypass HIPS among others; I doubt Sandboxie would fare any better, how should it?).

    Finally we mustn't forget, we aren't talking about the POCs against those kernel exploits and others. They are all mitigated by Sandboxie as the kernel-level shellcode only executes an ordinary .exe inside of Sandboxie instead of a low-level payload (although at this point breaking out of Sandboxie and executing the dropped file in the real system should be trivial. Attackers just don't know any better; Sandboxie isn't that widespread).

    I found this thread:
    http://www.sandboxie.com/phpbb/view...&start=0&sid=8350a615bac9b4eda0a1591073fdaec4
    A few quotes:
    "...it does not involve a driver -- otherwise it would not be an exploit. So Sandboxie blocking drivers is probably not any countermeasure against this exploit." - tzuk
    "Addressing this vulnerability sets a slippery slope precedent. I agree with you and expect Sandboxie to guard generic OS avenues that can be exploited, but how much effort should tzuk put into adjusting Sandboxie to compensate for unpatched operating systems?" - nick
    "Suppose a zero-day kernel mode elevation exploit is discovered in your favorite anti-virus software. Would you hold me responsible to patch that too, until the AV vendor gets around to it? I think that's what nick s means when he says slippery slope, and I agree." - tzuk

    The only thing I conclude from this is that it confirms my initial comment on how important it is to keep your OS/kernel up to date. We've come full circle...

    As long as malware isn't targeting Sandboxie, there isn't much to expect from throwing random malware at it (i.e. same old drop, execute; really big surprise there).
    And as posted above they aren't that common (17% according to those stats). When I said "not rare" I meant that most privilege escalations allow arbitrary code execution (by definition there are no DoS-only privilege escalations, so what's left? "non-arbitrary" code execution; ret2libc comes to my mind again). I didn't know you were only talking about the _remote_ privilege escalations. My second comment was that it stands to reason that if most XP exploits were "from remote", probably the majority of all arbitrary-code-execution privilege escalation exploits are vulnerable "from remote" as well.
     
    Last edited by a moderator: Dec 10, 2010
  3. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
    HD Moore labeled that type of vulnerability as critical. To quote: since the EOT file is rendered at the kernel level, not by Internet Explorer (IE) itself, browser-based defenses won't help. "There's no JavaScript required for an exploit," Moore said, talking about the scripting language that's a popular tool for hackers who target browsers. Those kinds of attacks can be deflected by restricting JavaScript, or disabling it entirely. On Vista PCs, IE7's and IE8's "sandbox," which is designed to prevent attack code from escaping the browser and worming its way into, say, the operating system, also will be useless, Moore said. End of quote.

    Other staged exploits are easy to mitigate: don't click and you'll not get infected. Layered defence is enough, barring the theoretical loading of a dll from memory, which I haven't heard of in the wild even in targeted attacks. I think it will be hard to penetrate a system with layered defences.

    I agree kernel vulnerabilities must be patched immediately if possible.
     
  4. rrrh1

    rrrh1 Registered Member

    Joined:
    Sep 10, 2007
    Posts:
    211
    I really hate to resurrect such an old topic but:

    1.) I reloaded XP Home on an old laptop with only 256 MB of RAM and a 2.2 GHz Celeron CPU.

    2.) Loaded some necessary updates for playing DVDs and audio files.

    3.) It will never be on the INTERNET.

    There are no antivirus, antispyware or antimalware programs on it at all...

    Boots in 35 seconds... Shuts down in 12 seconds. Plays DVDs with on-board video; seems as fast as the much newer dual-core desktop with 2 GB RAM.

    Now:

    Since Monday Feb. 14, 2011 I have transferred nearly 1.2 GB for updates for all of the software on a desktop computer I have and only ~400 MB for watching some TV on hulu and other INTERNET browsing.

    The joy IS Gone !!

    I am thinking about using something like Webconverger from a CD on an older desktop for my Internet surfing.

    I want off of this update merry-go-round !!

    Updates...I can now understand why most computers are so out of date...

    Rant mode off !!

    Have a good day !!

    rrrh1 (arch1)
     
  5. culla

    culla Registered Member

    Joined:
    Aug 15, 2005
    Posts:
    504
    still working for me my old laptop flies :D
     
  6. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    My old Dell has a 2.4 GHz P4 and 1 GB RAM. It boots in about 20 seconds, shuts down in 7.
    It has no AV, AS or AM software, never has. It does have a firewall and HIPS.
    It's running and connected to the internet 24/7. It serves as a Tor node/relay, virtual system host, test bed, and general purpose unit.
    It's dual boot, but its other OS (XP Pro) is almost never used.
    It gets the occasional unofficial upgrade or enhancement and some new apps for testing them, but not much else.
    It's stripped of all unnecessary components, including Internet Explorer. The entire OS and installed apps take up 1.05 GB, with data and guest OSes on separate partitions.
    It's fast. It does all I need. It's nearly bulletproof. It's rock stable. It's completely unsupported and "obsolete". Getting off of the merry-go-round and relying on default-deny to protect it has made it fun again.

    Did I mention, it's Win 98SE, improved with KEX, RP9, and other unofficial upgrades.
     