Why hasn't Mozilla developed a Chrome-like sandbox for Firefox?

Discussion in 'other software & services' started by Fox Mulder, Dec 16, 2012.

Thread Status:
Not open for further replies.
  1. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
    Let's keep our fingers crossed...:doubt:
    That's the bitter truth...:(
     
  2. Fox Mulder

    Fox Mulder Registered Member

    Joined:
    Jun 2, 2011
    Posts:
    204
    I currently use a layered model that I'm very satisfied with. It's probably totally redundant and overkill, but eh. I need something to do when I'm bored, and that something is tinker with security.

    COMODO Dragon (based on Chrome) + ScriptNo + Sandboxie.

    I'm pretty sure that nothing is going to find their way out of that security sandwich.

    In many ways, I prefer Firefox. But browser sandboxing seems like such a necessity to me that I can't do without it. NoScript is fantastic, but if a whitelisted site is compromised, then you're dead in the water.
     
  3. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,507
    Speaking of Comodo Dragon browser, how often is it updated? Is it kept up to the pace of Google's Chrome browser? Never tried it before but I am curious.

    Thanks.
     
  4. Fox Mulder

    Fox Mulder Registered Member

    Joined:
    Jun 2, 2011
    Posts:
    204
    Dragon is kept up to date with Chrome. Comodo puts a lot of work into the browser. It's basically Chrome, but with the tracking stripped out; there are also some security improvements. All Chrome extensions and themes work with Dragon.
     
  5. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    Why is that?
     
  6. Fox Mulder

    Fox Mulder Registered Member

    Joined:
    Jun 2, 2011
    Posts:
    204
    If a site is on NoScript's whitelist, and that site becomes compromised, a compromised script would run in your browser and potentially gain access to the data in other tabs. So for example, if I had my bank's website open in one tab, and a formerly safe site in the other, my bank data could potentially be vulnerable in Firefox.

    On the other hand, in Chrome, each tab is sequestered so that even if a formerly trusted site runs a malicious script, it could not access the bank data in the other tab.
     
  7. jo3blac1

    jo3blac1 Registered Member

    Joined:
    Sep 15, 2012
    Posts:
    739
    Location:
    U.S.
    cause you get a drive by
     
  8. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    Is the script itself of concern or what happens after the script runs?

    Since drive-by downloads were mentioned, doesn't the script typically attempt to download and install malware? This being the case, a user running as a limited user with anti-executable provisions in place should be able to easily avoid the harmful intent of the payload. Why wouldn't removing execute rights on the browser's downloads directory prevent the payload from launching? It's probably best to stop the script first, but if it's not there're other lines of defence available to easily prevent the infection.

    The accessing bank data example is interesting, because I'm not really sure what to say about that one, except that if one accesses their bank's website directly only, and from home, and it's a secured http site (as any reputable bank should be), then I don't see the danger here. There's an encrypted handshake between the bank's server and user, bank's certificates are validated by the user's browser, then the encrypted session is invoked and maintained only between the bank's server and the logged in user.
     
    Last edited: Dec 18, 2012
  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Well, for one thing, malware doesn't get launched from your downloads folder. Most of the time it gets launched from /appdata/. Removing execution from your /appdata/local/ folder is generally enough to stop 95% of the malware out there (based on a McAfee whitepaper).

    This is one of my favorite papers: https://www.cr0.org/paper/to-jt-party-at-ring0.pdf

    People forget that antiexecutables don't actually stop execution. Browser exploits are execution. Secondary payloads can be stopped with AE, that's all.

    As they suggest in the paper, at this point you want a sandbox.

    NoScript with whitelisting still provides some security, but if you hit a page directly that's infected you may be in trouble. NoScript is better for keeping a specific webpage secure - you can remove XSS, CSRF, and Clickjacking. Chrome is better at keeping your system secure.
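
Added example, not part of any post in this thread: a small Python model of the path-based anti-executable rule debated above, comparing wat0114's downloads-only rule with the /appdata/local/ rule from Hungry Man's reply. The event list is constructed, and the rule names and the default `C:\Users\<name>` profile layout are assumptions.

```python
import ntpath
import re

# Deny rules as regexes over a normalized, lower-cased image path.
# Assumption: default Windows profile layout under C:\Users\<name>.
DOWNLOADS_ONLY = [r"^c:\\users\\[^\\]+\\downloads\\"]
WITH_APPDATA = DOWNLOADS_ONLY + [r"^c:\\users\\[^\\]+\\appdata\\local\\"]

FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed process-creation events as (image, parent); not real telemetry.
SAMPLE_EVENTS = [
    (FIREFOX, EXPLORER),
    (r"C:\Users\alice\AppData\Local\Temp\upd8.exe", FIREFOX),
    (r"C:\Users\alice\Downloads\..\AppData\Local\Temp\a.exe", FIREFOX),
    (r"C:\USERS\Alice\Downloads\setup.exe", EXPLORER),
]


def normalize(path):
    """Collapse '..' segments and case so a rule is matched on the real location."""
    return ntpath.normpath(path).lower()


def is_denied(image, rules):
    """True if the normalized image path falls under any deny rule."""
    norm = normalize(image)
    return any(re.match(rule, norm) for rule in rules)


def blocked_images(events, rules):
    """Return the normalized paths of process launches the rule set would stop."""
    return [normalize(image) for image, _parent in events if is_denied(image, rules)]


# Note: code running inside firefox.exe creates no process-creation event,
# so neither rule set ever evaluates it; only the dropped payload is visible.
if __name__ == "__main__":
    for name, rules in (("downloads only", DOWNLOADS_ONLY), ("with appdata", WITH_APPDATA)):
        print(name, blocked_images(SAMPLE_EVENTS, rules))
```
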
     
  10. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    I'd forgotten about that directory. That does make sense. As for the article, it looks like a lot of highly technical, point form information. It may be informative, but I find it difficult to understand.
     
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Most of the article is about exploiting the kernel, and isn't relevant. It's just a really great piece of research, it's up there with Smashing the Stack for Fun and Profit.

    But it does touch on antiexecutables only in that brief section.
     
  12. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    Isn't stopping the secondary payload all that really counts in the end? I believe in one exploit of IE 7 some years ago, it was the browser's legitimate urlmon.dll that was exploited to download and execute the malicious payload (a trojan) in the IE temp folder. At least it worked something along those lines, I can't remember exactly how. It was a thread I stumbled across where Rmus illustrated the steps of the exploit.

    The bottom line is it was not the exploit of the dll in IE 7 that caused the damage, rather it was the malicious trojan that was executed by it in the temp folder. Rmus posted a screenshot that shows his AE software stopping the trojan from being executed by IE.
     
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Not really. If your goal is to prevent code execution an AE starts way too late in the game.

    Think about why that payload in the Rmus illustration is an issue. Because it's running dangerous commands. If an attacker can run those commands before your AE ever comes into play, what security does it provide? You've got your code execution way before the security begins.

    In terms of an attack you want to break it as early as possible, because as the attack continues through its stages they only gain more and more control over the system.

    Like I've said before, malware is dropped through secondary payloads for managerial reasons. It makes exploit kits more profitable because they can pair one exploit kit to very easy to create payloads, this makes it much easier for specialized tasks.
     
  14. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    I agree it's best to stop the beginning of the attack, but I think in this case and likely so many others, those dangerous commands you mention aren't doing anything more than paving the way for the real danger - that being the trojan payload. That's not to say something more menacing might unfold even without a payload being downloaded/executed. It's just that based on what I've seen in examples given, this latter attack approach, or similar, seems to be the norm.

    I found the link: https://www.wilderssecurity.com/showthread.php?t=263323

    Again, I agree it's best to stop the exploit from triggering in the first place, but I see AE (anti executable) as an excellent layer in the defence against these and similar exploits if they do trigger.
     
  15. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,224
    It's not a selling point at all.
    Only geeks care about it and know about it.
    For normal people, it's irrelevant.

    Not all features in the browsers are about security.
    There are other things, like speed, compatibility, stability, etc.
    All far far more important than some nebulous security thingie.

    Mrk
     
  16. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I know a lot of regular people who have gotten infected and they've chosen Chrome for that reason. They don't know what a sandbox is, why it works, how it works, etc. They just hear Chrome is more secure, so they use it.

    Lots of people have gotten viruses, they don't want to again. I'm talking about 50-60 year olds here too.

    Most people don't know the details of performance or anything else either. They just know what they hear. So when the geeks start saying "This browser sucks, this browser is great" that's what they hear. You can see it with IE, which still has a terrible reputation because for years 'the geeks' were saying that it sucks, and the non-geeks didn't understand the reasons, so they just went with it.
     
  17. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    You are right, at least when it concerns those who don't know or care about the security aspect of the browser. However, I think if they placed as much importance in browser security as they do in browser functionality and performance, they might choose more carefully and differently. Just sayin' ;)

    Makes sense. The only question I'd have is "why did they get infected?" Was it the fault of the browser they were using or something else?
     
  18. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Regular people don't hear "Oh, this browser is fast/stable/secure" they just hear "this browser is good" and they hear that from geeks. It's always been that way.

    Varies on a situation by situation basis. Lots of people got infected through Flash/PDF though.
     
  19. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    That's interesting and perhaps not too surprising either. I figured Java might be a reason too, but I guess there are far more sites with Flash content than with Java. Is it mainly because of outdated Flash players and PDF readers that they get infected?
     
  20. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Flash 0days used to be a lot more common. Reader exploits too. Now it's mostly outdated versions that get attacked, but just a little while ago there was a 0day reader exploit that didn't require Javascript and bypassed the sandbox.

    Java exploits have continued to rise as other programs picked up the pace in their security.

    I've fixed a lot of computers infected in lots of ways. For a long time Flash exploits were the number one vector.
     
  21. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    Okay thanks. Microsoft in their Security Intelligence Reports have even indicated it's mainly 3rd party software such as Adobe that is exploited more so than their own MS products.
     
  22. twl845

    twl845 Registered Member

    Joined:
    Apr 12, 2005
    Posts:
    4,186
    Location:
    USA
    Maybe they figure that most users use Noscript and that's good enough.
     
  23. Jaspion

    Jaspion Registered Member

    Joined:
    Nov 23, 2012
    Posts:
    195
    Location:
    Brazil
    No, most users don't use that. 2,193,656 users according to its page on https://addons.mozilla.org/en-US/firefox/addon/noscript/ while only on CNET download.com it says "Total downloads: 38,126,979" for Firefox.
     
  24. Techwiz

    Techwiz Registered Member

    Joined:
    Jan 5, 2012
    Posts:
    541
    Location:
    United States
    I don't hold it against Firefox, if users fail to utilize the add-ins and security/privacy settings available. Doing it for them only exacerbates the issue of user illiteracy. It's like having hot mittens in your kitchen. If you burn yourself because you don't use them ... do you blame the company for not forcing you to wear them? People need to burn themselves a couple times to motivate their interest in learning how not to get burned.
     
  25. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I disagree 100% with the opinion. I do respect your opinion, though. :)

    Otherwise, we'd have to say the exact same thing about everything else, starting by the operating system itself. Not to mention, Internet Explorer 6 would still be considered a pretty darn safe web browser to use. :D

    An operating system is not meant as a security measure/application, but as a platform for other applications and hardware interaction with the user. Nothing more. But, we do want operating systems to be more secure every time a new version comes out and new threats appear, don't we? So, why wouldn't we want that with our browsers?

    No one's talking about reinventing the wheel, rather to make good use of it. Google made good use of it.

    Also, the reality is that we don't have to know about everything in life. There's a lot I don't know about, and I damn hope others are doing what they can to assist me, in a direct/indirect way.
     