Chrome + AppContainer vs Chrome + Malwarebytes Anti-Exploit

Discussion in 'sandboxing & virtualization' started by Beyonder, Dec 31, 2016.

  1. Beyonder

    Beyonder Registered Member

    Joined:
    Aug 26, 2011
    Posts:
    545
    Hello. As you might already know, Chrome runs its own sandbox. However, under chrome://flags/ you can enable AppContainer support. If you don't know what AppContainer is, then the simple explanation is that it's a type of sandbox included with Windows 8 or later Windows operating systems.

    Now the question is: Is Chrome with AppContainer enabled more or less secure than Chrome running side by side with MBAE? From my understanding Chrome already has most of the MBAE stuff implemented by default, so doesn't that mean that AppContainer should be the superior choice?

    I'm currently using Sandboxie, but since MBAE/AppContainer is less likely to break the browser completely it's a better choice for non-tech people like my parents, but feel free to compare it with Sandboxie too if you want.
     
  2. pb1

    pb1 Registered Member

    Joined:
    Apr 4, 2014
    Posts:
    1,276
    Location:
    Sweden
    Let me present you with another alternative: Antiransomware and EMET.

    Information about Antiransomware : https://www.wilderssecurity.com/threads/interesting-antiransomware-freeware.391031/ . Facts about EMET still being good protection even for W10 : http://www.ghacks.net/2016/11/24/microsoft-windows-10-emet-unnecessary/.

    There you will have some good install and forget protection. But you will still need a good backup solution to cover up if malware occurs, that is the best and simplest solution for "non techies". There exists some really simple and reliable solutions out there.
     
  3. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    I've enabled AppContainer and Chrome is protected by HitmanPro.Alert and all works great.

    Your mileage may differ.
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Tools like HMPA and MBAE are designed to protect the browser, even if the browser's own sandbox is breached. Same goes for SBIE, with the difference that SBIE is focused on containing malware instead of blocking it. So I would never rely only on a browser's sandbox, no matter how secure it is.
     
  5. I use HenryPP's chromium, it is compiled with CFG, so on Windows 10 you have extra exploit protection.

    First I have AppContainer enabled with about flags to run renderer processes in an AppContainer sandbox, making Chrome's internal sandbox stronger and harder to escape.

    Second I have UAC set to block elevation of unsigned programs, so the broker process running with medium integrity level rights effectively runs in a limited user sandbox.

    Third I use a little free program called MemProtect to enable Windows internal protected processes. I allow executables in Chromium folder to call and access memory of executables located in the Chromium folder only. So this is the third container around Chromium.

    Fourth I add a "Deny Execute/Traverse Folder" ACL to my download folder and Chrome's Appdata (user data) folders. When you apply that you will get some errors because Chrome apparently has set some ACL limitations on some files and folders itself.

    Because I use Windows mechanisms only, there is no code added (HMPA/MBAE/EMET) nor is the security model changed (SBIE), so I think Chrome is kept at its strongest.
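The second and fourth steps above (UAC restricted to signed elevations, and a Deny Execute/Traverse ACE on the download folder) can be checked and applied from PowerShell. The script below is an added example, not code from the thread or from any of the tools named in it; the folder path, the principal and the UAC registry value it inspects are assumptions stated in the comments, and the Deny ACE is applied to a constructed temporary folder first so the effect can be inspected before touching a real profile folder.

```powershell
# Added example (not from the thread). Assumptions:
#  - the target folder and principal are placeholders; adjust before real use
#  - UAC "only elevate signed executables" is read from the documented policy
#    value ValidateAdminCodeSignatures under the System policies key
Set-StrictMode -Version Latest

# Returns $true when UAC is configured to elevate only signed/validated executables.
function Test-UacSignedElevationOnly {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $val = Get-ItemProperty -Path $key -Name 'ValidateAdminCodeSignatures' -ErrorAction SilentlyContinue
    return ($null -ne $val -and $val.ValidateAdminCodeSignatures -eq 1)
}

# Adds an inheritable Deny ACE for "Execute file / Traverse folder" (the X right)
# on $Path for $Identity. Files dropped into the folder inherit the deny, so a
# downloaded binary cannot be launched from there without being moved first.
function Add-DenyExecuteAce {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $Identity = 'BUILTIN\Users'   # assumed principal
    )
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]::ExecuteFile,
        ([System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'),
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Deny)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Returns $true when an inheritable Deny ExecuteFile ACE for $Identity is present.
function Test-DenyExecuteAce {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $Identity = 'BUILTIN\Users'
    )
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Deny' -and
            $ace.IdentityReference.Value -eq $Identity -and
            ($ace.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ExecuteFile)) {
            return $true
        }
    }
    return $false
}

# Removes the Deny ACE again (rollback helper), so the change is reversible.
function Remove-DenyExecuteAce {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $Identity = 'BUILTIN\Users'
    )
    $acl = Get-Acl -Path $Path
    $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -eq $Identity } |
        ForEach-Object { [void]$acl.RemoveAccessRule($_) }
    Set-Acl -Path $Path -AclObject $acl
}

# Demonstration on a constructed temporary folder (no real profile folder touched).
$demo = Join-Path $env:TEMP ('deny-exec-demo-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $demo | Out-Null
try {
    "UAC signed-only elevation: $(Test-UacSignedElevationOnly)"
    Add-DenyExecuteAce -Path $demo
    "Deny ExecuteFile ACE present: $(Test-DenyExecuteAce -Path $demo)"
    # A file created inside inherits the deny; icacls shows it as (DENY)(X) style rights.
    Set-Content -Path (Join-Path $demo 'sample.txt') -Value 'constructed sample'
    icacls (Join-Path $demo 'sample.txt')
    Remove-DenyExecuteAce -Path $demo
    "Deny ACE after rollback: $(Test-DenyExecuteAce -Path $demo)"
} finally {
    Remove-Item -Path $demo -Recurse -Force
}
```

Run it from an elevated prompt only if you want the UAC check to read the machine policy key; the ACL functions work on any folder the current user owns. Expect the errors the post mentions when applying this to Chrome's own profile folders, since Chrome already sets ACLs on some of its files, and keep the rollback function handy because a Deny ACE on the folder itself also blocks the user from traversing it if their token lacks the bypass-traverse-checking privilege.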
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    LOL, you seem to be fascinated by your Windows tweaking. But this is an old discussion. In general, hackers write exploits that are specifically designed to bypass browser sandboxes, they are not trying to bypass third party security tools that are running on top. So that's why the possible weakening of Chrome's (or other browser) sandbox is hardly relevant, unless you are targeted by some elite hacker.
     
  7. 1. Number one design principle of IT: be humble, (re)use what is already available.

    2. How many exploits have been found in the wild bypassing AppContainer sandbox?

    3. Old discussion not to be repeated, thank you
     
    Last edited by a moderator: Jan 10, 2017
  8. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    Are these browser sandbox exploits currently being successfully utilized? As far as I'm aware, it's the browser plugins such as Adobe or Java that are typically targeted and not the sandbox, but I could be completely wrong. These days I'm becoming increasingly bored with these security topics because nothing ever happens in my neck of the woods, so I'm losing track of the latest and greatest exploit trends ;)
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    That's not the point, I even said in another thread that it's becoming very hard for exploit-writers to successfully exploit systems because of browser sandboxes and ad-blockers. But that doesn't take away the fact that running security tools designed to protect the browser, is still a good idea, in case a browser's sandbox does get breached.

    https://threatpost.com/two-new-edge-exploits-integrated-into-sundown-exploit-kit/122974/
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    And BTW, when you think about it, people who are worrying about MBAE (or other tool) weakening the Chrome sandbox, are actually the true paranoid ones. Because those people assume they will be targeted by elite hackers, that will write specific exploits that will only work when Chrome and MBAE (or other tool) are combined. :argh:
     
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Important to note is that these were discovered vulnerabilities that were rapidly patched by Microsoft when they were disclosed. To date, there has not been a successful in-the-wild exploit against Edge: https://mspoweruser.com/security-company-eset-says-edge-browser-has-no-exploits-in-the-wild/ .

    That said, the Threatpost article had an interesting comment about the absolute need to ensure that the first thing required when acquiring an off-the-shelf PC is to run Win Updates.
     
  12. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,805
    Location:
    .
  13. guest

    guest Guest

    Untrusted = low box token
    Appcontainer = low-box token modified based on "capabilities" set by the developer of the Metro App.
     