Sandboxie Technologies (SBIE Open source) (VERSION 5.33.6 ONLY!)

+1. thanks and congrats for your hard work, @DavidXanatos , and congrats to you too @diversenok .
now, i don't use sbie but i respect and support devs like yourself.

 

Hello, Bo.

I think you will agree when I say that the ordinary Sandboxie users (= most of us) finally have to rely on the knowledge and the work of the (few) experts for this software. So you are completely right when you say that it is a matter of trust.

Finally you can compare it with being the passenger of an airplane (or a ship or whatever): You have to rely on its quality and on the ability of its captain (and the whole team around him).

You took - to my mind - the most dangerous decision: You decided to stay the passenger of an old airplane that does not only have various security issues (see for example the above statements by David and diversenok) but that also does no longer have any captain at all (as Tzuk, Curt and Tom have quitted this job a long time ago)! One could say you use a ghost airplane.

The alternative are the two airplanes with a new captain (and constructor), namely David: He offers a refurbished version of the old one ("Sandboxie classic") and a newer, more advanced model ("Sandboxie plus"). Both models are permanently maintained and permanently operated by their captain/constructor. And in case that with these airplanes really occur some new security issues, the captain will be here to fix them.

So continuing to remain the passenger of the ghost airplane is to my mind definitely the worst choice regarding security.

The same from my side.

 

I'm 100% in the "David" camp it's not even close, all Sophos cared about were "browsers", and only for the popular ones. You talk about security and "holes", lets not forget here that the Sophos version didn't even work for a ton of stuff, basic stuff like installer (msi), my options for them would be to not use them (not an option), or to run it unsandboxed (nice HOLE there Curt!).

And as David has said about my issue, this would have happened and does happen with the Sophos version too, so you can't even use that as an argument. David keeps on top of things. Sophos, Curt, Tom (LOL), just bury their head in the sand.

 

Regardless of what you do, I am not changing the way I use my computer or Sandboxie 5.33.6.just because you are going to release what you call your exploits. But it ll be interesting to see what happens afterward. That makes it another reason for me to keep using 5.33.6.

Bo

 

Peter, you and I have gone thru this more than twice, enough is enough. I am not asking you or telling you (or to anyone else) what to use in your computer, I ask for same courtesy from you.

Bo

 

The burden of proof is on you. Words are cheap. I have seen no evidence whatsoever in the real world that SBIE 5.33.6 is as you say, an "evidently insecure peace of security software". Just because you say so, and there are POC's don't make it so. POC's that break SBIE in a lab test have been around forever. I been hearing same sad stories about Sandboxie since 2008, but none of this stories have ever turned into fact or real escapes or danger. Please, keep them to yourself unless you can bring proof of a real world escape.

Bo

 

I wonder how could this be measured objectively. Someone not biased please enlight me to understand this.

 

You are a hater, I ll ignore your post.

Bo

 

you can't. elam's just accusing @DavidXanatos of calling legacy sbie by its name, an abandonware while it really is what it is. but he doesn't hesitate for a sec to unjustly call @DavidXanatos an incompetent dev.

 

Well, I think it does not make much sense to discuss the matter with Bo any more. He obviously will not change his point of view (respectively his philosophy about Sandboxie) - and we (the "other side") will not change ours. Finally it is his computer and he may use it as he likes.

So (as Bo requested from me) perhaps it is really a matter of courtesy and tolerance to accept Bo's personal decision without further contradiction. But only as long as he does not "advertise" his preference. Because then definitely applies what David has written above:

In this case contradiction should always be legitimate and necessary.

 

Maintaining mutual fairness and not coming to the defense, or support of, anyone on this, but the PoC raises an interest for me in that it is still PoC. The question in my mind is how prevalent or what REALLY are the chances those PoC's that @diversenok shared with @DavidXanatos and is suggested will release shortly, that those exploits let's call them (or sandboxie jailbreaks for lack of a better analogy) would/could users commonly encounter today?

I used Sandboxie for what seems like ages from tzuk, and even still use/have those old versions on some 8.1 live production boxes that is never failed a single time. Also updated them with Sophos final this week.

Without sounding or seeming naïve, I have often got (and get) the same sort of suggesting disapproval because I chose to keep and depend upon Windows 8.1 and yet without any AV. Those boxes haven't been even hinted at having been penetrated. Once after installing QiHoo360 AV it was hit with what back then was the start of what we know now as ransomware, but third party apps (not the AV) intercepted and stopped it in time with minimal scrambled files. After that I swore off AV's for good. (Except now on the new Windows 10 box MD is ok)

When I mention on the fence as in a earlier reply, im not torn at all. I just am carefully observing the alternative Sandboxie's development along with issues or bugfixes then see how user's are fairing.

 

@EASTER. Regarding the POC's, remember Bromium? They created a thread here and killed Sandboxie a hundred times but that was not enough, so they killed it another hundred times, but in the end, nothing came out of it. Nothing. Every other POC that has been written about SBIE has the same end. I been a member here since 2010, specially during the first few years after 2010, there was always someone who predicted Sandboxie's demise, its coming, soon. But that announcement, never came thrue. The haters attacking SBIE, kept comng, the only thing that changed was the names of the attackers, but the end result is always the same. Nothing ever turned to reality.

Bo

 

I don't advertise my preference, I don't have to, you know why? Because I dont have an urge to do it, and that's because I am confident in my preference.

This whole back and forth started by a very simple post by EASTER written specifically for me. I answered and some of you guys didn't like it, if my reply don't fit in your perfect little world, I am sorry but there is nothing that I can do about it other than censor myself or lie, and that I won't do.

If someone comes here, ask something or say something, I am sorry if my answer don't fit what you want to read. Peter, you have no right conditioning what I can write and cant write. I always thought of you as a friend, still do, but you are wrong on this.

Bo

 

just do it: https://www.youtube.com/watch?v=D0GZ4Y9w6o0

 

One of the vulnerabilities @diversenok has discovered allow any program running inside the sandbox with minimal afford to spawn a process with system privileges outside the sandbox. That is as big a catastrophe as it can possible be.

Now if there is generic malware out there that would take the afford to implement this sandbox escape, or if they just don't care for the people using sandboxie, I don't know.
But I can assure you with utmost certainty that anyone running a targeted campaign against a person or institution that uses sandboxie will add this to their arsenal and try to exploit the fact that people using sandboxie will feal more secure running potentially dangerous software.

@diversenok tolled me that he will release one of his poc's shortly

 

I have already said on more than one occasion that this thread should be deleted or locked, but all I have gotten is the moderators deleting my posts after Bo's whining, so I won't waste any more time on this warning how stupid it is to keep talking about a completely broken and insecure program and of course I don't think there will ever be any other version of Sandboxie than yours.

 

Do it now, please.

 

I'm prob. even below an ordinary user, but didn't Sophos buy Invincea for other than Sandboxie specifically? Once the technology was absorbed, Sandboxie was left out for curbside pickup. Surely the decision to make it open source wasn't made in a day or a month or even a year. There was no more incentive or directive to develop it further, I think. But if "holes" were left in a software that people, even a few, were still using, then yes, even after the fact, it's worth learning about.

Please don't anyone take this as a "betrayal" or taking sides. No sides to take, imo. Someone came along and breathed new life into an empty shell. I admire that a lot.

 

with all due respect, @Monica2000 , "locked" maybe, but "deleted" no-no.

 

yep, that's right.

 

well said, plat. couldn't agree more.

 

Sophos didn`t give two hoots about Sbie, Ivincea [sold 2017] gave it a little bit of time and effort but Sophos bought Invicea for things other than Sbie, that was just a by-product of the purchase!
They are not a very good company, they promise this and that, but rarely deliver, having had the misfortune of dealing with them on technical issues this comes form personal experience. Try their AV, it is a slow, bug ridden cumbersome excuse for a security program
I personally would put David more akin to Ronan (Tzuk) in that he has a passion for the program and at least responds to problems. The amount of problems that were just ingnored in the Sbie forums when the "companies" controllled it was ridiculous.

We now have someone who is starting to get Sbie a decent following again, and I for one would like to thank David [and the github helpers] very much...Keep going, if someone has a preference for an older version, that`s up to them, people still use XP or windows 7, plus nowadays it`s not that easy to get malware if you use a bit of common sense, working browser expolits are worth a lot of money...

 

couldn't have put it any better, @Mattchu .
this is it. no more, no less.

 

Older versions of Sandboxie have an excellent overall architecture, but they have multiple vulnerabilities.

Here is a link to a pre-release of one of the exploits for version 5.33.6. It a combination of a sandbox escape with an escalation of privileges that escapes from a sandboxed non-admin to an unsandboxed SYSTEM. It is also DropAdminRights-compatible, so there are no ways to protect yourself from it except for updating. Does that sound severe enough?

Spoiler: Screenshot

https://user-images.githubusercontent.com/30962924/122394424-42476d80-cf76-11eb-846d-75307ee48181.png

If you don't believe what I say, just boot up a virtual machine and try it yourself. I will be releasing a few other exploits and blog posts describing the technical details behind them in the near future. Again, none of these problems apply to newer releases, thanks to @DavidXanatos.

In all fairness, even older Sandboxie is still significantly better than Avast/Comodo/360Security/Shade sandboxes. Nonetheless, it has severe vulnerabilities, just not as severe as other products. So, if you were waiting to update from 5.33.6, it's about time.

So, stop spreading misinformation that 5.33.6 is somehow better than newer versions. It is less secure and less compatible with 3-rd party software.

 

Exacly @diversenok and dont forget even VMware dont protect agains all virus you can see in changelogs - so also need take care on current version



So make sure you have all software security update fast as only possible for your secure.
You can find lates version Sandboxie here
https://github.com/sandboxie-plus/Sandboxie/releases