Reported Sandboxie breach

Discussion in 'sandboxing & virtualization' started by Doodler, Aug 20, 2009.

Thread Status:
Not open for further replies.
  1. Doodler

    Doodler Registered Member

    Joined:
    Dec 23, 2007
    Posts:
    237
    There's been a report of an SBIE breach by a well-regarded poster in that forum. Apparently tzuk has confirmed it.

    I did a cursory review of the FAQ's in this (Wilders) forum to find out if it's acceptable to post a link to that thread since, within that thread, are additional links to the malware. I couldn't find a definite answer, but may have overlooked it. I'm posting the link below and will trust a mod to remove it if inappropriate.

    http://sandboxie.com/phpbb/viewtopic.php?t=6123

    One of the posts asks for testing volunteers.
     
  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Nice play. Let's go for it.
     
  3. dell boy

    dell boy Registered Member

    Joined:
    Apr 13, 2009
    Posts:
    240
    Location:
    uk, england
    Ouch. Still, it's good that tzuk is a very active developer, getting on with testing.
     
  4. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    Wow, this is rare news.
     
  5. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Not rare, poop happens, and I really think we have only seen the tip of it. Another good reason to work with your vendor in fighting this crap. Only by doing so do you have a chance to have a win-win situation. Otherwise, it is going to be a cold-ass winter. ;)
     
  6. dell boy

    dell boy Registered Member

    Joined:
    Apr 13, 2009
    Posts:
    240
    Location:
    uk, england
    Is it me or do you change your tune on a daily basis, trjam? :p
    Sorry to get off topic.
     
  7. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    It's pretty rare, since you don't hear of TRUE breaches of Sandboxie all that often...
     
  8. dell boy

    dell boy Registered Member

    Joined:
    Apr 13, 2009
    Posts:
    240
    Location:
    uk, england
    Well, this is the first I have read about; it's a shame that vulnerabilities aren't so rare in Windows OSes.
     
  9. IceCube1010

    IceCube1010 Registered Member

    Joined:
    Apr 26, 2008
    Posts:
    963
    Location:
    Earth
    I'm sure the developer will figure this out, he always does.
    Ice
     
  10. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    True, tzuk does, but some folks should quit wrapping it in a silver lining. It has, or can have, issues too.
     
  11. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Well, whatever this one turns out to be from a real Sandboxie vulnerability to possible misconfiguration or OS vulnerability, it shouldn't be too surprising or shocking to anyone. It's very difficult to code perfect software that has no flaws of any kind. And the more popular a software becomes, the more likely it is that those flaws are found either accidentally or on purpose by someone who has some reason to be interested in looking for them.

    Well, one might want to consider the fact that a full operating system like Windows is orders of magnitude more complex than Sandboxie and has boatloads more features. So, it would be genuinely amazing if an operating system would have as few vulnerabilities as a far, far simpler software. There's also that the amount of vulnerabilities that have been discovered and reported in public really doesn't automatically equal the number of vulnerabilities that truly exist in a software - there are most likely many flaws that just haven't gotten public yet. Not a second goes by in the world without someone working on finding vulnerabilities in something as popular as Windows. On the other hand, some far more rare software can exist for days, months and even years without anyone except the author seriously looking for vulnerabilities in them. Most of the people who are searching for vulnerabilities aren't looking for them in something like Sandboxie. They're looking for flaws in popular operating systems, server software, browsers and the like.
     
  12. Atomas31

    Atomas31 Registered Member

    Joined:
    Sep 7, 2004
    Posts:
    923
    Location:
    Montreal, Quebec
    Does this malware also bypass DefenseWall and GeSWall?
     
  13. Toby75

    Toby75 Registered Member

    Joined:
    Mar 10, 2006
    Posts:
    480
    This is why I will always use a strong firewall.
     
  14. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    SBIE latest beta - bypassed
    GeSWall - intact (malware will not run as the installer stops).
     
  15. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Nice piece of malware but still unable to run with Sandboxie's start/run access settings in place.
     
  16. Atomas31

    Atomas31 Registered Member

    Joined:
    Sep 7, 2004
    Posts:
    923
    Location:
    Montreal, Quebec

    Thanks Aigle for testing it with Geswall :D

    I suppose we can assume that defensewall will also have no problem stopping it :rolleyes:
     
  17. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    For the exploit to work the Windows XP spooler service must be set at manual and not started at the time of install.

    If spooler service is set at default and has started there is no exploit, or at least that's how I think it works.

    With Geswall or Defensewall are you able to grab any droppers?
     
  18. wat0114

    wat0114 Guest

    Hi ssj/Franklin,

    which rule(s) will stop this exploit?
     
  19. wat0114

    wat0114 Guest

    Thank you ssj. That's what I thought, so what I want to get at is this: isn't this no different from denying a program from running with a HIPS or similar anti-executable program, as well as UAC or SRP, for example? Even you said earlier in this thread that a test is only valid if the executable is allowed to run, and I also advocate this condition when testing ;) I don't know about you and others who use SB, but I have used it to launch suspect executables to view their behavior, looking for suspicious activity in the process, all the while expecting SB to fully contain the executable's activity. Otherwise, I agree with this step 2 configuration for preventing unexpected file activity.
     
  20. thathagat

    thathagat Guest

    :thumb:
    And most other security apparatus too can be pretty effective if configured correctly... the key word, though, is "if".
     
  21. wat0114

    wat0114 Guest

    No arguments here, and right about properly configured Sandboxie being bulletproof against the unexpected. I'm still using VirtualBox, running my Sandboxied browser within it. This VB program is awesome. I love the ability to revert to a previous snapshot at the drop of a dime :D
     
  22. thathagat

    thathagat Guest

    Now that's akin to hunting a lion in a zoo... chained and sedated ;) Poor caged malware :D It can't run... phone a friend, and has its rights dropped.
     
    Last edited by a moderator: Aug 21, 2009
  23. wat0114

    wat0114 Guest

    I thought about that, but it only works if I run as admin in my host O/S, so a kind of catch-22. I prefer to run as I do because the host is bolstered against possible - although I'd say highly unlikely - leaks, because it is LUA/SRP. I know Franklin will love this last part :D

    Aww heck, who cares. This playing around using different ideas for security is a great learning experience and, I'll admit in my case, a kind of addictive hobby :) I'd be too embarrassed to convey the number of licenses I own for security software I haven't used in ages :oops: but all the same I'm happy to support developers of worthy products.
     
  24. SammyJack

    SammyJack Registered Member

    Joined:
    Aug 19, 2009
    Posts:
    129
    Franklin said:
    "For the exploit to work the Windows XP spooler service must be set at manual and not started at the time of install."

    I not only have my Firefox browser sandbox configured to allow internet access only to Firefox, but also to only allow Firefox to start in the sandbox.
    As part of my "cut the fat" regime, I have the Print Spooler service disabled as I do not need it.
    So where does "disabled" stand in terms of thwarting this malware?
     
  25. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    If spooler is set to disabled then there is no exploit.

    If spooler is at default auto and running there is no exploit.

    If spooler is set at manual and running there is no exploit.

    If spooler is set at manual and not running then there seems to be an exploit.

    If spooler is set at manual and not running with start/run restrictions in place then there is no exploit.
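A defender's check for the five spooler cases Franklin lists above, added here as an example and not code from this thread or from Sandboxie: it reads the Print Spooler service's startup type from its registry key and its running state, reports which case the machine is in, and can optionally move the service to Disabled or start it, the two states the post says close the window. It assumes Windows PowerShell on the host, administrator rights for the two remediation actions, and the standard Start value meanings (2 = Automatic, 3 = Manual, 4 = Disabled); it does not inspect the Sandboxie start/run restriction itself.

```powershell
# Added example (not from the thread): classify the Print Spooler service
# state the way Franklin's post does and optionally close the risky window.
param(
    [ValidateSet('Report', 'Disable', 'Start')]
    [string]$Action = 'Report'   # Disable/Start need an elevated shell
)

# Start value under the service key: 2 = Automatic, 3 = Manual, 4 = Disabled
$startNames = @{ 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }
$key     = 'HKLM:\SYSTEM\CurrentControlSet\Services\Spooler'
$start   = [int](Get-ItemProperty -Path $key -Name Start).Start
$mode    = $startNames[$start]
if (-not $mode) { $mode = "Unknown($start)" }
$running = (Get-Service -Name Spooler).Status -eq 'Running'

# Map (startup type, running) onto the cases listed in the post; a
# combination the post does not mention is reported as such, not guessed.
$verdict = switch ($true) {
    ($mode -eq 'Disabled') { 'Disabled: no exploit'; break }
    ($running)             { "$mode and running: no exploit"; break }
    ($mode -eq 'Manual')   { 'Manual and not running: the reported bypass applies ' +
                             'unless Sandboxie start/run restrictions are in place'; break }
    default                { "$mode and not running: case not covered in the thread" }
}

Write-Output "Spooler startup type: $mode; running: $running"
Write-Output "Verdict: $verdict"

# Remediation only for the risky combination; both targets are 'no exploit'
# states in the post. Pick Disable if you never print, Start otherwise.
if ($mode -eq 'Manual' -and -not $running) {
    switch ($Action) {
        'Disable' {
            Set-Service -Name Spooler -StartupType Disabled
            Write-Output 'Spooler set to Disabled.'
        }
        'Start' {
            Set-Service -Name Spooler -StartupType Automatic
            Start-Service -Name Spooler
            Write-Output 'Spooler set to Automatic and started.'
        }
        default {
            Write-Output 'Re-run with -Action Disable or -Action Start to close the window.'
        }
    }
}
```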
     