Sandboxie and Java

Discussion in 'sandboxing & virtualization' started by Page42, Jun 17, 2011.

Thread Status:
Not open for further replies.
  1. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,828
    Location:
    Last Breath Farm
    I'd like some opinions and advice from my fellow Wilders Sandboxie users.

    Last night I wanted to view the eagle, falcon and osprey cams on this site --> http://briloon.org/.
    In Sandboxie, I had to give Internet Access and Start/Run Access to java.exe in order to view the cams.

    I did so, and was able to view the cams.

    My question is, does anyone think that there is a problem with doing that?

    I say there isn't. The way I see it, even with "unprecedented waves of attacks exploiting vulnerabilities in Oracle's Java software" (according to Microsoft in Oct. 2010), anything bad happening is taking place in a sandbox, and it disappears when I close the browser.

    So temporarily granting java.exe Internet Access and Start/Run Access was not dangerous, nor was I "lowering" my defenses in any manner.

    Agree/disagree? Thoughts? Thank you.

    (FWIW, I am running Java Version 6 Update 26.)
     
  2. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    You're in Sandboxie, don't worry over it. If it wasn't for me not having the first clue how to tell if something is malicious or not, I'd have Sandboxie and that's it. No AV, no white lists, no srp/applocker, or any of that stuff. You'll be fine, just empty the sandbox when you're done (if it isn't on auto).
     
  3. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,828
    Location:
    Last Breath Farm
    Auto delete, dw. :)
     
  4. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    You're good to go then, imho.
     
  5. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Also keeping it updated and EMET hardened helps. Almost all Java exploits are on out-dated versions.
     
  6. Boost

    Boost Registered Member

    Joined:
    Feb 2, 2007
    Posts:
    1,293
    No need to worry, period. Everything is dumped after you close the browser.
     
  7. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,768
    Location:
    Nicaragua
    Hi page, java's activity took place inside the sandbox, isolated from the rest
    of your system. Any changes were gone when you deleted the sandbox. Just
    that simple. :)
    Java never touched your real system, files or registry. Be happy, my friend,
    you are using Sandboxie. Like you, I don't trust Java at all and got rid of
    it 2 years ago. I don't miss that thing at all.

    Bo
     
  8. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Create a JAVA sandbox. Install JAVA into this sandbox. Allow only JAVA and your browser(s) to execute. Allow only your browser(s) to have outbound network access. I don't know if you can limit JAVA network access or not, as I have never tried.

    Don't autodelete this sandbox, only use it for these types of things you are doing where there is no account info being used. Go where you want, do what you want. If you ever navigate to a website you would not want JAVA to interact with, do it in another sandbox.

    This allows JAVA to be installed into a contained environment, and allows it to persist as long as you like. It keeps your system clean of JAVA, yet still allows you to use it when you need for "safe and mundane" purposes. If an exploit ever takes place, the attacker will know you have gone to watch birds. Keyloggers and other downloaded binaries should not be able to start, so your only fear is JAVA exploits. If really paranoid, limit where the sandbox can read. Lock it down as tight as you feel you need to, it is easy to do.

    Sul.

    EDIT: It is my belief that you should make as many sandboxes as you need. There is no reason not to do so other than not wanting to take the time to do so. Using multiple boxes allows you to micro-manage what goes on, and this is a really good example of how using multiple boxes can make your life easier once everything is configured.
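
An added example, not part of the thread or of Sandboxie itself: a small Python audit of a Sandboxie.ini that reports, per sandbox, the three settings discussed above (whether Start/Run is restricted, whether java.exe may connect out, and whether contents persist). The sample file and box names are constructed, and the code assumes the `ProcessGroup` / `ClosedIpcPath` / `ClosedFilePath` layout that Sandboxie's Start/Run and Internet Access restriction settings write, in a file holding only sandbox sections.

```python
# Constructed sample (not from the thread); box names are hypothetical.
SAMPLE_INI = """\
[DefaultBox]
AutoDelete=y
ProcessGroup=<StartRunAccess>,iexplore.exe,java.exe
ClosedIpcPath=!<StartRunAccess>,*
ProcessGroup=<InternetAccess>,iexplore.exe,java.exe
ClosedFilePath=!<InternetAccess>,InternetAccessDevices
[JavaBox]
AutoDelete=n
ProcessGroup=<StartRunAccess>,iexplore.exe,java.exe
ClosedIpcPath=!<StartRunAccess>,*
ProcessGroup=<InternetAccess>,iexplore.exe
ClosedFilePath=!<InternetAccess>,InternetAccessDevices
"""

def parse_ini(text):
    """Sandboxie.ini repeats keys, so keep every value per key per section."""
    boxes, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = boxes.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current.setdefault(key.strip(), []).append(value.strip())
    return boxes

def allowed(box, group, rule_key):
    """Programs in a process group, or None when no Closed* rule enforces it."""
    if not any(v.startswith("!" + group + ",") for v in box.get(rule_key, [])):
        return None
    members = set()
    for v in box.get("ProcessGroup", []):
        head, *rest = [p.strip().lower() for p in v.split(",")]
        if head == group.lower():
            members.update(rest)
    return members

def audit(text, risky="java.exe"):
    """Per box: is Start/Run restricted, can `risky` connect out, do contents persist."""
    report = {}
    for name, box in parse_ini(text).items():
        run = allowed(box, "<StartRunAccess>", "ClosedIpcPath")
        net = allowed(box, "<InternetAccess>", "ClosedFilePath")
        report[name] = {"start_restricted": run is not None,
                        "risky_can_connect": net is None or risky in net,
                        "persists": box.get("AutoDelete", ["n"])[-1].lower() != "y"}
    return report
```

In the sample, `DefaultBox` mirrors the setup from the first post (java.exe granted Internet Access, auto-delete on) and `JavaBox` mirrors the dedicated box described in this post (only the browser may connect out, contents kept).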
     
  9. Spooony

    Spooony Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    514
    Make sure your older versions of java are uninstalled
     
  10. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,828
    Location:
    Last Breath Farm
    Hey Bo
    Remember Sandboxie's motto... Trust No Program.
    So let me ask you, since SBIE does such a thorough job of not letting Java touch your system, files or registry, why do you say, "I don't trust Java at all and got rid of it 2 years ago"? That is, isn't it okay to keep it around as long as it is sandboxed?
    Excellent points. :)
    That's the way I see it, Boost.
     
  11. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,828
    Location:
    Last Breath Farm
    Hi Sul!
    Great advice and input... really worth studying and implicating EXCEPT I need to ask you, do you see problems with what I have described as the way I handled java.exe?

    I'm thinking you do see problems, or else you wouldn't be recommending these steps.

    Keeping in mind that I also have Drop Rights enabled in the IE sandbox where I have granted Internet Access and Start/Run Access to java.exe, would you proceed from that standpoint, and tell me what risks you think I face? :)
     
  12. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,768
    Location:
    Nicaragua
    page, I have no use for Java at all since I don't need it for any program that
    I have, neither visit a website that requires it. In other words, why have it,
    if I don't use it.
    If you have a use for Java, I think Sully gave us a nice example of how to
    make a sandbox created for Java. I would do it like that.

    Bo
     
  13. mick92z

    mick92z Registered Member

    Joined:
    Apr 27, 2007
    Posts:
    499
    Location:
    Nottingham
    Is this really necessary, a bit OTT ?


    This is totally impractical, when you have several family members using the machine, especially when I'm the only one who actually knows that java exists :D
     
  14. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    IMHO you are fine the way you have described, and suggestions all seem fine as well. My suggestion is just how I would do it, if I were you, based upon the infos you gave.

    Sul.
     
  15. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    What do you mean OTT? I haven't seen that acronym.

    Is anything talked about around here really necessary?

    You do realize that many posts here request opinions and advice, correct? If you read something that seems to not fit yourself and your situation, either you should ignore it because it does not apply to you, or you should figure how you can "modify and adapt" it for your situation.

    Are you asking for help in how to make this work for your situation, or are you ridiculing advice given to a different situation by stating that it won't work for your situation? I don't see how this last statement fits in with the rest of this thread, sorry.

    Sul.
     
  16. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Think about it. You need Java, right? OK. What do you need it for? To view a website? OK. Whitelist Java for that website.

    This is what I do to relatives who do need Java (The IRS website and client application requires it.).

    I made them use Chromium (Not Google Chrome...). I have created a separate profile allowing Java only for the IRS website. Not only that, I've also restricted access to the IRS website only.

    There's also EMET.

    Doesn't Online Armor allow you this type of restriction? If you create such type of restrictions, why the trouble with sandboxing a Java install? Unless, you pretend to ditch it at some point, without leaving any traces behind.

    Hopefully, OA allows to restrict access by domain and not just IPs. lol

    I'm not saying Sully's approach isn't great, it is... This just shows there are different possibilities.
     
  17. mick92z

    mick92z Registered Member

    Joined:
    Apr 27, 2007
    Posts:
    499
    Location:
    Nottingham
    Over the top

    Absolutely not
    Sorry for making you think that, I'm not trying to ridicule anyone, I realise you know far more about S.B and security than I ever will.
    The OP asked if allowing java to run diminished his security.
    I should have just given my opinion, and not commented on yours.
    I'm sure your advice is rock solid.
    I was trying to convey to the OP, that in my opinion, having a separate SB for java, to me, is OTT, but that's for him to decide
     
  18. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Ah, I had not seen that before.


    Thanks for clearing that up :)

    OTT. I wonder. The way I look at it, creating multiple sandboxes is a great way to fine tune what I do. If I only had one box, I would have to make that box work for everything. Maybe with a family computer that would be the easiest solution, I can certainly look at it that way having kids myself. Or maybe if the user is a novice, only one sandbox would be best.

    But, most of us here are not novice users. Some are more experienced than others I am sure. Our example is for those who understand what Java is, and may not really want to use it because they have no real need to.. normally. But as the OP has stated, a website was needing it, and in order to comply Java must be installed.

    Now, what is OTT here? Is it installing a known exploitable item like Java to the real OS, knowing any browser and/or any application that can use it now will, all for the sake of one or two websites that require it? Or is it segregating Java into a small confined environment, where it can do its thing, but can be controlled?

    It is not for me to decide for others what is OTT to them, thankfully. I use Java to interface to a few websites and most importantly to interface to my NAS boxes. I tend to make a sandbox now that houses Java rather than install it on the host OS. Like many others, I recognize it might pose a significant threat, so I take steps to control it primarily because I don't need it for 95% of what I do. But for the other 5%, it is very nice to have it available.

    Sul.
     
  19. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,828
    Location:
    Last Breath Farm
    Hi Sul
    So what you're saying is, if the web site I am going to requires Java, I will see that it doesn't run properly in my "standard" IE sandbox (wherein java.exe is not allowed), and I will then revert to the JavaBox sandbox in order to view that particular page. That correct?

    As for not deleting the JavaBox, I am assuming that is because Java was installed in it, and that would eliminate Java. Isn't it desirable to delete contents of sandboxes so as to remove any malware/exploits that might be present? And doesn't that sort of run contrary to your plan... in other words, a user can't delete the sandbox because a program is installed in it, but in case the program has an exploitable vulnerability, it's best to delete the sandbox contents. :doubt:

    I'm doing my best to follow your logic... I'm not contesting it. :)

    And I do wholeheartedly agree that, as you've stated, "many posts here request opinions and advice". You're always very willing to help and explain your ideas and techniques, for which a great many of us are grateful. :thumb:
     
  20. lws

    lws Registered Member

    Joined:
    Aug 28, 2009
    Posts:
    196
    Like Page42 above is how I have/had java set up as well. But since reading Sully's post below...
    I am trying his setup with java that is make a separate sandbox for java. I also have the same question as Page which is .....
    Why not delete the java sandbox ??
     
  21. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Because, then Java would be "uninstalled" as well, and you'd have to repeat the same process all over again, whenever xyz website or application needs Java. In other words, you'd always have to install Java in the sandbox.
     
  22. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,828
    Location:
    Last Breath Farm
    That is what I mentioned a few posts back to Sully, m00nbl00d...
     
  23. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    If you were to look at this in the terms of strict security, then yes, one would delete the Java sandbox.

    But, consider also the convenience aspect of things. My idea is structured around the fact that I don't want to always install java every time I need it. That is because I actually do use a few websites/features. So rather than need to install it when I need it, I create a sandbox dedicated to java, and apply a set of restrictions to it so that impact is minimalized, such as restricting what can run or have network access.

    If on the other hand you only need java 3 times a year, then it would make more sense to delete the contents, or just have a "testing" sandbox that you install it in rather than create a box just for java implications.

    We each have our own unique needs. When I find I am repeating something over and over, then I look to find a way to stop that. It is counter productive. In this case, I decided to create a sandbox just for java. Now I don't want to be insecure, so I make sure the only things I do in this sandbox are not going to be sensitive enough that if an exploit were to take place, I would regret it. It is common sense really, if you create this java environment, you make sure you don't do anything in there that is sensitive. I did not mention it, but in that sandbox I have java turned off except on select sites in the browser profile. Remember that profile and its options only exist within that sandbox as long as I don't delete the sandbox! So I end up with not having to reinstall java, not having to worry about which version it is on, because

    A. it is contained to within that sandbox
    B. the sandbox is restricted
    C. I have to manually start my browser within this 'special use' sandbox
    D. I set my browser to only allow java on whitelist basically
    E. i never use this box for any other purpose

    If all you do is create this java sandbox, don't delete its contents, and go to the bird watching website, what is really going to happen that is 'bad'? Why would you need to delete the contents? Not that you can't or that it is in general a good idea to do so, but where do your threats really come from in this situation? Other uses for such a setup may warrant deleting the contents from time to time. Only you can decide what you do within the java box, and whether or not you need to be worried. But for me, the whole point of doing it this way is so that I don't have to install it over and over, and I know that what I do in that specific box is mundane anyway.

    Does that help?

    Sul.
     
  24. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,828
    Location:
    Last Breath Farm
    Hi m00nbl00d
    For one thing, I only run OA on one of my boxes, so any configuration such as you've described wouldn't work on the other machine.
    But more importantly, to the best of my knowledge, OA Free does not allow me to whitelist Java for a particular website.
     
  25. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yes, I'm aware of that. But, user lws asked why not delete the sandbox. That would be why. ;)

    Now, regarding if one should or shouldn't keep a sandbox, that depends on what the sandbox is all about and how much you care about it.

    But, let's imagine this:

    You visit a website that needs Java. Java gets exploited and whatever exploited Java injected itself into Java processes or even the browser process. Sandboxie won't prevent undesired connections from happening.

    Now, the real concern is what you do in the Java sandbox... isn't it? ;)
     