Chrome, Edge, Safari hacked at elite Chinese hacking contest November 17, 2019 https://www.zdnet.com/article/chrome-edge-safari-hacked-at-elite-chinese-hacking-contest/ Spoiler: Day 1 Of the successful sessions, Tianfu Cup organizers reported successful hacks of: (3 successful exploits) Microsoft Edge (the old version based on the EdgeHTML engine, not the new Chromium version) [tweet] (2) Chrome hacks [tweet] (1) Safari [tweet] (1) Office 365 [tweet, tweet] (2) Adobe PDF Reader [tweet] (3) D-Link DIR-878 router [tweet] (1) qemu-kvm + Ubuntu [tweet, tweet] Spoiler: Day 2 The seven successful exploits targeted: (4) D-Link DIR-878 [tweet] (2) Adobe PDF Reader [tweet] (1) VMWare Workstation [tweet, tweet]
Zero-Day Exploits Earn Hackers Over $500K at Chinese Competition November 18, 2019 https://www.securityweek.com/zero-day-exploits-earn-hackers-over-500k-chinese-competition
LOL, they could even hack Chrome and I assume they could escape the sandbox. I bet those guys who told that you didn't need Sandboxie to protect Chrome feel real dumb now.
If Chrome couldn't be hacked, then there probably wouldn't be any point to report security vulnerabilities and update the browser.
Where are the details of how they succeeded with the exploit on Chrome? Are you sure Sandboxie is needed to protect Chrome? That’s a rather bold assertion you make.
No it's not about that. As I have said numerous of times, you can also use tools like AV and AE to protect the browsers. But I remember that a lot of people believe that you don't need Sandboxie anymore because browsers like Chrome, Edge and Firefox have their own sandboxes. I believe this isn't true. And I'm not sure if these Chinese hackers used kernel exploits or not, but in theory you can break out of the sandbox without them.
Right, and I was one of those who believe using Sandboxie with Chrome or any Chrome-based browser is unnecessary, although I didn't state the same with Firefox. But I also did not say that the Chrome sandbox alone will provide absolute security. The trouble with Sandboxie, as well as Chrome and Chrome-based browsers, is it harnesses usermode hooks, so this type of secuirty provides, as I read recently in a technical article somewhere, only a partial fence running the perimeter of the yard, so the dog could still find a way to escape. Their sandboxes are very good, but they don't provide the same level of security that kernel mode security can provide, which is why augmenting with one of or a combination of AV, behavior blocker, HIPS, anti-executable, SRP, Applocker, script blocking extension, ...etc, is probably a good idea. I suppose Sandboxie could be another way too, but look at what's happening for quite some time now where with every major Windows update, something in Sandboxie seems to break, and based on several posts in these forums, a lot of people are having issues using Sandboxie with Chrome, so that compounds the problems.
VMware Patches ESXi Vulnerability That Earned Hacker $200,000 December 6, 2019 https://www.securityweek.com/vmware-patches-esxi-vulnerability-earned-hacker-200000
It's purely a technical discussion. If you use anti-exploit software then of course you don't need necessarily need a tool like Sandboxie. But it's a fact that if Chrome or Firefox get hacked, Sandboxie running on top might still be able to contain the malware, because of its virtualization capabilities. It virtualizes the file system, registry and interprocess communications. So a bypass of the Chrome or Firefox sandbox, isn't automatically a bypass of Sandboxie. You need to find specific holes in Sandboxie in orde to bypass it.
That's another discussion of course. We all know that future development of Sandboxie is uncertain. But to be honest, I never had any problems lately. I didn't even have to update Sandboxie and newer versions of Vivaldi kept working. But I'm still using Win 8.1, this probably also plays a role.