Virtualization, sandboxing, and everything in between

computerfreaker
Senior Member
Posts: 220
Joined: Wed Sep 16, 2009 10:03 pm
Location: USA

Virtualization, sandboxing, and everything in between

Post by computerfreaker »

computerfreaker wrote:...Sure, a sandbox offers some level of protection. But it won't cover everything - what about the legit app that gets hacked? (There was actually a fairly-well-publicized case of this a few years ago - a legit Fx addon got hacked and shipped with malware. The addon author, who was completely innocent, didn't find out until 30,000 people had already downloaded it...)
Tom T. wrote:*Nothing* covers *everything*. Hence the concept of "defense in depth". We'd hope that AV would flag the hacked app, although the confidence level in AV has dropped a good bit via this thread. :cry: But that is what our AV is supposed to be for.
True. But AV clearly needs some major help, so the OS needs to step up...
Tom T. wrote:If the add-on came through the Firefox Add-ons HTTPS secure connection, it almost sounds like an inside job (somebody at MZ).
IDR where that addon came from... I read that story a few years ago, and my memory is a bit foggy on it.
Tom T. wrote:Don't know what that particular malware did, but since NS blocked the innoshot code from running, there's another part of defense in depth. The malware loaded, but couldn't execute -- and NS alerted the user to it. Of course, other types of malware don't depend on scripting or other things detected by NS.
Yes, NS is an important part of defense...
I think sandboxing needs to come from the OS - I'll drop a new post in Security about this. (We've already had 2 topic splits, I don't see the need to generate a 3rd... ;))
Tom T. wrote:Seems like we're almost back to running a virtual machine.
Maybe. It would offer a lot of protection, but it burns out computers pretty quickly... (I know from personal experience)
Tom T. wrote:IE 8 in Protected Mode is said to limit the browser's ability to make system-wide changes, but plenty of harm can be done right inside the browser.
IE 8... regardless of how much it limits system-wide changes, it's still IE and it's still broken. (Mr. Maone's blog post about IE 8's broken XSS filter is a prime example of this)
My turn to sound like a broken record: Sandboxie Portable is better, since it comes from PortableApps.com... :)
Tom T. wrote:That's either an advertisement or a non sequitur. :mrgreen: I'm aware of your personal situation, and that's fine. I do find that installs on the HD run faster, but if your only option is portable, cool. Still doesn't change the fact that one form or another of sandboxing or virtualization can be an important part of "defense in depth". Cheers.
Well, portable isn't really my only option, but it's close enough... sorry about that OT/ad statement, I claim a great love for PA.c as my sole defense. (Want me to delete that OT statement from my post?)

I think virtualization is probably a better solution than sandboxing, since virtualization (if properly done) essentially gives you a "throw-away" computer - sandboxing won't work for all apps for various reasons.
With great power comes great responsibility.
Learn something new every day, and the rest will take care of itself.
Life is a journey, not a destination. Enjoy the trip!
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Virtualization and sandboxing

Post by Tom T. »

Tom T. wrote:Seems like we're almost back to running a virtual machine
computerfreaker wrote:Maybe. It would offer a lot of protection, but it burns out computers pretty quickly... (I know from personal experience) <big snip> ...
I think virtualization is probably a better solution than sandboxing.
Make up your mind! :mrgreen: :lol:
Tom T. wrote:IE 8 in Protected Mode is said to limit the browser's ability to make system-wide changes, but plenty of harm can be done right inside the browser.
computerfreaker wrote:IE 8... regardless of how much it limits system-wide changes, it's still IE and it's still broken. (Mr. Maone's blog post about IE 8's broken XSS filter is a prime example of this)
Oh, definitely. It was just a reference to another attempt to provide *some* isolation between the Web-facing browser and the system, however well or poorly executed. At least they're starting to acknowledge the issue, vs. the historical tight integration of IE and the OS. I'm not recommending IE, trust me. ;)
computerfreaker wrote:My turn to sound like a broken record: Sandboxie Portable is better, since it comes from PortableApps.com... :)
Tom T. wrote:That's either an advertisement or a non sequitur. :mrgreen: I'm aware of your personal situation, and that's fine. I do find that installs on the HD run faster, but if your only option is portable, cool. Still doesn't change the fact that one form or another of sandboxing or virtualization can be an important part of "defense in depth". Cheers.
computerfreaker wrote:Well, portable isn't really my only option, but it's close enough... sorry about that OT/ad statement, I claim a great love for PA.c as my sole defense. (Want me to delete that OT statement from my post?)
Not necessary, because it does call attention to a viable option for others who, for whatever reason, cannot install it on the machine. And it's not so spammy since it's freeware, in the *not-quite-totally-portable* version. (it installs and uninstalls SB and its driver to the machine, per the dev and in accordance with the SB dev's wishes, and leaves Reg entries, at least until a reboot).
computerfreaker wrote: I think virtualization is probably a better solution than sandboxing, since virtualization (if properly done) essentially gives you a "throw-away" computer - sandboxing won't work for all apps for various reasons.
Name two. ;)

Unless we're talking about core services like AV and firewall, there are very few apps that can't be run sandboxed. I just created an Open Office document *inside* the sandbox, with the option to move it out whenever I might think it safe to do so. More important is that you can open any document, media file, etc. with the app sandboxed (right-click > Run Sandboxed), a nice way to play it safe with audiovisual files or documents that you don't trust 100% (since our AVs are failing us :cry: )

And yes, I think we're getting very close to another topic split.... ;)
Last edited by Tom T. on Fri Nov 27, 2009 11:12 pm, edited 1 time in total.
Reason: topic split; reflecting new topic in headline
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
computerfreaker
Senior Member
Posts: 220
Joined: Wed Sep 16, 2009 10:03 pm
Location: USA

Virtualization and sandboxing

Post by computerfreaker »

Tom T. wrote:Seems like we're almost back to running a virtual machine
computerfreaker wrote:Maybe. It would offer a lot of protection, but it burns out computers pretty quickly... (I know from personal experience) <big snip> ...
I think virtualization is probably a better solution than sandboxing.
Tom T. wrote:Make up your mind! :mrgreen: :lol:
I personally prefer virtualization, but it's not always an option... for example, on low-end computers.
Tom T. wrote:IE 8 in Protected Mode is said to limit the browser's ability to make system-wide changes, but plenty of harm can be done right inside the browser.
computerfreaker wrote:IE 8... regardless of how much it limits system-wide changes, it's still IE and it's still broken. (Mr. Maone's blog post about IE 8's broken XSS filter is a prime example of this)
Tom T. wrote:Oh, definitely. It was just a reference to another attempt to provide *some* isolation between the Web-facing browser and the system, however well or poorly executed. At least they're starting to acknowledge the issue, vs. the historical tight integration of IE and the OS. I'm not recommending IE, trust me. ;)
I'm sure you're not recommending IE (:lol:), but I was just pointing out its serious problems...
You're right about MS's attempt to decouple IE from Windows - IIRC, IE can be removed from Windows in Windows 7. Pretty new development... and a nice one.
computerfreaker wrote:My turn to sound like a broken record: Sandboxie Portable is better, since it comes from PortableApps.com... :)
Tom T. wrote:That's either an advertisement or a non sequitur. :mrgreen: I'm aware of your personal situation, and that's fine. I do find that installs on the HD run faster, but if your only option is portable, cool. Still doesn't change the fact that one form or another of sandboxing or virtualization can be an important part of "defense in depth". Cheers.
computerfreaker wrote:Well, portable isn't really my only option, but it's close enough... sorry about that OT/ad statement, I claim a great love for PA.c as my sole defense. (Want me to delete that OT statement from my post?)
Tom T. wrote:Not necessary, because it does call attention to a viable option for others who, for whatever reason, cannot install it on the machine. And it's not so spammy since it's freeware, in the *not-quite-totally-portable* version. (it installs and uninstalls SB and its driver to the machine, per the dev and in accordance with the SB dev's wishes, and leaves Reg entries, at least until a reboot).
OK, I'll leave that there. My apologies again, I don't want to be spamming for anyone, even PA.c... :oops: :cry:
computerfreaker wrote: I think virtualization is probably a better solution than sandboxing, since virtualization (if properly done) essentially gives you a "throw-away" computer - sandboxing won't work for all apps for various reasons.
Tom T. wrote:Name two. ;)
APIViewer 2004 won't work (persistently crashes, esp. during copy & paste operations), and I've heard (haven't actually tried it myself) that Adobe products give all kinds of grief in the sandbox... Most apps behave well in the sandbox, but not all of them.
Tom T. wrote:Unless we're talking about core services like AV and firewall, there are very few apps that can't be run sandboxed. I just created an Open Office document *inside* the sandbox, with the option to move it out whenever I might think it safe to do so. More important is that you can open any document, media file, etc. with the app sandboxed (right-click > Run Sandboxed), a nice way to play it safe with audiovisual files or documents that you don't trust 100% (since our AVs are failing us :cry: )
Yes, that's a pretty nice feature of the sandbox... virtual machines can do that too, just not quite so easily. (The HDD <-> virtual HDD connection is especially hard to do securely)
Tom T. wrote:And yes, I think we're getting very close to another topic split.... ;)
Agreed.

Back on-topic, I haven't gotten a reply from Google or Yahoo about the Goored infection - it might be time for someone else to take a shot at reaching them, given it's been around a week now...
Last edited by Tom T. on Fri Nov 27, 2009 11:11 pm, edited 1 time in total.
Reason: topic split; reflecting new topic in headline
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Virtualization

Post by Tom T. »

computerfreaker wrote:...You're right about MS's attempt to decouple IE from Windows - IIRC, IE can be removed from Windows in Windows 7. Pretty new development... and a nice one.
Under pressure from the lawsuit by the EU charging MS with monopolistic behavior, including bundling IE *and making it impossible to remove*. IIUC, they will also have to offer other browsers by default, OOB, at least in the EU. That will probably up the Fx usage stats. ;)
computerfreaker wrote: Back on-topic, I haven't gotten a reply from Google or Yahoo about the Goored infection - it might be time for someone else to take a shot at reaching them, given it's been around a week now...
"On topic"? We moved these here because they were *off-topic* to the Goored infection. :D So this post could actually have gone in the original thread, but don't worry about it. ;)

Given the long holiday weekend, and that the target sites are generally US-based, I doubt anything will happen -- skeleton staffs only, I'd guess. If you've received nothing by late Monday (considering that Google and Yahoo are based in the Pacific time zone), then either post or PM me, and I'll give it a shot.

Doesn't look very good that they seem to be ignoring your inquiry. I'll include my position here, in the hopes that that will get their attention. Thanks for trying.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
computerfreaker
Senior Member
Posts: 220
Joined: Wed Sep 16, 2009 10:03 pm
Location: USA

Re: Virtualization

Post by computerfreaker »

computerfreaker wrote:...You're right about MS's attempt to decouple IE from Windows - IIRC, IE can be removed from Windows in Windows 7. Pretty new development... and a nice one.
Tom T. wrote:Under pressure from the lawsuit by the EU charging MS with monopolistic behavior, including bundling IE *and making it impossible to remove*.
About time somebody stood up to MS and laid down the rules.
Tom T. wrote:IIUC, they will also have to offer other browsers by default, OOB, at least in the EU. That will probably up the Fx usage stats. ;)
Sweet revenge for Mozilla... :mrgreen:
computerfreaker wrote: Back on-topic, I haven't gotten a reply from Google or Yahoo about the Goored infection - it might be time for someone else to take a shot at reaching them, given it's been around a week now...
Tom T. wrote:"On topic"? We moved these here because they were *off-topic* to the Goored infection. :D So this post could actually have gone in the original thread, but don't worry about it. ;)
That post actually was in the original thread... :lol:
(It got moved here when the topic split)
Tom T. wrote:Given the long holiday weekend, and that the target sites are generally US-based, I doubt anything will happen -- skeleton staffs only, I'd guess. If you've received nothing by late Monday (considering that Google and Yahoo are based in the Pacific time zone), then either post or PM me, and I'll give it a shot.
OK, will do. However, the long holiday weekend won't explain everything - I sent them an e-mail last Saturday. Surely somebody would have been in the office Monday, Tuesday and Wednesday... (and maybe a few people on Saturday & Sunday, too?)
Tom T. wrote:Doesn't look very good that they seem to be ignoring your inquiry. I'll include my position here, in the hopes that that will get their attention. Thanks for trying.
Well, let's not get too strong-armed yet... I'm still hoping for a reply from them. :)
Figure we'll give them until Monday, then you take a shot... if they don't reply to you in 2 weeks, then it's time to get public. Just MHO...
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5