InformAction Forums

Posted: **Tue May 15, 2012 7:39 am**

(Split from Forum Extras > Security, "Flash Player sandboxing is coming to Firefox", when the discussion went beyond the Flash Player feature itself, and into comparisons of effectiveness of various security measures, including comparing different OS, and then into the areas of multi-boot, booting from a flash drive, etc. ... all interesting, but O/T. -- Tom T.)

Hungry Man wrote:Vista/7 already have a stronger sandbox built in (integrity levels)...

In which case, wouldn't it be even more important to put the more-secure Flash on XP?

and it would likely be a whole other sandbox project for XP, which already is insecure and a sandbox isn't really going to change that.

XP has been vetted by hackers, good and bad, for almost eleven years, something no other OS from MS can say. (None has been supported for that long.)

It was Swiss cheese at first, but look at the recent Patch Tuesday updates: *None* unique to XP, while a couple applied to V/7. The ones that did apply to XP (and V/7) were .NET-related, and other components that are not OS core (required) components.
Similarly in previous months, although not 100% of course.

Bad guys tend to target new (anything), because the new one is usually the one with the most undiscovered flaws.

btw, XP still has 4x the market share of Vista.

Posted: **Wed May 16, 2012 1:39 am**

7's framework is solid and ironically based in large parts on Vista. It does use virtualization and "sandboxing" (I hate how ambiguous that term really is) under UAC, which of course people bitch about. One the one hand they want more secure, on the other they want easy. So you want easy (aka XP) and less secure or you want more secure (aka 7) but less "friendly" dealing with UAC. How is UAC any different than NS behavior, think about it? You need to tell NS to allow JS or not per site, UAC, you need to decide to allow execution per program or not, what's the big deal?

Posted: **Wed May 16, 2012 4:39 am**

We can call it MAC or MIAC if you don't like sandboxing? It's just a "catch all term" for different access controls.

@Tom,

In which case, wouldn't it be even more important to put the more-secure Flash on XP?

Eh. On XP there's no SEHOP or ASLR. That's kind of a big issue and sandboxing won't help. So while a sandbox would absolutely raise the cost (you need 1 exploit to get in, another to escalate/ escape) the initial cost is so low that I don't think it's so important. Flash's sandbox on Chrome also isn't super powerful without PPAPI, which Firefox does not support.

XP has been vetted by hackers, good and bad, for almost eleven years, something no other OS from MS can say. (None has been supported for that long.)

I mean, sure, it's been vetted in that hackers have been killing it for a decade now. But it's not like anything has changed since SP1/2 in terms of security. Just patches to vulnerabilities that will always exist.

The biggest change in XP's security has been Microsoft's time to patch drastically improving.

It was Swiss cheese at first, but look at the recent Patch Tuesday updates: *None* unique to XP, while a couple applied to V/7. The ones that did apply to XP (and V/7) were .NET-related, and other components that are not OS core (required) components.

Backwards compatibility = cross-OS exploits.

Bad guys tend to target new (anything), because the new one is usually the one with the most undiscovered flaws.

Bad guys go after market share and easy targets. XP has large market share and it's an easy target.

Of course, Flash has a much larger market share. Java probably does as well.

@Guardian,

UAC and the Windows sandbox are connected but you don't need one for the other. I can set an explicit low integrity on a program and turn UAC off and nothing will change.

Both UAC and NS rely on a lot of user-based decisions, which is why I'm not a big fan of NoScript-like solutions.

Posted: **Wed May 16, 2012 5:05 am**

Hungry Man wrote: <snip>Both UAC and NS rely on a lot of user-based decisions, which is why I'm not a big fan of NoScript-like solutions.

The script-blocking part, at least. Presumably you're very much in favor of ClearClick, XSS protection, etc?

Personally I'm a big fan of default deny, but I recognise that that doesn't appeal to most of the people I know. However, I still disliked the little I've seen of UAC (at least the original incarnation), because it was very in-your-face, prompted too often when doing normal things, and sometimes failed to prompt when a program needed permissions, causing errors later. The *nix approach of using sudo works more smoothly, maybe just because it's older and more finely tuned.

Posted: **Wed May 16, 2012 6:22 am**

I don't know the details of NoScripts XSS protection. I mean, of course, XSS protection is a great thing I'm just not sure if I prefer it to how Firefox would handle it natively because I know little about how either policies work.

Clearclick is pretty cool.

UAC is ok just like GSudo is ok. Either way you get a popup saying "Hey, give me access to stuff." The main difference is that...

Windows: If I run a low integrity program and it asks for Admin rights it's now high integrity.

Linux: If I run a user program and it asks for Admin rights I can give it those rights but still restrict it through chroot jail or LSM.

More on topic, I think it will be interesting to see how this effects the threat landscape. Right now Java is statistically the most exploited program but Flash is in second. I expect Java to increase drastically (Java 7 is coming out and does not remove Java 6, meaning users will have two Javas installed if they don't know to remove the old version) as Flash exploit cost is driven up drastically.

Posted: **Wed May 16, 2012 7:31 am**

Eh. On XP there's no SEHOP or ASLR.

Search the web for "ASLR bypass". Tons of results. The first was discovered within a few months after Vista's release, IIRC.

That's kind of a big issue and sandboxing won't help.

A well-constructed third-party sandboxing program can add a great deal to your overall defense-in-depth.
A few hours ago, a friend complained about the behavior of an installer. So I ran the installer inside Sandboxie, to observe said behavior, then closed the sandbox, which empties it and leaves no traces behind.

XP has been vetted by hackers, good and bad, for almost eleven years, something no other OS from MS can say. (None has been supported for that long.)

I mean, sure, it's been vetted in that hackers have been killing it for a decade now. But it's not like anything has changed since SP1/2 in terms of security. Just patches to vulnerabilities that will always exist.

Did you not read what I said? Click the links yourself -- the number of serious security issues in XP has been declining over time. Which is what one would expect.

It was Swiss cheese at first, but look at the recent Patch Tuesday updates: *None* unique to XP, while a couple applied to V/7. The ones that did apply to XP (and V/7) were .NET-related, and other components that are not OS core (required) components.

Backwards compatibility = cross-OS exploits.

You're talking about forward compatibility. Back-comp means that on XP, I can run an app from Win 98. Or on Win 7, I can run XP apps (and possibly exploits). You're talking about an exploit (app) written for a future version, not a previous one. XP doesn't have a compatibility mode for Vista/7 programs.

If the above is not true, then why did MS, publicly and at risk of considerable embarrassment, declare that these vulns applied only to Vista/7?

They may attack libraries or components that XP *doesn't have*.

Bad guys tend to target new (anything), because the new one is usually the one with the most undiscovered flaws.

Bad guys go after market share and easy targets. XP has large market share and it's an easy target.

And yet, there are few new critical exploits for it, as said above.
Go ahead, attack me. It's a Federal crime, a felony, but so long as it's totally benign, I agree not to press charges. (but no such waiver if you cause any harm, either to the system or to me. Make a pop-up that says "Pwned!", but does *nothing else*.)

Both UAC and NS rely on a lot of user-based decisions, which is why I'm not a big fan of NoScript-like solutions.

As opposed to the vendor making decisions for the user?

What do you have that's as effective as NS, but requires substantially fewer decisions?

I don't know the details of NoScripts XSS protection

Then should you be criticizing NS? Here, I'll point you right there: XSS FAQ

AFAIK, Firefox does not presently have XSS protection (in stable releases), and IE's attempts at XSS protection were a joke, actually introducing new XSS vulns in IE.

Whereas NS XSS protection has been vetted, refined, and tweaked for more than five years now.

Posted: **Wed May 16, 2012 8:13 am**

Search the web for "ASLR bypass". Tons of results. The first was discovered within a few months after Vista's release, IIRC.

I know plenty about bypassing ASLR. The "bypasses" you'll find on Google are virtually all due to poor implementations. To example, ASLR attempts to stop return oriented programming attacks where the hacker will use a programs own code (gadgets) to execute what they want. If they can't find the code they can't use it. These "bypasses" are ironically just examples of ASLR not being implemented - it's applied to some areas of address space but not others.

DEP without ASLR is literally useless. (1) A program can turn DEP off while running. (2) ROP.

The bypass for Vista that I believe you're referring to has to do with part of the address space not being randomized properly.

Regardless, ASLR makes things more difficult. There will always be areas of the (current) OS that are static (by necessity) but not all code is ROP-able (there are gadgetless binaries.)

A well-constructed third-party sandboxing program can add a great deal to your overall defense-in-depth.
A few hours ago, a friend complained about the behavior of an installer. So I ran the installer inside Sandboxie, to observe said behavior, then closed the sandbox, which empties it and leaves no traces behind.

Sure. But if that installer were malicious and made use of a local kernel exploit you'd be screwed. Of course it would have to work within the sandbox. Because Sandboxie is rare you won't see exploits target it - Flash is not rare and exploits most certainly will be made for the sandbox (though, as I said, Java exploits will simply rise since the cost of exploitation is far lower - Java is slow to patch and does not make use of ASLR, JIT also opens up the program to a whole new area of exploitation due to necessity of executable code.)

id you not read what I said? Click the links yourself -- the number of serious security issues in XP has been declining over time. Which is what one would expect.

Which is due to its market share also decreasing and due to programs like flash and java being much easier targets.

Not sure what you're arguing here?

And yet, there are few new critical exploits for it, as said above.
Go ahead, attack me. It's a Federal crime, a felony, but so long as it's totally benign, I agree not to press charges. (but no such waiver if you cause any harm, either to the system or to me. Make a pop-up that says "Pwned!", but does *nothing else*.)

The logic here is "Hungry Man can't hack me so I'm secure" ? lol come on now.

As opposed to the vendor making decisions for the user?

Sorta.

What do you have that's as effective as NS, but requires substantially fewer decisions?

Well, for one thing every browser comes with an XSS auditor. The difference being that browsers have to put compatibility first whereas NoScript obviously does not.

There aren't that many great programs out there so I wouldn't really recommend any of them. I like a good sandbox but a sandbox doesn't address the issues that NoScript does. I think NoScript works very well for what it tries to do I just personally would implement it differently - though I won't go into that because -edit: not worth really mentioning-

Then should you be criticizing NS? Here, I'll point you right there: XSS FAQ

My criticism was not of XSS filtering in NS or Firefox.

AFAIK, Firefox does not presently have XSS protection (in stable releases), and IE's attempts at XSS protection were a joke, actually introducing new XSS vulns in IE.

Firefox does or at least I would hope so. IE did have a hilarious mishap way back but that's been solved.

Posted: **Wed May 16, 2012 9:01 am**

Not going to debate the whole thing, but just one point.

Hungry Man wrote:
id you not read what I said? Click the links yourself -- the number of serious security issues in XP has been declining over time. Which is what one would expect.
Which is due to its market share also decreasing and due to programs like flash and java being much easier targets.

Again, did you not read what I said: that XP has 4x the market share of Vista? And that V is declining, while XP remains popular. Other sources than the above show a greater advantage to XP vs. Vista.

And XP seems to have as much market share as all non-Windows systems combined.

Not sure what you're arguing here?

That you said the declining number of flaws found in XP is due to its declining market share. The above refute that decline, vs. Vista or the rest of the universe. And interesting that in a previous post, you said that hackers go after XP because "XP has large market share".

You can't have it both ways. They go after it because it has a large market share, but fewer flaws are found because its market share is decining?
Self-contradictory.

Posted: **Wed May 16, 2012 9:29 am**

Again, did you not read what I said: that XP has 4x the market share of Vista? And that V is declining, while XP remains popular. Other sources than the above show a greater advantage to XP vs. Vista.

And XP seems to have as much market share as all non-Windows systems combined.

Who cares about Vista? I don't really get why you're talking about it. Windows 7 alone has a larger market share than XP and combined with Vista (which has virtually the same kernel) it's go nearly double the market share.

https://en.wikipedia.org/wiki/File:Wiki ... _chart.png

So, yes, exploits are targeting Vista and 7 (again, these are nearly identical operating systems in terms of security and in general) more than XP.

That you said the declining number of flaws found in XP is due to its declining market share. The above refute that decline, vs. Vista or the rest of the universe. And interesting that in a previous post, you said that hackers go after XP because "XP has large market share".

They go after XP because it has a large market share and it doesn't make use of the latest technologies. It's not what it used to be but even a year ago XP was a hugely popular OS. Of course, in reality, they don't go after XP. They go after Java and Flash and Reader - they're cheaper. But aren't you interested in Defense in Depth?

Not even sure what we're arguing about at this point so I'll simply make a few points:
1) XP is less secure than Vista/7 - it lacks SEHOP and ASLR and it doesn't have the same access control devices as Vista and 7. One nice big change that came along with integrity access control was a proper solution to: https://en.wikipedia.org/wiki/Shatter_attack but there are many many nice things about it (though in reality it is not a great solution and 8 will improve this significantly.)

2) A sandbox over crappy software is nice but you can not just forget about technology and try to supplement with policy. It's nice that Adobe has been trying to make use of both though as their Vista and 7 versions make use of ASLR to a half-decent extent.

3) It is understandable that Adobe is not investing time into sandboxing on XP because XP is already lacking security technologies like ASLR and DEP.

All I'm trying to say.

What I'm not trying to say...

1) You will be hacked if you use XP.

Hope that clears it up? Not trying to argue about anything. I posted about the sandbox because I figured you'd all like to know about it. I just think it's understandable that Adobe isn't supporting XP in this.

Posted: **Wed May 16, 2012 9:17 pm**

Hungry Man wrote:We can call it MAC or MIAC if you don't like sandboxing? It's just a "catch all term" for different access controls.

Works for me.

@Guardian,

UAC and the Windows sandbox are connected but you don't need one for the other. I can set an explicit low integrity on a program and turn UAC off and nothing will change.

Both UAC and NS rely on a lot of user-based decisions, which is why I'm not a big fan of NoScript-like solutions.

I know it was a catch-all reply if you will without going into too much detail or getting overly technical. Exactly, your weak link is ALWAYS going to be the user, no way around that, but depends on the user base. If your users are savvy and KNOW (not just think they know) then its a good system, if you are dealing with idiots (excuse the catch all phrase) then you need policy level decisions instead and NS system I am not a fan either, but then again you become limited by the intelligence and savvy and experience and expertise of the guy who is setting the policy, let's hope he's not an idiot user him/herself.

Posted: **Thu May 17, 2012 12:51 am**

What I've found is that everyone is an idiot sometimes, just some more often than others. But I agree that it's still useful as a tool in the right hands.

Posted: **Thu May 17, 2012 6:36 am**

Hungry Man wrote:3) It is understandable that Adobe is not investing time into sandboxing on XP because XP is already lacking security technologies like ASLR and DEP.

Now you're losing credibility. Not going to bother with a screenshot, but copied from boot.ini:

Code: Select all

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptOut

XP has DEP.

Posted: **Thu May 17, 2012 8:06 am**

Yes, sorry, I meant ASLR and SEHOP/ SafeSEH.

https://blogs.technet.com/b/srd/archive ... ected=true

Since this publication, the SEH overwrite technique has become a standard weapon in an attacker’s arsenal. Roughly 20% of the exploits included in the latest version of the Metasploit framework make use of the SEH overwrite technique. SEH overwrites are also commonly used by exploits that target the increasing number of browser-based vulnerabilities[4].

edit: And while saying that DEP was missing was absolutely incorrect (must have been tired) it's probably worth noting that DEP is pretty useless without ASLR.

Posted: **Thu May 17, 2012 2:48 pm**

Oh, I'm only guessing, On the effectiveness of DEP and ASLR ?

Posted: **Thu May 17, 2012 3:27 pm**

This'll be simplified.

DEP aims to separate code from data (in terms of segregating rights by preventing areas of address space that can be written to from also being executable) in order to prevent an attacker from simply sending you data and executing it as code (kinda like if I posted Javascript here and your browser ran it... sorta.)

This is awesome. It's one of those really fundamental things - separation of code and data.

It's also easily bypassable. An attacker doesn't need to load up the executable code when there's already code from the exploited program ready for use.

The attacker knows where the executable areas of address space are so they just use the code that's there to do what they want.

ASLR randomizes the address space so taht the attacker doesn't know where the code is. Without DEP they can just load up the code and execute it regardless of DEP. With both DEP and ASLR they have to either bruteforce their way into a known area or make use of information leaks. Typically the "bypass" is done throuhg an area that is static ie: not loaded with ASLR. Even if 99% of the code is randomized you can still perform an attack with that last bit.

The combination of these two techniques drives up the cost of exploits quite a bit.

So if you'r eon XP you're missing out on ASLR and therefor exploiting applications is much easier. You're also missing out on SafeSEH/SEHOP and privilege escalation is practically built into the OS.

So, it's fairly clear that XP is seriously lacking in technology.

The other part of security is policy. So to make up for this deficit of technology a user can implement strict (and often overbearing) policies in an attempt to even it all out.

So... Adobe can't make use of the technology and Flash's security is already seriously crippled. Privilege escalation in XP is much easier than Vista/7.

Do you think enforcing policy will really do the trick? It would have to be incredibly strict to be useful. PPAPI might allow for this, NPAPI doesn't, ergo an XP Flash sandbox is not worth Adobe's time.

InformAction Forums

Various safety measures, OS comparisons, multi-boot, Flash b

Various safety measures, OS comparisons, multi-boot, Flash b

Re: Flash Player sandboxing is coming to Firefox

Re: Flash Player sandboxing is coming to Firefox

Re: Flash Player sandboxing is coming to Firefox

Re: Flash Player sandboxing is coming to Firefox

Re: Flash Player sandboxing is coming to Firefox

Re: Flash Player sandboxing is coming to Firefox

Re: Flash Player sandboxing is coming to Firefox

Re: Flash Player sandboxing is coming to Firefox

Re: Flash Player sandboxing is coming to Firefox

Re: Flash Player sandboxing is coming to Firefox

Re: Flash Player sandboxing is coming to Firefox

Re: Flash Player sandboxing is coming to Firefox

Re: Flash Player sandboxing is coming to Firefox

Re: Flash Player sandboxing is coming to Firefox