Hello,
I am wondering if application virtualisation increases security against the vulnerability of 0-day exploits.
I have searched the web but I can't find enough information.
http://stealthpuppy.com/dont-virtualize-adobe-reader-x/
is an example which shows that virtualisation could be counterproductive because the sandbox implemented by the application doesn't work anymore -> in this case Adobe Reader X.
Can anyone please give details on the security of applications virtualised by ThinApp?
For example Adobe Flash, Acrobat Reader and Microsoft Office can be virtualised. But what does this mean for the security issues of this software? Can someone tell me if exploits can break out into the RAM of the system which runs the virtualised app, and then execute code which was injected by the exploit?
Thank You.
ThinApp is an application packaging product. It is not to be considered a security product. A ThinApp packaged application should be patched like any application packaged and deployed using other methods.
That said, the Isolation Modes do allow for some additional protection of your system. The harmful code can attack the application when it is running in memory, but most likely the attack will be contained in the Sandbox and not affect the physical files on your clients. But again, this is more a side effect of virtualization and not a design implemented to offer security against harmful code.
Here are a couple of blog posts on the topic of Isolation Modes: http://blogs.vmware.com/thinapp/isolation
Hello pbjork,
thank you for your answer. I got a similar answer from evalaze, a German virtualization product. A developer says the code which runs after the exploit is a child process which also runs in the sandbox.
If this is always the case I would say the following:
With a virtualized app a vulnerability has absolutely zero chance to remain in the OS. But there are 2 assumptions: first, the app will be closed periodically (no server process), and second, the sandbox will be cleaned every time the app is closed.
Can anyone please justify this and explain how the child process is established when the software is exploited?
I would not say it will never have a chance to infect the local OS. There is malicious code doing some funky stuff, not using the OS APIs to write to disk and such. So there are never any guarantees. But using application virtualization can be an extra layer of protection. But it is never to be your only security. No app. virt solution I'm aware of is to be considered a security product.
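The two claims above (writes of a packaged app land in the sandbox rather than on the physical file system, and the sandbox is clean after the app closes) can be checked empirically by snapshotting the real profile and the sandbox before and after a run. This is an added example, not code from the thread or from VMware; the sandbox path is a placeholder, and the "app run" is a constructed simulation that writes one file into the sandbox and one directly into the real profile.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def snapshot(root, exclude=None):
    """Map relative POSIX path -> SHA-256 for every file under root,
    skipping anything under `exclude` (keeps the sandbox out of the system view)."""
    root, files = Path(root), {}
    skip = Path(exclude).resolve() if exclude else None
    if not root.exists():
        return files
    for p in root.rglob("*"):
        if p.is_file() and not (skip and skip in p.resolve().parents):
            files[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return files

def changed_paths(before, after):
    """Files created or modified between two snapshots."""
    return sorted(p for p, digest in after.items() if before.get(p) != digest)

def audit_run(system_root, sandbox_root, run_app):
    """Snapshot real profile and sandbox, run the packaged app, snapshot again.
    'contained' = writes redirected into the sandbox; 'escaped' = writes on the real file system."""
    sys_before, sb_before = snapshot(system_root, exclude=sandbox_root), snapshot(sandbox_root)
    run_app()
    sys_after, sb_after = snapshot(system_root, exclude=sandbox_root), snapshot(sandbox_root)
    return {"contained": changed_paths(sb_before, sb_after),
            "escaped": changed_paths(sys_before, sys_after)}

def sandbox_residue(sandbox_root):
    """Files left in the sandbox after the app closed; empty means the reset assumption holds."""
    return sorted(snapshot(sandbox_root))

def demo():
    """Constructed scenario (not a real ThinApp run): the 'app' writes one file into the
    sandbox and one directly into the real profile, then the sandbox is reset."""
    with tempfile.TemporaryDirectory() as tmp:
        system_root = Path(tmp) / "profile"
        sandbox_root = system_root / "SANDBOX_PLACEHOLDER"  # real path depends on the package
        (system_root / "Documents").mkdir(parents=True)
        (sandbox_root / "Documents").mkdir(parents=True)
        def run_app():
            (sandbox_root / "Documents" / "notes.txt").write_text("redirected write")
            (system_root / "Documents" / "dropped.bin").write_bytes(b"escaped write")
        report = audit_run(system_root, sandbox_root, run_app)
        shutil.rmtree(sandbox_root)  # simulate the sandbox being cleaned on exit
        report["residue"] = sandbox_residue(sandbox_root)
        return report
```

Any path under "escaped" is a write the isolation did not contain; a non-empty "residue" means the sandbox was not reset on close.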
Hello pbjork,
thank you for the answer. But it doesn't satisfy me. I will investigate further. I think there are no experts on exploits here. I will search in another forum and post my research.
The question is: does any practice exist which can break out of the sandbox? I am sure traditional exploits like heap or stack buffer overflows with no additional intelligence cannot.
Perhaps the experts of vulnserver can help.
I think pbjork has answered the question a few times already.
ThinApp is not a security product; a side effect of using ThinApp and sandboxing is that there is increased complexity for using a zero-day exploit.
Since ThinApp is not protecting memory there are many ways to break out and write to the physical file system.
There are other vendors that claim to do this, for example Bromium, but that has other pros and cons.
// Linjo
Hello Linjo,
I don't think that my question was answered completely.
I understand that VMWare doesn't claim that ThinApp is a security app for stopping exploits. I think no software will claim that.
But in general there are common ways of exploits.
My question is still:
Does any practice exist which can break out of the sandbox?
You write there are many. Please tell me ONE which was used by malware to exploit and explain a little bit WHY it doesn't stay in the sandbox.
PS: I got an answer from the German evalaze team. They tell me that every invoked process will be dragged into the bubble. But they also don't claim to protect in general...
So my aim in this thread is to show one example of a breakout of the sandbox. And this should be explained a little bit!
If there are no examples we can assume virtualisation of apps is a secure way of sandboxing exploits. If the app is closed and the sandbox is reset, everything is clean. Furthermore, if the exploit was invoked inside an app like Adobe Reader or MS Office, and these apps are firewalled because there is no need to communicate with the www, then nothing can happen. The exploit cannot communicate with the attacker, and after restarting the app again everything is fine.
So I will investigate more details of exploits like heap defuzzing and heap spraying to clarify the above mentioned assumptions.
Another approach: imagine we have an untrusted app like Internet Explorer. Wouldn't it be easier to patch the virtualised app instead of patching the app itself? If any attack to break out of the sandbox exists, VMWare could possibly fix this. So we patch IE once such an attack exists. Perhaps only once a year. Or never! The readers of this thread don't know this. So what is easier: patching a virtualised app once, or patching all of the known vulnerabilities of IE (which isn't possible because we need to install newer versions of IE)?
