p2p_2's Posts

I want to share my experience: I captured CS6 on WinXP SP3. I started all apps before postscan and I updated all CS6 apps. Then I started postscan. All is running fine, even on Windows 8.1. One more hint: starting Adobe Photoshop as admin accelerates the starting of the app extremely. But this must be done only one time.
Hello Linjo, I don't think that my question was answered completely. I understand that VMWare doesn't claim that ThinApp is a security app for stopping exploits. I think no software will claim that. But in general there are common ways of exploits. My question is still: does any practice exist which can break out of the sandbox? You write there are many. Please tell me ONE which was used by malware to exploit and explain a little bit WHY it doesn't stay in the sandbox.

PS: I got an answer from the German evalaze team. They tell me that every invoked process will be dragged into the bubble. But they also don't claim to protect in general... So my aim in this thread is to show one example of a breakout of the sandbox. And this should be explained a little bit! If there are no examples we can assume virtualisation of apps is a secure way of sandboxing exploits. If the app is closed and the sandbox is reset, everything is clean. Furthermore, if the exploit was invoked inside an app like Adobe Reader or MS Office and these apps are firewalled because there is no need to communicate with the www, then nothing can happen. The exploit cannot communicate with the attacker, and after restarting the app again everything is fine. So I will investigate more details of exploits like heap defuzzing and heap spraying to clarify the above mentioned assumptions.

Another approach: imagine we have an untrusted app like Internet Explorer. Wouldn't it be easier to patch the virtualised app instead of patching the app itself??? If any attack to break out of the sandbox exists, VMWare could possibly fix this. So we patch IE once, when such an attack exists. Perhaps only once a year. Or never! The readers of this thread don't know this. So what is easier: patching a virtualised app once, or patching IE for all of the known vulnerabilities (which isn't possible because we need to install newer versions of IE)?
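The post above proposes firewalling the virtualised app so that exploit code running inside it cannot reach the attacker. As an added example (not from this thread and not VMware ThinApp code or documentation), here is how that per-executable outbound block is set up and checked on Windows 8.1 with the built-in NetSecurity module. The path C:\ThinApp\AcrobatReader\AcroRd32.exe and the rule name are placeholders I assumed; for a ThinApp package the image the host firewall sees is the package's own entry-point .exe, so the rule has to point at that file rather than at the original installer's binary (this is my understanding of how ThinApp launches packages, not something the thread states).

```powershell
# Added example (not from the thread or ThinApp docs): block all outbound
# traffic for one executable and verify the rule is really in place.
# Needs an elevated PowerShell on Windows 8 / Server 2012 or later.
#Requires -RunAsAdministrator
param(
    # Assumed placeholder: point this at the ThinApp package .exe that runs on the host.
    [string]$ProgramPath = 'C:\ThinApp\AcrobatReader\AcroRd32.exe',
    [string]$RuleName    = 'Block outbound - virtualised Reader'
)

if (-not (Test-Path -LiteralPath $ProgramPath)) {
    throw "Program not found: $ProgramPath"
}

# Drop a stale rule of the same name so the script can be re-run safely.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# Block every outbound connection from this program image on all profiles.
New-NetFirewallRule -DisplayName $RuleName `
    -Direction Outbound `
    -Program   $ProgramPath `
    -Action    Block `
    -Profile   Any `
    -Enabled   True | Out-Null

# Verify instead of trusting the call: rule exists, is enabled, blocks,
# and is bound to exactly the program we asked for.
$rule = Get-NetFirewallRule -DisplayName $RuleName
$app  = $rule | Get-NetFirewallApplicationFilter
if ($rule.Enabled -ne 'True' -or $rule.Action -ne 'Block' -or $app.Program -ne $ProgramPath) {
    throw "Rule verification failed for '$RuleName'"
}
"OK: outbound traffic from $ProgramPath is blocked ($($rule.Direction), $($rule.Action))"

# Caveat: a program rule only covers sockets opened by this image. Anything the
# package spawns as a separate executable needs its own rule, or use the profile
# default instead and allow only what must talk out:
#   Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block
```

The verification step matters more than the rule itself: a rule that exists but is disabled, or bound to a path that does not match the process image actually started, gives the "firewalled app" assumption without delivering it. The default-outbound-block profile setting in the final comment is the stricter alternative when you cannot enumerate every executable the package may launch.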
Hello pbjork, thank you for the answer. But it doesn't satisfy me. I will investigate further. I think there are no experts on exploits here. I will search at another forum and post my research. The question is: does any practice exist which can break out of the sandbox? I am sure traditional exploits like heap or stack buffer overflows with no additional intelligence cannot. Perhaps the experts of vulnserver can help.
Hello pbjork, thank you for your answer. I got a similar answer from evalaze - a German virtualization software. A developer says the code which runs after the exploit is a child process which also runs in the sandbox. If this is always the case I would say the following: with a virtualized app, a vulnerability has absolutely zero chance to remain in the OS. But there are 2 assumptions: first, the app will be closed periodically (no server process), and second, the sandbox will be cleaned every time the app is closed. Please can anyone justify this and explain how the child process is established when the software is exploited?
Hello, I am wondering if application virtualisation increases security against 0-day exploits. I have searched the www but I don't find enough information. http://stealthpuppy.com/dont-virtualize-adobe-reader-x/ is an example which shows that virtualisation could be counterproductive because the sandbox implemented by the application doesn't work anymore -> in this case Adobe Reader X. Please can anyone tell details of the security of applications virtualised by ThinApp? For example Adobe Flash, Acrobat Reader and Microsoft Office can be virtualised. But what does it mean for security issues of this software? Can someone tell me if exploits can break out into the RAM of the system which runs the virtualised app? And then execute code which was injected by the exploit? Thank you.