Hello Linjo,

I don't think that my question was answered completely. I understand that VMware doesn't claim that ThinApp is a security app for stopping exploits. I think no software will claim that. But in general there are common ways of exploits. My question is still: Does any practice exist which can break out of the sandbox? You write there are many. Please tell me ONE which was used by malware to exploit and explain a little bit WHY it doesn't stay in the sandbox.

PS: I got an answer from the German Evalaze team. They tell me that every invoked process will be dragged into the bubble. But they also don't claim to protect in general...

So my aim of this thread is to show one example of a breakout of the sandbox. And this should be explained a little bit! If there are no examples, we can assume virtualisation of apps is a secure way of sandboxing exploits. If the app is closed and the sandbox is reset, everything is clean. Furthermore, if the exploit was invoked inside an app like Adobe Reader or MS Office, and these apps are firewalled because there is no need to communicate with the www, nothing can happen. The exploit cannot communicate with the attacker, and after restarting the app everything is fine again. So I will investigate more details of exploits like heap defuzzing and heap spraying to clarify the above-mentioned assumptions.

Another approach: Imagine we have an untrusted app like Internet Explorer. Wouldn't it be easier to patch the virtualised app instead of patching the app itself? If any attack to break out of the sandbox exists, VMware could possibly fix this. So we patch IE one time such an attack exists. Perhaps only 1 time a year. Or never! The readers of this thread don't know this. So what is easier: patching a virtualised app one time, or patching IE for all of the known vulnerabilities (which isn't possible because we need to install newer versions of IE)?