Instead of the usual top ten lists that are all-too-common with predictions for the new year, I have just one: 2010 will be the year of desktop applications handling untrusted data in sandboxed processes, and it will be about time.
Since the release of Windows XP SP2, there have been significantly fewer network-based Internet worms (Conficker being a notable and recent exception). This is largely due to XP SP2 turning the Windows Firewall on by default, and to Wi-Fi. Yes, Wi-Fi. The rapid adoption of wireless networking at around the same time that XP SP2 was released drove many home users to purchase wireless base stations, and almost all of these included a firewall. This drastically reduced the amount of Windows attack surface available to an attacker scanning the Internet for targets.
Now let’s fast-forward to the present day. The largest Internet security threats now arrive through malicious web pages or e-mail attachments. This is because attackers are opportunistic and these are the weakest links, especially since they pass easily through every firewall. Security is not, and never was, about SYN packets; it is about data: the software attack surface that attacker-controlled data interacts with, and what sensitive data the attacker can get hold of if they can exploit vulnerabilities in that software. While network firewalls reduce the attack surface over the network, they don’t do anything for Internet-enabled desktop software.
The desktop analogue to the network firewall is the privilege-separated and sandboxed application. These mechanisms finally move the bull (untrusted data) from the china shop (your data) to the outside where it belongs (a sandbox). While it doesn’t quite reduce the attack surface, it significantly raises the bar for an attacker through defense-in-depth. If an attacker is able to exploit a vulnerability and execute code, they must then exploit another vulnerability in the sandboxing mechanism in order to break free and even read the user’s data.
Windows Vista introduced Protected Mode Internet Explorer which was a step in the right direction. An exploit against Internet Explorer on Vista and 7 will run with Low Integrity, so it can’t change or harm your system. It can only upload all of your sensitive information to the attacker (Phew!). Google’s Chrome web browser, on the other hand, performs most handling of untrusted data in sandboxed renderer processes. On Windows Vista and 7 these renderer processes even run with Low Integrity for greater protection. Microsoft Office 2010 is slated to contain a Protected View feature, similar to Protected Mode Internet Explorer where potentially dangerous Office files from the Internet can be viewed in a read-only environment.
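The broker/renderer split described above, as an added example (not code from this post or from any of the products it names): the privileged broker hands attacker-controlled bytes to an isolated, resource-limited worker process and treats any crash, hang or limit violation in the worker as a parse failure rather than letting it touch the user's data. It uses POSIX resource limits and a timeout rather than an OS sandbox such as Windows integrity levels, so it shows the process-separation half of the pattern, not a full sandbox; the record format and inputs are constructed for the example.

```python
"""Broker/worker split: the broker keeps the user's data and privileges; a
short-lived, resource-limited worker parses the untrusted bytes, so a crash,
hang or memory blow-up in the parser is contained. Linux/POSIX, Python 3."""
import json
import resource
import subprocess
import sys

# Worker source, run in a separate interpreter: parses a constructed record
# format of 4-byte big-endian length + that many UTF-8 bytes, repeated.
WORKER_SRC = r'''
import json, struct, sys
data = sys.stdin.buffer.read()
records, off = [], 0
while off < len(data):
    if len(data) - off < 4:
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", data[off:off + 4])
    off += 4
    if n > len(data) - off:  # reject a length that overruns the input
        raise ValueError("length %d exceeds input" % n)
    records.append(data[off:off + n].decode("utf-8"))
    off += n
json.dump(records, sys.stdout)
'''


def _confine_worker():
    """Child side, before exec: cap CPU seconds and address space."""
    for res, cap in ((resource.RLIMIT_CPU, 2), (resource.RLIMIT_AS, 512 << 20)):
        _, hard = resource.getrlimit(res)
        cap = cap if hard == resource.RLIM_INFINITY else min(cap, hard)  # never raise a hard limit
        resource.setrlimit(res, (cap, cap))


def parse_untrusted(blob, timeout=5.0):
    """Broker side. Returns (records, None) on success or (None, reason)."""
    try:
        proc = subprocess.run(
            [sys.executable, "-I", "-c", WORKER_SRC],  # -I: isolated mode
            input=blob, capture_output=True, timeout=timeout,
            preexec_fn=_confine_worker)  # fds above 2 are closed by default
    except subprocess.TimeoutExpired:
        return None, "worker exceeded %.1fs and was killed" % timeout
    if proc.returncode != 0:  # parser crashed, raised, or hit a limit
        return None, "worker failed with exit status %d" % proc.returncode
    try:
        return json.loads(proc.stdout.decode("utf-8")), None
    except ValueError:
        return None, "worker returned malformed output"
```

A real deployment would additionally drop the worker's privileges (a low-integrity token, seatbelt profile or seccomp filter), which this example does not do.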
So in 2010, Windows 7 will pick up the slack from the slow adoption of Windows Vista and more former XP users will gain the benefit of the security improvements in Vista and 7 including Protected Mode IE. Google Chrome has overtaken Safari as the #3 browser and will have a stable release for Mac and Linux. Microsoft Office 2010 will include Protected View for viewing files from the Internet. Apple’s Leopard and Snow Leopard have implemented sandboxing for network services, some background daemons, and QuickLook previews of files in the Finder and attachments in Mail.
Et tu, Adobe?
* Dino Dai Zovi is a security researcher and the co-author of the books “The Mac Hacker’s Handbook” (Wiley, 2009) and “The Art of Software Security Testing” (Addison-Wesley, 2006). He discovered and exploited a new multi-platform QuickTime vulnerability in one night to compromise a fully patched MacBook Pro and win the first PWN2OWN contest at CanSecWest 2007. In 2008, eWEEK named him one of the 15 Most Influential People in Security.