Instead of the usual top ten lists that are all-too-common with predictions for the new year, I have just one:  2010 will be the year of desktop applications handling untrusted data in sandboxed processes, and it will be about time.

Since the release of Windows XP SP2, there have been significantly fewer network-based Internet worms (Conficker being a notable and recent exception).  This is largely due to two things: XP SP2 turned the Windows Firewall on by default, and Wi-Fi.  Yes, Wi-Fi.  The rapid adoption of wireless networking at around the same time that XP SP2 was released drove many home users to purchase wireless base stations, and almost all of these included a firewall.  This drastically reduced the amount of Windows attack surface available to an attacker scanning the Internet for targets.


Now let’s fast-forward to the present day.  The largest Internet security threats now arrive through malicious web pages or e-mail attachments.  This is because attackers are opportunistic and these are the weakest links, especially because they pass easily through every firewall.  Security is not, and never was, about SYN packets; it is about data: the software attack surface that attacker-controlled data interacts with, and what sensitive data the attacker can get hold of if they can exploit vulnerabilities in that software.  While network firewalls reduce the attack surface over the network, they don’t do anything for Internet-enabled desktop software.

The desktop analogue to the network firewall is the privilege-separated and sandboxed application.  These mechanisms finally move the bull (untrusted data) from the china shop (your data) to the outside where it belongs (a sandbox).  While it doesn’t quite reduce the attack surface, it significantly raises the bar for an attacker through defense-in-depth.  If an attacker is able to exploit a vulnerability and execute code, they must then exploit another vulnerability in the sandboxing mechanism in order to break free and so much as read the user’s data.

Windows Vista introduced Protected Mode Internet Explorer, which was a step in the right direction.  An exploit against Internet Explorer on Vista and 7 will run with Low Integrity, so it can’t change or harm your system.  It can only upload all of your sensitive information to the attacker (Phew!).  Google’s Chrome web browser, on the other hand, performs most handling of untrusted data in sandboxed renderer processes.  On Windows Vista and 7 these renderer processes even run with Low Integrity for greater protection.  Microsoft Office 2010 is slated to contain a Protected View feature, similar to Protected Mode Internet Explorer, where potentially dangerous Office files from the Internet can be viewed in a read-only environment.
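The broker/worker split that the two paragraphs above describe (Chrome’s sandboxed renderers, IE’s Low Integrity process) can be shown in miniature on any POSIX system.  The following is an added example written for this page, not code from the article or from any of the products it mentions.  It stands in for integrity levels and the Chrome sandbox with two POSIX resource limits (RLIMIT_CPU and RLIMIT_FSIZE) plus a wall-clock timeout, which are enough to show the two properties that matter: the worker never holds the user’s data, and the broker validates everything that comes back.  The document format, the `spin` and `write` directives (stand-ins for a parser bug and for what an attacker would do after exploiting one), and all inputs are constructed for the demonstration.

```python
"""Privilege-separated parsing: a broker keeps the privileged side, and a
throwaway worker process parses untrusted bytes under tight limits, talking
back only through one JSON object.  Added example; POSIX only."""
import json
import os
import resource
import subprocess
import sys
import tempfile

# Worker side.  It sees nothing but the untrusted document on stdin.  The
# "spin" and "write" directives are constructed stand-ins for a parser hang
# and for an escape attempt; they are not features of any real format.
WORKER_SRC = r"""
import json, sys
data = sys.stdin.buffer.read(1 << 20)          # never read more than 1 MiB
fields = {}
for line in data.decode("utf-8", "replace").splitlines():
    key, sep, value = line.partition("=")
    if not sep:
        continue
    if key == "spin":                           # simulated runaway parser
        while True:
            pass
    if key == "write":                          # simulated escape attempt
        with open(value, "w") as fh:
            fh.write("owned")
    fields[key] = value
sys.stdout.write(json.dumps(fields))
"""

MAX_FIELDS = 100       # broker-side policy on what a parse may return
MAX_LEN = 1024
MAX_OUTPUT = 64 * 1024


def _confine():
    # Runs in the child between fork and exec.  CPU is capped at 2 s, and
    # RLIMIT_FSIZE=0 makes any write to a regular file fail with EFBIG, so the
    # worker cannot leave anything behind on disk even if its code is hostile.
    resource.setrlimit(resource.RLIMIT_CPU, (2, 2))
    resource.setrlimit(resource.RLIMIT_FSIZE, (0, 0))


def parse_untrusted(document: bytes, scratch_dir: str) -> dict:
    """Broker side: run the parser confined, then distrust its answer too."""
    try:
        proc = subprocess.run(
            [sys.executable, "-I", "-S", "-c", WORKER_SRC],
            input=document, capture_output=True, timeout=10,
            cwd=scratch_dir, env={}, preexec_fn=_confine,
        )
    except subprocess.TimeoutExpired:
        return {"ok": False, "reason": "worker exceeded wall-clock limit"}
    if proc.returncode != 0:
        return {"ok": False, "reason": f"worker died (status {proc.returncode})"}
    if len(proc.stdout) > MAX_OUTPUT:
        return {"ok": False, "reason": "worker output too large"}
    try:
        fields = json.loads(proc.stdout)
    except ValueError:
        return {"ok": False, "reason": "worker output was not JSON"}
    # A compromised worker controls this channel, so shape, count and size are
    # checked before anything crosses to the privileged side.
    if (not isinstance(fields, dict) or len(fields) > MAX_FIELDS
            or any(not isinstance(k, str) or not isinstance(v, str)
                   or len(k) > MAX_LEN or len(v) > MAX_LEN
                   for k, v in fields.items())):
        return {"ok": False, "reason": "worker output failed validation"}
    return {"ok": True, "fields": fields}


def demo() -> dict:
    """Three constructed documents: benign, one that hangs the parser, and one
    that tries to drop a file.  Returns each outcome and whether the file
    actually got any content."""
    with tempfile.TemporaryDirectory() as scratch:
        target = os.path.join(scratch, "escaped.txt")
        results = {
            "benign": parse_untrusted(b"title=Quarterly report\nauthor=alice\n", scratch),
            "hang": parse_untrusted(b"title=x\nspin=1\n", scratch),
            "escape": parse_untrusted(f"title=x\nwrite={target}\n".encode(), scratch),
        }
        results["file_written"] = os.path.exists(target) and os.path.getsize(target) > 0
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The hang case ends with the kernel delivering SIGXCPU to the worker, the escape case ends with an EFBIG error inside the worker; in both the broker sees only a failed child and the user’s side of the process boundary is untouched.  Real sandboxes add what this sketch omits (a restricted token or seccomp filter, no network, a brokered file API), but the shape of the design is the same.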

So in 2010, Windows 7 will pick up the slack from the slow adoption of Windows Vista, and more former XP users will gain the benefit of the security improvements in Vista and 7, including Protected Mode IE.  Google Chrome has overtaken Safari as the #3 browser and will have a stable release for Mac and Linux.  Microsoft Office 2010 will include Protected View for viewing files from the Internet.  Apple’s Leopard and Snow Leopard have implemented sandboxing for network services, some background daemons, and QuickLook previews of files in the Finder and attachments in Mail.

Et tu, Adobe?

* Dino Dai Zovi is a security researcher and the co-author of the books “The Mac Hacker’s Handbook” (Wiley, 2009) and “The Art of Software Security Testing” (Addison-Wesley, 2006).  He discovered and exploited a new multi-platform QuickTime vulnerability in one night to compromise a fully patched MacBook Pro and win the first PWN2OWN contest at CanSecWest 2007.  In 2008, eWEEK named him one of the 15 Most Influential People in Security.


Comments (8)

  1. Slow

    hahahahahaha, Brad Arkin already dismissed that “Sand Box” mumbo jumbo in his interview, they’re never gonna happen…let the Adobe exploit massacre continue unabated *yay*. Kudos to Apple, Google, and Microsoft security teams for bringing the cluestick to their devs.

    p.s. Can we nominate Brad’s interview on Threat Post already for 2010 pwnie awards? For the way he completely ignored every tough question Ryan and Dennis threw at him and all he could say was “Hey gais we’ve got Javascript blacklist!!”…WORST VENDOR RESPONSE TO A SOFTWARE SUITE EXPLOIT MASSACRE EVER.

  2. al wilson

    I have had 2 techs from Brighthouse because I cannot send and sometimes receive e-mails. They told me that it was due to my Kaspersky, saying that that program was not and will not work with Vista 32 or 64 until around the middle of or the end of 2010. Yesterday I took a chance and disabled Kaspersky completely and tried to send a message to someone, and when I tried to send I got a message saying “this message could not be sent”, so I guess it was not Kaspersky. What can I do? I ran a deep scan and it came up with 2 criticals and they were both from Java, and when I tried to quarantine them it wouldn’t let me.  HELP, HELP, HELP. Thanks. awilson88@tampabay.rr.com

  3. Ben

    I love a product called Sandboxie, though it does not support 64-bit Windows currently. But it lets you try untrusted programs to see what they do, and you can completely remove any impact they had on your system. I so wish Microsoft would build something like that into Windows.  Very often you have a nice stable system and then there is something you have to install or use, but you don’t really want to take the risk. A built-in Sandboxie is what Windows really needs.

  4. Chuck Wright

    I don’t know much about the “tech” stuff; all I want to know is, is my computer safe? How can I tell? When I got my last virus, it came from an unlikely source.

  5. Anonymous

    I have two questions regarding security, related to several issues that I have read on the Internet, and I would like to know if they are true.

    1. How much time would it take a security expert to remotely get user level on a selected laptop with the Windows XP OS and a firewall installed? (The laptop is not visiting any web page.)

    2. I have read that there are several exploits for Windows XP floating among security experts. Is it true? If so, how much time would it take to get into the laptop if the exploit works?

    How is it possible that Microsoft doesn’t know about these exploits?
