Why is windows bad at sandboxing malware?

[Bubble99]

The idea is the browser does not to have read and write access out side it's folder area and thus it means it cannot read and write to other files and folders.

Well in old days windows like windows 95 and windows 98 programs/applications and browsers like internet explore had full access and ran in administrator mode.

Windows vista and windows 7 started sandboxing and not running in administrator mode.

In theory sandboxing sounds great!! But in real world many malware are clever and can bypass the sandboxing.

So the question is if user does not install a programs/applications or click yes for setting change what is going on. Why is the malware bypassing the sandboxing? Allowing read or write access.

1 a flaw in the way the sandboxing works?

2 a flaw in OS that has so many security holes that they are always bringing out patches for many vulnerable.

3 The way the OS is built that leads to lack of security and NOT much can be done but built new OS from ground up!! But all software and hardware will not work!!Why? Because of support of old hardware and old software. So it sorta of like how do we do this when people want support for old hardware and old software.

4 Java or flash? Do away with Java or flash and we will not have many of the problems.

5. The way the internet is? The internet needs big make over?

Only other way is to install virtual machine or emulator . So if the browser sandbox application or OS gets malware there is less likelihood.

Like running windows 7 but surfing internet in mini Linux OS emulator using Linux browser.

Does Java or flash really have to go? How bad is Java or flash?

Why is adobe so bad?

What can be done? Is it time for windows to make new OS from ground up? Or in perfect world yes? But probably will not happen for other 5 to 10 years if ever?

But yes even some people say OS X is starting to get old and Apple should work on new OS to replace OS X. Note the GUI can still look the same but under the hood every thing is different. But the problem is none of the old hardware and old software will work.

 

[AidenShaw]

The idea is the browser does not to have read and write access out side it's folder area and thus it means it cannot read and write to other files and folders.

Well in old days windows like windows 95 and windows 98 programs/applications and browsers like internet explore had full access and ran in administrator mode.

Windows vista and windows 7 started sandboxing and not running in administrator mode.

In theory sandboxing sounds great!! But in real world many malware are clever and can bypass the sandboxing.

So the question is if user does not install a programs/applications or click yes for setting change what is going on. Why is the malware bypassing the sandboxing? Allowing read or write access.

1 a flaw in the way the sandboxing works?

2 a flaw in OS that has so many security holes that they are always bringing out patches for many vulnerable.

3 The way the OS is built that leads to lack of security and NOT much can be done but built new OS from ground up!! But all software and hardware will not work!!Why? Because of support of old hardware and old software. So it sorta of like how do we do this when people want support for old hardware and old software.

4 Java or flash? Do away with Java or flash and we will not have many of the problems.

5. The way the internet is? The internet needs big make over?

Only other way is to install virtual machine or emulator . So if the browser sandbox application or OS gets malware there is less likelihood.

Like running windows 7 but surfing internet in mini Linux OS emulator using Linux browser.

Does Java or flash really have to go? How bad is Java or flash?

Why is adobe so bad?

What can be done? Is it time for windows to make new OS from ground up? Or in perfect world yes? But probably will not happen for other 5 to 10 years if ever?

But yes even some people say OS X is starting to get old and Apple should work on new OS to replace OS X. Note the GUI can still look the same but under the hood every thing is different. But the problem is none of the old hardware and old software will work.

The Edge browser in Windows 10 supports sandboxing. http://www.zonealarm.com/blog/2015/08/3-security-features-in-microsofts-edge-browser/

 

[lowendlinux]

Linux has a program called firejail that will allow you to sandbox any application. Since it's not new or novel I'd imagine Windows has something similar.

 

[Bubble99]

Linux has a program called firejail that will allow you to sandbox any application. Since it's not new or novel I'd imagine Windows has something similar.

I don't think you can run firejail on windows.

Building an OS like Lego building blocks sound good but probably will look like iOS!! It be so locked down and sandbox it would be hard for one app to talk to other app and do much work. So Microsoft probably took less module approach from NT base systems and outwards with base more on user profile rights than file write and read privileges rights.

Even Linux and OS-X is not that module.

With all the latest malware and ransomware Microsoft is going to have to start doing some thing.

Gone all days of the typical home users getting malware!! Now government and business are getting malware. This going to put lot more pressure on Microsoft to start to do some thing now.

 

[jeremysteele]

With all the latest malware and ransomware Microsoft is going to have to start doing some thing.

Gone all days of the typical home users getting malware!! Now government and business are getting malware. This going to put lot more pressure on Microsoft to start to do some thing now.

If people would keep their machines updated, they wouldn't have an issue. The common denominator of many of the recent ransomware attacks is they are attacking out of date installs that have open vulnerabilities.

 

[BigMcGuire]

I'm a long time windows user who has many years in tech support as well many years of programming development for Windows. I'm generalizing a lot but Windows wasn't built with security in mind from the ground up like Unix was. Then you have companies poorly paying an under-educated IT staff to maintain Windows machines where they either set everyone up as Administrator or the users are left in a User only environment where their machines never get updates timely.

Most people who use a computer aren't going to take the time to get to know everything about it to prevent problems. I've run Windows for my entire life and I've never gotten a virus - I don't use IE and I don't do stupid things like opening files when I have no idea where they came from.

The user will always be the weak point. Doesn't help that Windows badly implemented UAC so that even today the first Google result for UAC tells you how to disable it. Because everything you have to do on Windows requires Admin access people get very accustomed to just clicking "yes" to any and all admin access prompts.


Microsoft has always been a magnet for malware - I've been removing it for over a decade. I don't think anything is going to change. Companies will continue to poorly pay poorly educated IT then wonder why their computers get "hacked" when their employees spend most of their time downloading free wallpaper apps. Users will continue to do what is easiest and click YES on every admin popup. And Microsoft will continue to need Admin access to do even the most minuscule things.


I used to think VMWare was the answer but to maintain that and re-set it up when it goes south is not easy (also requires personal data to be elsewhere).

Great question. I don't think I answered it.

 

[Tech198]

I'll give it a shot..

Its possible that Windows linked/shared DLL's play a huge page in this, and browser security issues. Not always, but it would be the primary target, even with sandboxing, there must be calls to the OS, which would lie outside than sandbox..

Only the app is sandboxed or associated files are sandbox, but there must be always a link to the OS itself which lies underneath..

If there is a link, there will be a way in,. The Keneral is a lower layer to the OS so any protection sits above the kernal. Therefore, if you can attack the kernal (root access) then you can get access to everything.

Kind of like "root" access on Mac.

 

[throAU]

because windows attempts to maintain varying degrees of binary compatibility with software that was originally written without security in mind and is up to 20-30 years old.

other platforms do not.

sand boxing is only as good as the software enforcing the sandbox, and windows is a mess. it's better than it used to be by a long way, but the compatibility maintenance above means that there's heaps of code still in windows that was originally written 20-30 years ago. font handling for example... smbv1 file sharing for another...unless you manually disable it. plenty of other such examples...

 

[Bubble99]

I'll give it a shot..

Its possible that Windows linked/shared DLL's play a huge page in this, and browser security issues. Not always, but it would be the primary target, even with sandboxing, there must be calls to the OS, which would lie outside than sandbox..

Only the app is sandboxed or associated files are sandbox, but there must be always a link to the OS itself which lies underneath..

If there is a link, there will be a way in,. The Keneral is a lower layer to the OS so any protection sits above the kernal. Therefore, if you can attack the kernal (root access) then you can get access to everything.

Kind of like "root" access on Mac.

I think what you mean by link is in windows if you can right click on file save as and save any where on the computer than malware could do that.

If you can go on the internet and install any program than any malware can do that.

Microsoft would have to do like iOS not allow file manger to save any where on your computer out side your home folder even if you really wanted to do that. Because malware could do that.

Not allowing downloading and installing software from the internet but the app store.

You have strip OS make more iOS not allowing easy copying and pasting from one app to other app. Not allowing one app to communicate to other app.

More locked down and strip OS.