Full Disclosure mailing list archives
RE: Want to test this desktop barrier?, (Unauthorized offer) 0day protection
From: "Bill Stout" <bill.stout () greenborder com>
Date: Fri, 9 Jun 2006 17:47:03 -0700
Hi Dan,

There's a couple of ways it differs.

1. Programs running in DROPMYRIGHTS and RunAs can still access files and directories to which 'everyone' has access. It's not common for someone to check rights of every single directory in a computer to check who has access to what. A virtualized environment controls what directories the environment has access to, to prevent dropping files in unwanted areas, and to prevent reading confidential data from files. For example; MS-Word launched in the virtualized space to open a download shouldn't be able to open files in 'My Documents'.

2. DROPMYRIGHTS and RunAs exclude membership of the lowered user from known privileged user groups, but not custom privileged user groups. For example; you may have created a new group for backup (backup_exec), and since that new group is not a known privileged group, membership of the lowered user of that group is ignored. See tables in:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/html/secure11152004.asp

3. Changing the access permissions of a program to certain resources often causes the program to crash. It's a problem if the only permissions available are read/write/modify/delete/enumerate, and it's undesirable to write or modify a value, and a program has to write or modify a value to run. For usability reasons, effectively having a 'virtualize' permission is useful. This way only a copy of the value or a temporary value is changed, which permits the program to run without crashing in a controlled environment. This virtualization can be done for filesystem and registry, but also system calls and COM can be virtualized (spoofed) to the virtual environment.
HTH

Bill Stout

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Dan Renner
Sent: Thursday, June 08, 2006 10:33 AM
To: full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] Want to test this desktop barrier?,(Unauthorized offer) 0day protection

This definitely has more luxury features, but couldn't you do pretty much the same with MSDN's DROPMYRIGHTS program?

It runs {whatever} program as a guest user, effectively dropping the capabilities of that program to do nefarious things.

----------------------------------
Sincerely,

Dan Renner
President
Los Angeles Computerhelp
http://losangelescomputerhelp.com
818.352.8700

full-disclosure-request () lists grok org uk wrote:
Message: 9
Date: Thu, 8 Jun 2006 10:14:21 -0700
From: "Bill Stout" <bill.stout () greenborder com>
Subject: [Full-disclosure] Want to test this desktop barrier? (Unauthorized offer) 0day protection
To: <full-disclosure () lists grok org uk>
Message-ID: <1FA45C2E5F2E4B46967415DA3A804FE83C3A1C () mail greenborder com>
Content-Type: text/plain; charset="us-ascii"

Hello All,

We have an early release of consumer desktop safety software that I'd like some feedback on. http://www.greenborder.com/earlyaccess/

Our software runs on XP SP2, and creates an application-level virtual environment primarily (for now) for Internet Explorer. This prevents modification of the base system by any content in the virtual environment. We refer to the virtual environment as 'x-space', or 'within GreenBorder'.

We apply access control from the virtual environment to; the filesystem, registry, user shell, COM objects, and system calls. Although only Internet Explorer and applications which open downloaded attachments are supported, other applications can be launched in the GreenBorder environment. Any processes running or temporary files or temporary registry entries are wiped from the virtual environment by an application reset. Files can be saved to a specific directory only, and applications in this environment are prevented from reading files outside this one directory (applies confidentiality).

We don't determine what application running in the virtual environment is malicious or not, so therefore this is not a replacement for signature based protection systems. Most anything can run in the environment, it just can't modify local resources. This is great protection for 0-day exploits, and lets administrators wait to apply patches off-hours.

Hammer on our software by running malware of your choice in the software environment. Please email me or the marketing email of your results. If you're running intensive tests, I would still recommend using a scratch system.

We also have an enterprise version which uses a central whitelist to determine in which environment to open a site requested or Outlook message received.

Bill Stout
www.greenborder.com

Appended below is our marketing spiel:

"We are very pleased to give you special, early access to GreenBorder Pro, the new consumer edition of our patented enterprise technology (that's already protecting thousands of users in some of the most demanding environments).

With GreenBorder Pro, NOTHING CAN BREAK INTO YOUR PC from the Web. You can:

* Search & browse ANY website-without putting your PC, files or private identity data at risk (or leaving any trace on your PC of where you have been :)
* Shop & bank in privacy-without anything spying on your personal info, bank account and credit card numbers, passwords or online transactions
* Use any downloads-without worrying about anything nasty hidden inside

Simply click on the link below to get to the GreenBorder Pro VIP page. There, you can see a guided tour, learn about the software, and download your own copy. Here is a special VIP license key to copy & paste when you install:

34422VS222222222222279429422K44W

Click here to get GreenBorder Pro <http://www.greenborder.com/earlyaccess>

We would greatly appreciate any comments or suggestions you might have along the way. Just email us at vip () greenborder com or click on the GreenBorder icon and select Contact Customer Support in the software itself!"

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060608/e9340292/attachment.html
------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

End of Full-Disclosure Digest, Vol 16, Issue 16
***********************************************
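An added illustration, not part of the original messages and not GreenBorder's code: a toy copy-on-write file view in Python showing the 'virtualize' permission from point 3 (writes land on a private copy), the directory confinement from point 1, and the application reset from the quoted announcement. The class name, method names, directory layout and file contents are all assumptions constructed for the example.

```python
import shutil, tempfile
from pathlib import Path

class VirtualView:
    """Toy copy-on-write view: only `allowed` sub-directories of `base` are visible."""

    def __init__(self, base, allowed):
        self.base = Path(base).resolve()
        self.allowed = [(self.base / a).resolve() for a in allowed]
        self.shadow = Path(tempfile.mkdtemp(prefix="xspace-"))

    def _resolve(self, rel):
        real = (self.base / rel).resolve()   # collapses ".." and symlinks first
        if not any(a == real or a in real.parents for a in self.allowed):
            raise PermissionError(f"{rel!r} is outside the virtual environment")
        return real, self.shadow / real.relative_to(self.base)

    def read(self, rel):
        real, shadow = self._resolve(rel)
        # A shadow copy, if the program wrote one, hides the real file.
        return (shadow if shadow.exists() else real).read_bytes()

    def write(self, rel, data):
        _, shadow = self._resolve(rel)
        shadow.parent.mkdir(parents=True, exist_ok=True)
        shadow.write_bytes(data)             # the real file is never written

    def reset(self):  # "application reset": discard every change made in the view
        shutil.rmtree(self.shadow, ignore_errors=True)
        self.shadow.mkdir(exist_ok=True)

def demo():
    base = Path(tempfile.mkdtemp(prefix="base-"))   # constructed sample tree
    for rel, body in {"Downloads/report.doc": b"v1",
                      "My Documents/tax.xls": b"secret"}.items():
        (base / rel).parent.mkdir(parents=True)
        (base / rel).write_bytes(body)
    view = VirtualView(base, allowed=["Downloads"])
    view.write("Downloads/report.doc", b"v2")       # program "modifies" the file
    inside = view.read("Downloads/report.doc")      # the program sees its change
    outside = (base / "Downloads/report.doc").read_bytes()  # base system unchanged
    try:
        view.read("Downloads/../My Documents/tax.xls")
        blocked = False
    except PermissionError:
        blocked = True
    view.reset()
    return inside, outside, blocked, view.read("Downloads/report.doc")
```

Calling `demo()` returns what the confined program saw, what the real file holds, whether the read outside the allowed directory was refused, and what the program sees after a reset.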
Current thread:
- Re: Want to test this desktop barrier?, (Unauthorized offer) 0day protection Dan Renner (Jun 09)
- Re: Want to test this desktop barrier?, (Unauthorized offer) 0day protection Christian Swartzbaugh (Jun 09)
- RE: Want to test this desktop barrier?, (Unauthorized offer) 0day protection Bill Stout (Jun 09)
- Re: Want to test this desktop barrier?, (Unauthorized offer) 0day protection Morning Wood (Jun 10)