Securing Web Browser using Sandboxie and an Unprivileged User
After last week’s fiasco of getting pwned by what looked like an overflow bug exploited in the latest Firefox (3.6.3), it dawned on me today the simplest way to lock this one down – Way simpler than a Virtual Machine and with zero impact on performance – and a mild hit on ease of use… User privileges!
Hello! McFly!! I should have been running my browser as an unprivileged user already. Doh!
Then I remembered there is a very useful little program that does sandboxing really well called Sandboxie – How well does it stand up to getting pwned? Probably pretty well, unless the exploit is targeted at the browser and the sandbox tech – which is extremely unlikely. In that case, running in a sandbox with an unprivileged user would take care of pretty much everything – but it might be a bit of overshooting. Sandboxie loads a kernel-mode driver and provides really nice controls over what is allowed and what isn’t, it boxes up whatever changes the app wants to do but is not directly allowed, and lets you review them. Not only can you see what you’re doing, prevent malware, but actually see that something bad was about to happen. Really cool tech.
Using just an unprivileged user is pretty rock solid safe – but it is also a royal pain in the ass. Operations fail all the time – especially in Windows where every program thinks they ought to own the box, you’ve got to mess with the event viewer to figure out what the program tried to do that failed and made it explode, then figure out what permissions to give it – and remember to take them away if it was just a temporary thing – Then to top it all off, half the settings get stored in the profile or home directory of the unprivileged user the browser was running under – so when you try to run it under an administrator ID to change that something that wasn’t working as a regular user – whatever you wanted to change is not there anymore. Enough rant… Lets see what happens.
I’ve got no ties to Sandboxie other than its a fine piece of software for a decent price (around $30) – Anyone have any other similar tech to recommend in this area of Windows browser safety?
PS: Anyone who suggests either Linux or a Mac will be cursed to have hair grow out of their ears until it looks like ponytails.