Google Chrome Updating

[yabbadoo]

Google Chrome cannot update within Sandboxie, it fails every time and I have to update with an unsandboxed browser.

Is there an answer to this ?

[Guest10]

That behaviour is intentional.

[yabbadoo]

That behaviour is intentional.

Please explain. Intentional by what, why, and who.

[Guest10]

There is no setting in Sandboxie that will allow Chrome to write outside of the sandbox to its program files folder, for security reasons.

Typically, the Chrome program files are located in the user's:
"%Local AppData%\Google\Chrome\Application"
folder, but in some cases the Chrome program files have been found to be located underneath the user's %ProgramFiles% folder.

Even if you select "Allow Direct Access to entire Google Chrome profile folder", you are only allowing writes out of the sandbox to:
"%Local AppData%\Google\Chrome\User Data\Default"
But, as you can see, that's not where Chrome needs to update its program files.
Also, there's no allowance for Chrome to update any Registry keys when it runs sandboxed, so anything that Chrome might try to write to the Registry during an update would stay in the sandboxed Reghive.

Allowing Chrome to update itself while sandboxed would only result in the updated program files being written to a copy of its program files folder that's inside of the sandbox, and those program files would not be updated outside of the sandbox.

It's possible that sandboxed Chrome would run the updated program version, if it was allowed to update while sandboxed - until the sandbox contents are deleted. At that point Chrome would be the old version, whether it's run normally or sandboxed.

Sandboxie is supposed to check on the location of the chrome.exe program that's running, if an update request comes while Chrome is running sandboxed. If the chrome.exe file is located inside of the sandbox, then it should allow the Chrome update to proceed since the Chrome program files are inside of the sandbox - and it's not necessary to update those files outside of the sandbox.
I've never tested that since I have Chrome installed normally. The same rule applies to Firefox updates.

[yabbadoo]

@ Guest 10

That is an immaculate and thoroughly technical description of programmed events. I thank you gratefully for taking the time to compile and post it. Such a detailed description must be of value to other readers and it has certainly more than satisfied my own lack of knowledge.

Thank you - yabbadoo

[Dun]

http://forums.sandboxie.com/phpBB3/view ... 79#p102379

[yabbadoo]

http://forums.sandboxie.com/phpBB3/view ... 79#p102379

Google Chrome has no sandbox. The term is used liberally to cover a programmable restriction which forces risk elements to inhabit a programmed "loop" where they are said to be confined. It is not remotely comparable with Sandboxie where the entire browser in engulfed in a virtual environment.

If the Chrome "sandbox" innovation does improve the browser security, fine, but I pay no credible attention to it. Every little helps.

Whatever the merits of Chrome`s "sandbox", there is no conflict with Sandboxie since the operational concept is "a box within a box".

A kind of poor man`s alternative which is based significantly on Windows security system !

To rely on MS Windows security is a joke. It is about as safe as driving on the wrong side of the road or going the wrong way down a one-way street.

In my case, using the brilliant and perfectly operating Windows XP, I have no Windows security after 1 April 2014. So how can this fictitious Chrome "sandbox" help me and millions of other XP users ? Sandboxie takes over from MS Windows with exceptional and indomitable efficiency. I have no use for Windows security and their incessant bombardment of patches.

Incidently, Chrome is my primary and well loved default browser and has been for about 6 years.

[DR_LaRRY_PEpPeR]

You mean April 8 (or May 1 if counting the out-of-band IE update), officially.

XP updates are still available for 5 more years (I don't see there being any issues, although they could make them harder to install at some point; trivial change to enable for now). This really is the miracle of our time.

Windows updates, like updating any software (or even more so), are very important by fixing holes in the first line(s) of defense. If certain Windows flaws are exploited, Chrome's "sandbox" (restrictions, I agree with you) can no longer operate as it should, and critical bypasses can happen.

At some point, it's the same with Sandboxie. Sandboxie's operation relies on Windows' security! If that critical foundation is compromised in any way, so is the potential for Sandboxie to be.

[Dun]

I wasn't talking about Chrome's sandbox. I meant Sandboxied chrome = Chrome running inside Sandboxie

[yabbadoo]

Dr. Larry Peprer in his interesting post, stated this :-

"At some point, it's the same with Sandboxie. Sandboxie's operation relies on Windows' security! If that critical foundation is compromised in any way, so is the potential for Sandboxie to be."

I find this an astonishing revelation to hear that Sandboxie is dependant on Windows security. A formidable anchor chain dependent on a weak link.

Please, would one of our Sandboxie experts clarify this enlightening and surprising statement in detail ? It is one of the most radical statements I have ever come across concerning Sandboxie. A real confidence shaker.

[Buster]

Dr. Larry Peprer in his interesting post, stated this :-

"At some point, it's the same with Sandboxie. Sandboxie's operation relies on Windows' security! If that critical foundation is compromised in any way, so is the potential for Sandboxie to be."

I find this an astonishing revelation to hear that Sandboxie is dependant on Windows security. A formidable anchor chain dependent on a weak link.

Please, would one of our Sandboxie experts clarify this enlightening and surprising statement in detail ? It is one of the most radical statements I have ever come across concerning Sandboxie. A real confidence shaker.

Sandboxie does not protect from Windows security holes. Example: Blaster worm would have infected your computer even if you were using Sandboxie.

[yabbadoo]

Sandboxie does not protect from Windows security holes. Example: Blaster worm would have infected your computer even if you were using Sandboxie.

Amazing ! The plot is thickening statement by statement.

My solid belief until now was that Sandboxie provided in effect a virtual hard drive, a virtual environment in which all the bugs can have a party, without any risk of infection whatsoever to the users PC. THAT is the unique and incredible property which I firmly believed that Sandboxie offered to all its loyal and faithful users.

But now, it seems to be all going pear shaped. What are we to believe ? Is our wonderful and revered Sandboxie just another ordinary AV program complete with ordinary holes and reliant on MS Windows security for buoyancy ?

I feel that the damaging statements being made here about Sandboxie`s credibility are the most important statements made on this entire Forum and need some urgent factual and descriptive clarification.

[DR_LaRRY_PEpPeR]

Well that was a remote thing, Buster, affecting a component (service I guess?) that wouldn't be running in Sandboxie anyway, so not a very good example. A minor point, but it'd be like using one of the Windows Firewall exploits as an example.


yabbadoo, Sandboxie, especially with version 4, uses the Windows' security mechanisms to not allow sandboxed programs to do anything (basically). That was one of its primary changes -- using official Windows stuff that would work more "officially" with future Windows versions (and updates), instead of the kernel "hacks" and patching type stuff in 3.x, etc. (Although it also cannot protect, in theory, if certain Windows holes were exploited, depending on circumstances.)

Since the programs themselves have no [access] abilities, Sandboxie of course does stuff for them. If all of a sudden an exploit (or chain of them), allow them to gain rights, they could do something without Sandboxie "OK-ing" it. Again, depending on circumstances (not sure how much Sandboxie interferes with exploit expectations if not targeting Sandboxie).



Oh no, yabba, AV (ordinary or not) is garbage and would never be given consideration (can easily be bypassed/stopped compared to Sandboxie). Only Sandboxie all the way!

[Buster]

Sandboxie protects system isolating applications. Windows does not run under Sandboxie´s supervision, so if there is a security hole in the OS, Sandboxie will not prevent it.

That´s pure logic and there is nothing new or surprising on it.

[yabbadoo]

@ Dr. Larry Peprer

I simply love your dialogue, it all makes a very logical and technical picture - thank you for the information and interest you provide.

Buster wrote in his latter post :-
"Sandboxie protects system isolating applications. Windows does not run under Sandboxie´s supervision, so if there is a security hole in the OS, Sandboxie will not prevent it.

That´s pure logic and there is nothing new or surprising on it."

Firstly I personally see no logic in this comment and it is new and surprising news to me.

Secondly, it is devastating to know that if the OS is shot full of holes, Sandboxie`s virtual environment becomes useless. Rather naively, I thought that the playground for all those naughty bugs was confined to the world of the browser, a completely separate program and nothing to do with the OS, which is in most cases Windows. Sandboxie simply wrapped up the browser in a virtual protective umbrella.

Surely it is not being suggested that Sandboxie or any other reputable AV program depends on the fallibility and doubtful qualities of the OS. If the jail guard depends on the prisoner to hand him the key, what kind of logic is that ?

Program compatibility is obviously essential, but security is a completely separate issue. I cannot accept that an independent security system is remotely associated with the security provision of an OS. There is simply no reason at all why the two separate functions should have any connection whatsoever other than operational compatibility.

Windows so called security is no more than a very patched up football.