By +Dietrich Schmitz
(tap tap....is this mic on?)
|Windows 8 (x86) Security|
A veritable leaking collander.
So far as I can tell, several hackers have succeeded in pawning Windows Legacy (x86). And from my perspective security should not be part of the responsibility of third-party software developers, that is, to bolster their applications with security sandboxes.
No, this is a complete diversion from the real, ongoing, old story. Microsoft's Windows 8 Legacy (x86) suffers from and inherits the circa 2000 WinNT kernel replete with all of its attendant security woes-- Windows is a collander.
The real issue is, if an exploit does succeed in breaking from a buffer overflow and attempts to escalate and access administrative privileges, why isn't the underlying operating system, Windows, intercepting the SYSTEM call process id? Hmm. Good question.
And, Google Engineers have all along (several years) inserted into their Chromium.org documentation their 'caveats' regarding just how much bolstering they can do on a Windows platform. It is clearly written and this is the text:
The operating system might have bugs. Of interest are bugs in the Windows API that allow the bypass of the regular security checks. If such a bug exists, malware will be able to bypass the sandbox restrictions and broker policy and possibly compromise the computer. Under Windows, there is no practical way to prevent code in the sandbox from calling a system service.
In addition, third party software, particularly anti-malware solutions, can create new attack vectors. The most troublesome are applications that inject dlls in order to enable some (usually unwanted) capability. These dlls will also get injected in the sandbox process. In the best case they will malfunction, and in the worst case can create backdoors to other processes or to the file system itself, enabling specially crafted malware to escape the sandbox."
|Chrome Sandbox Status Screen|
 Edit: Pwnium 3 will take place on-site at the CanSecWest conference on March 7. Contestants will attempt to hack a Samsung 550 Chromebook. Pwnium 1 & 2 were held last year in two separate locations.
Update: As predicted, all Chrome OS hack attempts failed.