Update CHANGELOG.md
This commit is contained in:
parent
a61619e932
commit
dca2dc5ba5
40
CHANGELOG.md
40
CHANGELOG.md
|
@ -347,7 +347,7 @@ This project adheres to [Semantic Versioning](http://semver.org/).
|
||||||
## [1.0.16 / 5.55.16] - 2022-04-01
|
## [1.0.16 / 5.55.16] - 2022-04-01
|
||||||
|
|
||||||
### Added
|
### Added
|
||||||
- FIXED SECURITY ISSUE: memory of unsandboxed processes can no longer be read, exceptions are possible
|
- FIXED SECURITY ISSUE ID-20: memory of unsandboxed processes can no longer be read, exceptions are possible
|
||||||
-- you can use ReadIpcPath=$:program.exe to allow read access to unsandboxed processes or processes in other boxes
|
-- you can use ReadIpcPath=$:program.exe to allow read access to unsandboxed processes or processes in other boxes
|
||||||
- Added "Monitor Mode" to the resource access trace, similar to the old monitor view of SbieCtrl.exe
|
- Added "Monitor Mode" to the resource access trace, similar to the old monitor view of SbieCtrl.exe
|
||||||
|
|
||||||
|
@ -366,7 +366,7 @@ This project adheres to [Semantic Versioning](http://semver.org/).
|
||||||
|
|
||||||
### Fixed
|
### Fixed
|
||||||
- fixed memory corruption introduced in the last build causing Chrome to crash sometimes
|
- fixed memory corruption introduced in the last build causing Chrome to crash sometimes
|
||||||
- FIXED SECURITY ISSUE: NtCreateSymbolicLinkObject was not filtered (thanks Diversenok)
|
- FIXED SECURITY ISSUE ID-18: NtCreateSymbolicLinkObject was not filtered (thanks Diversenok)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -392,14 +392,14 @@ This project adheres to [Semantic Versioning](http://semver.org/).
|
||||||
- fixed issue enumerating registry keys in privacy mode
|
- fixed issue enumerating registry keys in privacy mode
|
||||||
- fixed settings issue introduced in 1.0.13 [#1684](https://github.com/sandboxie-plus/Sandboxie/issues/1684)
|
- fixed settings issue introduced in 1.0.13 [#1684](https://github.com/sandboxie-plus/Sandboxie/issues/1684)
|
||||||
- fixed crash issue when parsing firewall port options
|
- fixed crash issue when parsing firewall port options
|
||||||
- FIXED SECURITY ISSUE: in certain cases a sandboxed process could obtain a handle on an unsandboxed thread with write privileges [#1714](https://github.com/sandboxie-plus/Sandboxie/issues/1714)
|
- FIXED SECURITY ISSUE ID-19: in certain cases a sandboxed process could obtain a handle on an unsandboxed thread with write privileges [#1714](https://github.com/sandboxie-plus/Sandboxie/issues/1714)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
## [1.0.13 / 5.55.13] - 2022-03-08
|
## [1.0.13 / 5.55.13] - 2022-03-08
|
||||||
|
|
||||||
### Fixed
|
### Fixed
|
||||||
- FIXED SECURITY ISSUE: Hard link creation was not properly filtered (thanks Diversenok)
|
- FIXED SECURITY ISSUE ID-17: Hard link creation was not properly filtered (thanks Diversenok)
|
||||||
- fixed issue with checking the certificate entry.
|
- fixed issue with checking the certificate entry.
|
||||||
|
|
||||||
|
|
||||||
|
@ -502,7 +502,7 @@ This project adheres to [Semantic Versioning](http://semver.org/).
|
||||||
|
|
||||||
### Fixed
|
### Fixed
|
||||||
- fixed BreakoutProcess not working with "EnableObjectFiltering=y"
|
- fixed BreakoutProcess not working with "EnableObjectFiltering=y"
|
||||||
- FIXED SECURITY ISSUE: when starting *COMSRV* unboxed, the returned process handle had full access
|
- FIXED SECURITY ISSUE ID-16: when starting *COMSRV* unboxed, the returned process handle had full access
|
||||||
- fixed issue with progress dialog [#1562](https://github.com/sandboxie-plus/Sandboxie/issues/1562)
|
- fixed issue with progress dialog [#1562](https://github.com/sandboxie-plus/Sandboxie/issues/1562)
|
||||||
- fixed issue with handling directory junctions in Sandboxie [#1396](https://github.com/sandboxie-plus/Sandboxie/issues/1396)
|
- fixed issue with handling directory junctions in Sandboxie [#1396](https://github.com/sandboxie-plus/Sandboxie/issues/1396)
|
||||||
- fixed a handle leak in File_NtCloseImpl
|
- fixed a handle leak in File_NtCloseImpl
|
||||||
|
@ -1389,7 +1389,7 @@ Fixed issue with Windows 7
|
||||||
### Fixed
|
### Fixed
|
||||||
- fixed issues with some installers introduced in 5.48.0 [#595](https://github.com/sandboxie-plus/Sandboxie/issues/595)
|
- fixed issues with some installers introduced in 5.48.0 [#595](https://github.com/sandboxie-plus/Sandboxie/issues/595)
|
||||||
- fixed "add user to sandbox" in the Plus UI [#597](https://github.com/sandboxie-plus/Sandboxie/issues/597)
|
- fixed "add user to sandbox" in the Plus UI [#597](https://github.com/sandboxie-plus/Sandboxie/issues/597)
|
||||||
- FIXED SECURITY ISSUE: the HostInjectDll mechanism allowed for local privilege escalation (thanks hg421)
|
- FIXED SECURITY ISSUE ID-15: the HostInjectDll mechanism allowed for local privilege escalation (thanks hg421)
|
||||||
- Classic UI no longer allows to create a sandbox with an invalid or reserved device name [#649](https://github.com/sandboxie-plus/Sandboxie/issues/649)
|
- Classic UI no longer allows to create a sandbox with an invalid or reserved device name [#649](https://github.com/sandboxie-plus/Sandboxie/issues/649)
|
||||||
|
|
||||||
|
|
||||||
|
@ -1437,15 +1437,15 @@ Fixed issue with Windows 7
|
||||||
- the LogApi dll is now using Sbie's tracing facility to log events instead of its own pipe server
|
- the LogApi dll is now using Sbie's tracing facility to log events instead of its own pipe server
|
||||||
|
|
||||||
### Fixed
|
### Fixed
|
||||||
- FIXED SECURITY ISSUE: elevated sandboxed processes could access volumes/disks for reading (thanks hg421)
|
- FIXED SECURITY ISSUE ID-11: elevated sandboxed processes could access volumes/disks for reading (thanks hg421)
|
||||||
-- this protection option can be disabled by using "AllowRawDiskRead=y"
|
-- this protection option can be disabled by using "AllowRawDiskRead=y"
|
||||||
- fixed crash issue around SetCurrentProcessExplicitAppUserModelID observed with GoogleUpdate.exe
|
- fixed crash issue around SetCurrentProcessExplicitAppUserModelID observed with GoogleUpdate.exe
|
||||||
- fixed issue with Resource Monitor sort by timestamp
|
- fixed issue with Resource Monitor sort by timestamp
|
||||||
- fixed invalid Opera bookmarks path (by isaak654) [#542](https://github.com/sandboxie-plus/Sandboxie/pull/542)
|
- fixed invalid Opera bookmarks path (by isaak654) [#542](https://github.com/sandboxie-plus/Sandboxie/pull/542)
|
||||||
- FIXED SECURITY ISSUE: a race condition in the driver allowed to obtain an elevated rights handle to a process (thanks typpos) [#549](https://github.com/sandboxie-plus/Sandboxie/pull/549)
|
- FIXED SECURITY ISSUE ID-12: a race condition in the driver allowed to obtain an elevated rights handle to a process (thanks typpos) [#549](https://github.com/sandboxie-plus/Sandboxie/pull/549)
|
||||||
- FIXED SECURITY ISSUE: "\RPC Control\samss lpc" is now filtered by the driver (thanks hg421) [#553](https://github.com/sandboxie-plus/Sandboxie/issues/553)
|
- FIXED SECURITY ISSUE ID-13: "\RPC Control\samss lpc" is now filtered by the driver (thanks hg421) [#553](https://github.com/sandboxie-plus/Sandboxie/issues/553)
|
||||||
-- this allowed elevated processes to change passwords, delete users and alike; to disable filtering use "OpenSamEndpoint=y"
|
-- this allowed elevated processes to change passwords, delete users and alike; to disable filtering use "OpenSamEndpoint=y"
|
||||||
- FIXED SECURITY ISSUE: "\Device\DeviceApi\CMApi" is now filtered by the driver (thanks hg421) [#552](https://github.com/sandboxie-plus/Sandboxie/issues/552)
|
- FIXED SECURITY ISSUE ID-14: "\Device\DeviceApi\CMApi" is now filtered by the driver (thanks hg421) [#552](https://github.com/sandboxie-plus/Sandboxie/issues/552)
|
||||||
-- this allowed elevated processes to change hardware configuration; to disable filtering use "OpenDevCMApi=y"
|
-- this allowed elevated processes to change hardware configuration; to disable filtering use "OpenDevCMApi=y"
|
||||||
|
|
||||||
|
|
||||||
|
@ -1565,7 +1565,7 @@ Fixed issue with Windows 7
|
||||||
- refactored some IPC code in the driver
|
- refactored some IPC code in the driver
|
||||||
|
|
||||||
### Fixed
|
### Fixed
|
||||||
- FIXED SECURITY ISSUE: the registry isolation could be bypassed, present since Windows 10 Creators Update
|
- FIXED SECURITY ISSUE ID-10: the registry isolation could be bypassed, present since Windows 10 Creators Update
|
||||||
- fixed creation time not always being properly updated in the SandMan UI
|
- fixed creation time not always being properly updated in the SandMan UI
|
||||||
|
|
||||||
|
|
||||||
|
@ -1596,7 +1596,7 @@ Fixed issue with Windows 7
|
||||||
### Fixed
|
### Fixed
|
||||||
- fixed a crash issue in SbieSvc.exe introduced with the last build
|
- fixed a crash issue in SbieSvc.exe introduced with the last build
|
||||||
- fixed issue with SandMan UI update check
|
- fixed issue with SandMan UI update check
|
||||||
- FIXED SECURITY ISSUE: a Sandboxed process could start sandboxed as system even with DropAdminRights in place
|
- FIXED SECURITY ISSUE ID-9: a Sandboxed process could start sandboxed as system even with DropAdminRights in place
|
||||||
|
|
||||||
### Removed
|
### Removed
|
||||||
- removed "ProtectRpcSs=y" due to incompatibility with new isolation defaults
|
- removed "ProtectRpcSs=y" due to incompatibility with new isolation defaults
|
||||||
|
@ -1606,12 +1606,12 @@ Fixed issue with Windows 7
|
||||||
## [0.5.4 / 5.46.0] - 2021-01-06
|
## [0.5.4 / 5.46.0] - 2021-01-06
|
||||||
|
|
||||||
### Added
|
### Added
|
||||||
- FIXED SECURITY ISSUE: Sandboxie now strips particularly problematic privileges from sandboxed system tokens
|
- FIXED SECURITY ISSUE ID-4: Sandboxie now strips particularly problematic privileges from sandboxed system tokens
|
||||||
-- with those a process could attempt to bypass the sandbox isolation (thanks Diversenok)
|
-- with those a process could attempt to bypass the sandbox isolation (thanks Diversenok)
|
||||||
-- old legacy behaviour can be enabled with "StripSystemPrivileges=n" (absolutely NOT Recommended)
|
-- old legacy behaviour can be enabled with "StripSystemPrivileges=n" (absolutely NOT Recommended)
|
||||||
- added new isolation options "ClosePrintSpooler=y" and "OpenSmartCard=n"
|
- added new isolation options "ClosePrintSpooler=y" and "OpenSmartCard=n"
|
||||||
-- those resources are open by default, but for a hardened box it is desired to close them
|
-- those resources are open by default, but for a hardened box it is desired to close them
|
||||||
- FIXED SECURITY ISSUE: added print spooler filter to prevent printers from being set up outside the sandbox
|
- FIXED SECURITY ISSUE ID-5: added print spooler filter to prevent printers from being set up outside the sandbox
|
||||||
-- the filter can be disabled with "OpenPrintSpooler=y"
|
-- the filter can be disabled with "OpenPrintSpooler=y"
|
||||||
- added overwrite prompt when recovering an already existing file
|
- added overwrite prompt when recovering an already existing file
|
||||||
- added "StartProgram=", "StartService=" and "AutoExec=" options to the SandMan UI
|
- added "StartProgram=", "StartService=" and "AutoExec=" options to the SandMan UI
|
||||||
|
@ -1627,10 +1627,10 @@ Fixed issue with Windows 7
|
||||||
- improved Resource Monitor status strings
|
- improved Resource Monitor status strings
|
||||||
|
|
||||||
### Fixed
|
### Fixed
|
||||||
- FIXED SECURITY ISSUE: processes could spawn processes outside the sandbox (thanks Diversenok)
|
- FIXED SECURITY ISSUE ID-6: processes could spawn processes outside the sandbox (thanks Diversenok)
|
||||||
- FIXED SECURITY ISSUE: bug in the dynamic IPC port handling allowed to bypass IPC isolation
|
- FIXED SECURITY ISSUE ID-7: bug in the dynamic IPC port handling allowed to bypass IPC isolation
|
||||||
- fixed issue with IPC tracing
|
- fixed issue with IPC tracing
|
||||||
- FIXED SECURITY ISSUE: CVE-2019-13502 "\RPC Control\LSARPC_ENDPOINT" is now filtered by the driver (thanks Diversenok)
|
- FIXED SECURITY ISSUE ID-8: CVE-2019-13502 "\RPC Control\LSARPC_ENDPOINT" is now filtered by the driver (thanks Diversenok)
|
||||||
-- this allowed some system options to be changed, to disable filtering use "OpenLsaEndpoint=y"
|
-- this allowed some system options to be changed, to disable filtering use "OpenLsaEndpoint=y"
|
||||||
- fixed hooking issues SBIE2303 with Chrome, Edge and possibly others [#68](https://github.com/sandboxie-plus/Sandboxie/issues/68) [#166](https://github.com/sandboxie-plus/Sandboxie/issues/166)
|
- fixed hooking issues SBIE2303 with Chrome, Edge and possibly others [#68](https://github.com/sandboxie-plus/Sandboxie/issues/68) [#166](https://github.com/sandboxie-plus/Sandboxie/issues/166)
|
||||||
- fixed failed check for running processes when performing snapshot operations
|
- fixed failed check for running processes when performing snapshot operations
|
||||||
|
@ -1997,9 +1997,9 @@ Fixed issue with Windows 7
|
||||||
|
|
||||||
### Fixed
|
### Fixed
|
||||||
- added missing PreferExternalManifest initialization to portable mode
|
- added missing PreferExternalManifest initialization to portable mode
|
||||||
- FIXED SECURITY ISSUE: fixed permission issues with sandboxed system processes
|
- FIXED SECURITY ISSUE ID-2: fixed permission issues with sandboxed system processes
|
||||||
-- Note: you can use "ExposeBoxedSystem=y" for the old behaviour (debug option)
|
-- Note: you can use "ExposeBoxedSystem=y" for the old behaviour (debug option)
|
||||||
- FIXED SECURITY ISSUE: fixed missing SCM access check for sandboxed services (thanks Diversenok)
|
- FIXED SECURITY ISSUE ID-3: fixed missing SCM access check for sandboxed services (thanks Diversenok)
|
||||||
-- Note: to disable the access check use "UnrestrictedSCM=y" (debug option)
|
-- Note: to disable the access check use "UnrestrictedSCM=y" (debug option)
|
||||||
- fixed missing initialization in service server that caused sandboxed programs to crash when querying service status
|
- fixed missing initialization in service server that caused sandboxed programs to crash when querying service status
|
||||||
- fixed many bugs that caused the SbieDrv.sys to BSOD when running with Driver Verifier enabled [#57](https://github.com/sandboxie-plus/Sandboxie/issues/57)
|
- fixed many bugs that caused the SbieDrv.sys to BSOD when running with Driver Verifier enabled [#57](https://github.com/sandboxie-plus/Sandboxie/issues/57)
|
||||||
|
@ -2058,7 +2058,7 @@ Fixed issue with Windows 7
|
||||||
- Sbie driver now first checks the home path for the configuration file Sandboxie.ini before checking SystemRoot
|
- Sbie driver now first checks the home path for the configuration file Sandboxie.ini before checking SystemRoot
|
||||||
|
|
||||||
### Fixed
|
### Fixed
|
||||||
- FIXED SECURITY ISSUE: sandboxed processes could obtain a write handle on non sandboxed processes (thanks Diversenok)
|
- FIXED SECURITY ISSUE ID-1: sandboxed processes could obtain a write handle on non sandboxed processes (thanks Diversenok)
|
||||||
-- this allowed to inject code in non sandboxed processes
|
-- this allowed to inject code in non sandboxed processes
|
||||||
- fixed issue boxed services not starting when the path contained a space
|
- fixed issue boxed services not starting when the path contained a space
|
||||||
- NtQueryInformationProcess now returns the proper sandboxed path for sandboxed processes
|
- NtQueryInformationProcess now returns the proper sandboxed path for sandboxed processes
|
||||||
|
|
Loading…
Reference in New Issue