Intel 11 Gen and AMD 5900X compatybility Issue

The next release will rework the sys call hooking mechanism to be compatible with stack protection meaning also chromes when run sandboxed will have stack protection active and protecting.

 

Seems a potentially nasty bug discovered and a proper fix coming with new capability for the latest CPUs. Wonderful work!

 

I have no intention of hi-jacking your conversation with David but to clarify the answer to your above inquiry I'd like to add that a fix for a newfound flaw within primordial Sandboxie-code could not possibly force the OS to handle any programs that run outside a sandbox in a different way - also and in particular concerning the utilization of "CET/Stack Protection" or not.

Davids "reg-hack" on the other hand does. So once a future release of Sandboxie will be able to cope with "CET/Stack Protection" for programs run inside Sbie you will have to manually remove any number of "reg-hack"-entries from the registry again which you may have applied as an interim fix. Only then "CET/Stack Protection" will be enabled and applied "globally" again.

 

Ooh even better! That's good to know. I wasn't sure if the fix just contained the reg hack built in that would take place on installing the upcoming version with the fix, or if it worked some other kind of magic that resolved the issue.

 

You're not hijacking, you're contributing! Which is completely welcome!

Good to know re the reg hack and that it would need undoing to re-enable CET/Stack Protection. I got my 11th gen machine back today but have decided I will leave things be until the fix is released. I would need someone to both explain EXACTLY how to implement the hack in step by step instructions (lol), and the same to undo it again. I'm not confident with mucking about in the registry to be honest. I'll just keep using Edge and FF until then.

 

Well, Davids "reg-hack"-code needs to be copied to a textfile verbatim and stored with extention ".reg", say "chrome.reg". If properly configured and within an admin-account you would then only need to double-click that .reg-file and "regedit.exe" would directly import it after some security-question popping up if you really want to do that.

Having that said it certainly is a wise decision not to mess with the registry unless you know EXACTLY what you're doing there. For instance it would be stupid to delete the .reg-file after application as you need that exact path in there to re-identify that entry among "millions" of registry-statements later on in order to undo it again by deleting that very sub-key created by the import-process. And you better be damn sure to not accidentally mess around with some other crucial keys instead!

Should you be interested in exploring regedit or even experimenting with it you should always make a complete system-backup before - or at least one of the complete registry, which notabene is not that easy to do as the registry entries are not saved in a single file but rather in a so called "hive-structure" which can best be handled only by external registry-editing-tools for very experienced users and specialists.

 

please try the new build with the fix: https://github.com/sandboxie-plus/Sandboxie/releases/tag/0.9.2

 

Works as promised!

 

At first glance all seems well and the known issues straightened out. Quick recovery will now show the downloaded files in its window - until you redeem them by immediate recovery, that is.

As for the long-lasting, fundamental glitch in connection to "CET/Stack Protection" / "11th-gen-Intel"-machines things seem (almost) well again. I have removed the "reg-hacks" for Chrome and Opera again and in spite of thereby re-enabling "CET/Stack Protection" for both browsers - most recent Opera and Chrome - they will open again as they should. Browsing seems a bit slowed down but it is too early to make final conclusions here.

One thing though, when playing videos in Opera (like from CNN.com) I sometimes got some error messages of the notorious type like a reminder of the "11th-gen-Intel"-flaw-era.

Spoiler: SBIE2101

However the videos kept playing in spite of that. But I still think this has to do with "CET/Stack Protection"/"11th-gen" again as in the meantime with the "reg-hacks" applied such error-messages have been absent completely.

 

Am on a quick break at work so yet to test new build - will install when I get home. But just wanted to say that personally, I would rather have a few errors that can be closed and ignored if something still works fine, than have it so that stack protection is disabled universally like with the reg hack. Just me though. Thanks for the above instructions re the reg hack too. Did not get a chance to try it before the new build was released, but like you say - registry is best left alone unless one knows what they are doing!

 

Installed 0.9.2 on my 11th gen laptop and it works flawlessly! Awesome job David So I've tried Chrome, Brave and Vivaldi (latest stable versions of all) and all open quickly and all pages load as normal. Videos play with no issues. I haven't had any error messages pop up on my machine. I don't use Opera so can't comment on that one.

I'm using default/out-of-the-box settings for Sandboxie. Also I did not employ the reg hack - your fixed build came out before I had the opportunity!

 

Great to hear that everything seams to work fine,
from the get go I wasn't sure how easy it will be to fix and since I came across this registry setting quite early in my investigation I thought I'll share int in case the fix would take weeks. Now in retrospective it wasn't necessary.

That said I think that CET is from the many security mitigation's introduced in the last years, the only one that's really a major improvement, only second to the NX bit / XN flag. With stack protection ROP is no longer a viable exploit technique what makes the execution of code injected through some sort of memory corruption no longer possible. In a way it completes what was intended with the NX bit.

 

I'm glad it wasn't as much of a headache to overcome as you suspected it could be. You did well! *big pats of the back*

That's good to know about CET protection, and good your fix still enables it. Going to install this version on my other machines later if time permits. It feels very stable.

EDIT: Oh and you'll be pleased to know that Edge allowed me to download this version without warning it's an unsafe file and having to jump through hoops to get. FINALLY! Took enough reports to MS that this file is safe (I've filed about 15 so far).