by laurent123456 4406 days ago
But the point still holds. Let's say the script interpreter of MS Office (or gimp or sublime, etc.) needs access to the hard drive. The system, no matter how locked up, still needs to give full access to the hard drive, unless they want to break the app.

From there, the same exploits that were previously possible are possible again - they can, if they break out of whatever sandbox is in place, access everything. I guess the OS might work better for apps that don't need these rights to begin with, but then these apps usually aren't much of a problem in regular OSes anyway.

1 comment

The thing is, parts of the app might need access to the hard drive, but that doesn't mean the whole app needs it. For example, your email client as a whole needs hard drive access, but the email parser just needs a channel to receive the messages and return a data structure, so you can isolate it, and then if an email is sent that tries to explore some bug in the parser that achieved code execution, it still couldn't delete or read your files.

For example, see the Chromium architecture: http://www.chromium.org/developers/design-documents/multi-pr...
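A worked example of the privilege separation described in the reply above: the untrusted header parser runs in a forked child that only has a pipe in and a pipe out, and the child locks itself into Linux seccomp strict mode (read, write, exit and sigreturn are the only syscalls left) before it touches the message. A "compromised" mode makes the child behave like an exploited parser that tries to open a file on disk; the kernel answers with SIGKILL and the parent sees the sandbox violation instead of leaked data. This is added example code, not from the comment thread and not Chromium's code (Chromium's Linux sandbox uses seccomp-bpf filters rather than strict mode); the message, header names and `/etc/passwd` target are constructed for the demo, and it assumes a Linux host with seccomp enabled.

```c
/* Privilege-separated mail-header parsing behind a seccomp strict-mode sandbox.
 * Added example for this thread (Linux only); not code from the thread or from Chromium. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_RAW 65536

/* The only thing that crosses the trust boundary: a fixed-size result, no pointers. */
struct parsed_mail {
    char from[128];
    char subject[128];
    int n_headers;
};

/* Copy a header value, dropping leading whitespace and truncating to the field size. */
static void copy_value(char *dst, size_t cap, const char *src, size_t n)
{
    while (n > 0 && (*src == ' ' || *src == '\t')) { src++; n--; }
    if (n >= cap) n = cap - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
}

/* Pure parser: walks header lines up to the first blank line and returns the header
 * count. It uses no heap and no syscalls, so it can run after seccomp strict mode is on. */
int parse_headers(const char *raw, size_t len, struct parsed_mail *out)
{
    memset(out, 0, sizeof *out);
    size_t i = 0;
    while (i < len) {
        size_t start = i;
        while (i < len && raw[i] != '\n') i++;
        size_t end = i;                                 /* exclusive; at '\n' or len */
        if (end > start && raw[end - 1] == '\r') end--; /* tolerate CRLF */
        if (i < len) i++;                               /* step over '\n' */
        if (end == start) break;                        /* blank line ends the headers */
        const char *line = raw + start;
        size_t n = end - start;
        out->n_headers++;
        if (n > 5 && strncasecmp(line, "From:", 5) == 0)
            copy_value(out->from, sizeof out->from, line + 5, n - 5);
        else if (n > 8 && strncasecmp(line, "Subject:", 8) == 0)
            copy_value(out->subject, sizeof out->subject, line + 8, n - 8);
    }
    return out->n_headers;
}

/* Parse in a sandboxed child. Returns 0 when the child returned a result, 1 when the
 * sandbox killed the child (SIGKILL from seccomp), -1 on any other failure.
 * misbehave=1 makes the child act like an exploited parser that tries to open a file. */
int sandboxed_parse(const char *raw, size_t len, struct parsed_mail *out, int misbehave)
{
    int to_child[2], from_child[2];
    if (len > MAX_RAW || pipe(to_child) < 0 || pipe(from_child) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        static char buf[MAX_RAW];          /* static: no malloc (brk/mmap) inside the sandbox */
        static struct parsed_mail result;
        close(to_child[1]); close(from_child[0]);
        /* From here on only read, write, exit and sigreturn are permitted; anything else
         * (open, mmap, socket, unlink, ...) terminates the child with SIGKILL. */
        if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT) != 0) syscall(SYS_exit, 2);
        size_t got = 0; ssize_t r;
        while ((r = read(to_child[0], buf + got, sizeof buf - got)) > 0) got += (size_t)r;
        parse_headers(buf, got, &result);
        if (misbehave) {                   /* simulated post-exploitation: read user data */
            volatile int fd = open("/etc/passwd", O_RDONLY); /* never returns: SIGKILL */
            (void)fd;
        }
        (void)write(from_child[1], &result, sizeof result);
        syscall(SYS_exit, 0);              /* exit_group (used by _exit) is not allowed */
    }
    close(to_child[0]); close(from_child[1]);
    signal(SIGPIPE, SIG_IGN);              /* a dead child must not take the parent down */
    size_t sent = 0;
    while (sent < len) {
        ssize_t w = write(to_child[1], raw + sent, len - sent);
        if (w <= 0) break;
        sent += (size_t)w;
    }
    close(to_child[1]);
    size_t got = 0; ssize_t r;
    while (got < sizeof *out &&
           (r = read(from_child[0], (char *)out + got, sizeof *out - got)) > 0)
        got += (size_t)r;
    close(from_child[0]);
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGKILL) return 1;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0 && got == sizeof *out) return 0;
    return -1;
}

int main(void)
{
    /* Constructed sample message for the demo. */
    const char *msg = "From: Alice <alice@example.com>\r\nSubject: Invoice\r\n"
                      "X-Mailer: demo\r\n\r\nbody text\r\n";
    struct parsed_mail m;
    int rc = sandboxed_parse(msg, strlen(msg), &m, 0);
    printf("honest parser: rc=%d from=\"%s\" subject=\"%s\" headers=%d\n",
           rc, m.from, m.subject, m.n_headers);
    rc = sandboxed_parse(msg, strlen(msg), &m, 1);
    printf("exploited parser: rc=%d (%s)\n", rc, rc == 1 ? "killed by sandbox" : "escaped!");
    return 0;
}
```

The two gotchas worth knowing before copying this pattern: glibc's `_exit()` issues `exit_group`, which strict mode does not allow, so the child has to leave via a raw `exit` syscall, and anything that might allocate (including `printf`) must happen before `prctl` or not at all. A production design would use a seccomp-bpf allowlist (which is what Chromium does on Linux) together with namespaces and a chroot, so the parser can still do the few extra things it legitimately needs, such as `exit_group` and `mmap` for a growing buffer, while filesystem and network calls stay blocked.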