Microsoft has today offered some details about its next level of browser security for the Windows 10 Creators Update. The company says Microsoft Edge Sandbox will receive significant enhancements to protect the web browser. Specifically, Microsoft wants to reduce the number of Remote Code Execution (RCE) breaches.
In its Windows Blog post, the company says it has already done plenty to shore up Microsoft Edge Sandbox against RCE. For example, the team uses technology like Code Integrity Guard (CIG) and Arbitrary Code Guard (ACG) to stifle attackers using RCE techniques.
Protecting Edge users from vulnerabilities is hugely important to Microsoft. However, attackers can still achieve RCE despite the recent improvements.
In an RCE breach, an attacker escapes the confines of web code and runs their own code inside the browser. With that ability, the attacker can break the rules the browser enforces and potentially reach the wider system. Microsoft Edge Sandbox will be better equipped to stop RCE when the Windows 10 Creators Update arrives on April 11.
Sandboxing within a browser is not new or uncommon. All vendors do it as a way to protect the wider PC from infection or attack. For example, last year we reported on Microsoft sandboxing elements of Flash, separating its processes to protect the browser/machine.
With the introduction of Microsoft Edge, the company has a browser that runs entirely within app container sandboxes at all times.
Improving Microsoft Edge Sandbox
Microsoft says it is important to reduce the amount of code an attacker can reach, because code that cannot be reached cannot be exploited. This is also known as reducing the attack surface and has become central to Microsoft's security work on Edge. With the Windows 10 Creators Update, the company will "significantly" reduce the attack surface of the sandbox.
The app container (AC) uses a deny-by-default model: access to any object is refused unless the object's security descriptor carries an allow access control entry (ACE) for the app container. Only an object with such an allow ACE is reachable from inside the container.
The Edge app container is stricter still: it does not grant access to a resource merely because the descriptor has an allow ACE for a generic security identifier. Instead, the AC must hold a matching capability identifier, or be the named AppID in the object's security descriptor.
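To make the difference between the two access-check policies concrete, here is a small simulator of a deny-by-default DACL walk. It is an added illustration, not Microsoft's code and not how the Windows kernel implements AppContainer checks; the SID strings, the capability names and the interpretation of "just a security identifier" as a broad package SID shared by all app containers are all assumptions made for the example. The generic policy honours an allow ACE for that shared SID; the Edge-style strict policy accepts only a capability the token actually holds or the container's own named app SID.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Constructed, illustrative SID labels (real Windows SIDs are "S-1-..." strings).
# This is the broad package SID assumed to be shared by every app container.
ALL_APPLICATION_PACKAGES = "SID:ALL_APPLICATION_PACKAGES"


@dataclass(frozen=True)
class Ace:
    kind: str               # "allow" or "deny"
    sid: str                # trustee: named app SID, capability SID, or broad package SID
    rights: FrozenSet[str]  # rights the ACE grants or denies, e.g. {"read", "write"}


@dataclass(frozen=True)
class AppContainerToken:
    app_sid: str                                # the container's own named AppContainer SID
    capabilities: FrozenSet[str] = frozenset()  # capability SIDs the container holds


def effective_sids(token: AppContainerToken, strict: bool) -> FrozenSet[str]:
    """SIDs an ACE may match for this token.

    Generic policy: the broad shared package SID also counts, so any object
    ACL'd to it is reachable from every app container.
    Strict (Edge-style) policy: only a capability the token holds, or the
    container's own named app SID, counts.
    """
    sids = {token.app_sid, *token.capabilities}
    if not strict:
        sids.add(ALL_APPLICATION_PACKAGES)
    return frozenset(sids)


def access_check(dacl: List[Ace], token: AppContainerToken,
                 requested: FrozenSet[str], strict: bool) -> bool:
    """Deny-by-default DACL walk: a matching deny ACE wins outright, matching
    allow ACEs accumulate rights, and access is granted only once every
    requested right has been accumulated. ACE order matters, as in a real DACL."""
    if not requested:
        return False
    sids = effective_sids(token, strict)
    granted: set = set()
    for ace in dacl:
        if ace.sid not in sids:
            continue  # ACE names a trustee this token does not carry
        if ace.kind == "deny" and ace.rights & requested:
            return False
        if ace.kind == "allow":
            granted |= ace.rights
            if requested <= granted:
                return True
    return requested <= granted


def demo() -> Dict[str, Tuple[bool, bool]]:
    """Run the same objects through both policies; returns (generic, strict) per object."""
    edge = AppContainerToken(app_sid="SID:APP_EDGE",
                             capabilities=frozenset({"CAP:internetClient"}))
    read = frozenset({"read"})
    objects = {
        # ACL'd only to the broad shared package SID: generic policy opens it to every AC.
        "shared_sid_only": [Ace("allow", ALL_APPLICATION_PACKAGES, read)],
        # ACL'd to a capability the Edge container holds.
        "held_capability": [Ace("allow", "CAP:internetClient", read)],
        # ACL'd to a capability the Edge container does not hold.
        "missing_capability": [Ace("allow", "CAP:documentsLibrary", read)],
        # Explicitly names the Edge container's own app SID.
        "named_app_sid": [Ace("allow", "SID:APP_EDGE", read)],
        # A deny ACE ahead of an allow ACE for the same trustee wins.
        "deny_first": [Ace("deny", "SID:APP_EDGE", read), Ace("allow", "SID:APP_EDGE", read)],
    }
    return {name: (access_check(dacl, edge, read, strict=False),
                   access_check(dacl, edge, read, strict=True))
            for name, dacl in objects.items()}


if __name__ == "__main__":
    for name, (generic, strict) in demo().items():
        print(f"{name:20s} generic={generic!s:5s} strict={strict}")
```

The only object whose result differs between the two policies is the one reachable solely through the shared package SID, which is exactly the class of resource the stricter Edge policy is meant to cut off; everything else is governed by the same deny-by-default walk in both cases.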
In the post, the company expands on the Microsoft Edge Sandbox improvements and details how Edge now handles brokers. The company also points out that the changes made for the Creators Update will have a profound impact. The following reductions in the sandbox's attack surface are substantial:
- 100% reduction in access to mutexes: a mutex lets a process lock up a resource, which can cause hangs.
- 90% reduction in access to WinRT and DCOM APIs: this is the large win here, dramatically reducing Microsoft Edge’s attack surface against the WinRT API set.
- 70% reduction in access to events and symlinks: symlinks are especially interesting, because they are often used in creative bait-and-switch attacks to escape sandboxes.
- 40% reduction in access to devices: Windows supports many device drivers, and their quality is somewhat beyond Microsoft’s control. The tuned sandbox cuts off access to any device that Microsoft Edge does not explicitly need, preventing attackers from using vulnerabilities in device drivers to escape, or from abusing the devices.