Microsoft has released the public preview of its Win32 app isolation feature, a new security measure designed to sandbox 32-bit desktop applications. The feature was unveiled during Microsoft's Build 2023 conference and aims to enhance security by mitigating potential harm caused by compromised applications and protecting user privacy. It is available for Windows 11 Build 22621.1825 and beyond, which are currently available in the Windows Insider Preview Channels.
AppContainers for Sandbox-like Isolation of Apps
Win32 App Isolation uses AppContainer to ensure that apps run with low privilege, implementing the principle of least privilege to prevent unauthorized access to user information without consent. The feature is an addition to the existing Windows sandbox options, such as Windows Sandbox and Microsoft Defender Application Guard. However, unlike these options, which are based on virtualization-based security, Win32 app isolation is built on the foundation of AppContainers.
David Weston, Microsoft's Vice President for Enterprise & OS Security, explained that the Win32 application is launched as a low integrity process using AppContainer, which is recognized as a security boundary by Microsoft. Consequently, the process is limited to a specific set of Windows APIs by default and is unable to inject code into any process operating at a higher integrity level. If an app vulnerability is exploited, the AppContainer execution environment ensures that the Win32 app remains restricted to the resources granted within its confines.
Move Against the Rise of Zero-Day Attacks
Win32 App Isolation is a response to the rise of zero-day attacks in recent years, many of which now target popular desktop applications. It aims to force Win32—desktop—apps to not run with the same security privileges as the user. So apps that use Win32 app isolation run at a lower privilege level, limiting the amount of damage they can do if compromised.
Developers can update their Win32 apps by implementing isolation measures using tools provided by Microsoft. This allows them to enhance the overall security of their software and the devices it will run on by ensuring that it doesn't add to the system's attack surface. For comprehensive guidance and further details on Win32 app isolation, developers can visit the GitHub page provided by Microsoft.
