Under the hood of Windows 8

Discussion in 'other software & services' started by funkydude, Oct 28, 2012.

Thread Status:
Not open for further replies.
  1. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,856
    This is a very long (but worthwhile) read for anyone interested in the performance and security benefits on Windows 8:

    http://arstechnica.com/information-...er-on-the-inside-under-the-hood-of-windows-8/

    A few security highlights:
    The (bad?) news (for some) is that this pretty much proves that IE10's sandbox is a lot better than Chrome's. The really good news however:

    It would literally be awesome if/when Chrome/Firefox/Adobe Reader, etc start implementing this. It will mean sandboxing is no longer a consideration in choosing which browser/software you use, and the user can focus on selecting said software over other features. So the user will be free to choose their favourite PDF reader, browser, etc.

    HEASLR:
    Improved DEP:
    Proactive defense:
    I've skipped the performance benefits, but they are available for reading at the source.
     
  2. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    That's the problem, right there. Other companies/individual developers, such as Oracle, need to make their plugins work with the AppContainer mandatory label.

    But, considering that ever since Windows Vista came out, Sun/Oracle never really cared about making Java plugin properly work in a Low mandatory label, what would make you think they would start doing it now, just because there's something called Windows 8?

    I could see it working if they were forced to use AppContainer; something that isn't the reality.
    Even Adobe Flash Player that Microsoft bundles with IE10/Windows 8 doesn't work within the AppContainer mandatory label, which means Windows 8/IE10 users won't benefit from it, at all... if they use Flash Player, which I believe millions do.

    So, at the moment, Google Chrome's sandbox is stronger than IE10's EPM, and simply because, unless millions of people do not use Flash (which is something I doubt happens), then they will need to disable* EPM, and the only thing they will have left is Protected Mode, which is way inferior to Chrome's sandbox.

    But, I agree it would be great if they all made their plugins work in AppContainer.

    -edit-

    They actually won't need to disable it, as I believe it comes disabled by default in the Desktop Mode.
     
    Last edited: Oct 29, 2012
  3. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,856
    If every browser starts supporting it, there will be a LOT more pressure on vendors to support it. Obviously not straight away, but definitely in the immediate future. How many websites bothered to start using HTML5 features until IE9 was out? Not many.

    Complete nonsense, I don't know where you got this from. It works fine in EPM.

    That's entirely incorrect. What you're trying to say is Chrome's sandbox "is more viable", it is in no way stronger. When you consider that the most popular plugin is flash (and probably the only plugin that most Wilders members use), EPM is entirely viable.

    Yeah, but it won't be long until the Windows 8 "tips" sites start suggesting turning it on, until educated users start turning it on for friends and family, until the new IE10 exploits that are published come with a "we recommend turning on EPM to prevent this exploit", etc, etc.
     
  4. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    For them to feel the pressure, the vast majority of Windows XP/Vista/7 users will need to move on to Windows 8, so that Windows 8 becomes more used than any of the previous versions. Maybe I'm wrong, but I highly doubt it will reach the "fame" Windows 7 reached. Just me thinking it out loud. Time will tell for sure.

    All the info I remember reading mentioned that Enhanced Protected Mode needs to be enabled when in IE10 Desktop Mode, and that not all add-ons/plugins are compatible. -https://blogs.msdn.com/b/ieinternals/archive/2012/03/23/understanding-ie10-enhanced-protected-mode-network-security-addons-cookies-metro-desktop.aspx?Redirected=true

    The article is from March, but I don't think this changed that much as of today. And, for us to see an actual change and benefit from it, these add-ons developers should feel the pressure to do it, and that won't happen unless Windows 8 becomes a success... but, most likely it will be a disaster like Windows Vista was.

    If no change was done to make them compatible with Protected Mode, why would they make it compatible with Enhanced Protected Mode? And, will most Windows 8 users be using the Metro version of IE10, which won't allow to run plugins, at all? I highly doubt it, and therefore I don't see much of a pressure on the developers side to develop AppContainer compatible plugins. I hope I'm wrong, though.

    Regarding Flash Player itself, I truly don't recall where I've read it... or if I even misinterpreted what I read, but could you provide a screenshot showing IE10 Desktop Mode with EPM enabled, running Adobe Flash Player in AppContainer? I can't run Windows 8 myself to see it.

    Stronger, more viable... There was an NSS Labs report quite some time ago, where they showed that IE9's Protected Mode wasn't as strong as Google Chrome's sandbox, and considering that recently Chrome's sandbox has been enhanced, among other things, to run under Untrusted mandatory label, it got stronger. (Let's not confuse it with unbreakable.)

    In my book, it makes it stronger.

    Also, I wasn't aware that WSF members are what matter in the WWW? Are you forgetting about millions of other users? According to the forum stats, WSF has 124,342 members. I wouldn't say that it makes EPM viable... but, that's me.

    It won't take longer until they ask them to remove it again, because websites are broken due to incompatible plugins with EPM.

    EPM was the only change to IE's sandbox, and without it, due to incompatible plugins, millions of users would be left with nothing but good old IE Protected Mode.

    I'm not against EPM. I'm in favor, of course, but I'd rather see them following Google's footsteps and make IE tabs/renderer processes run with Untrusted label as well. If EPM wouldn't work for their situation, they would still have a stronger Protected Mode.
     
    Last edited: Oct 29, 2012
  5. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,856
    Not really. Browser vendors will want to take advantage of the free sandboxing in Windows 8 so that they can boast about it. There won't be much boasting unless they bring the heat to plugin vendors.

    I suggest you re-read what I actually said.

    Start reading the numerous threads on Wilders about this, half the point of building it into IE10 was EPM support. How do you think they have flash running under Metro IE10? Yeah, it's been that way for months, since the Windows 8 Release Preview.

    What does IE9's sandbox have to do with AppContainer? Nothing. AppContainer is stronger than Untrusted.

    We're talking about security.... :ouch: Like I already said, standard users won't be turning this on unless told to do so. So talking about Wilders members is very relevant as Wilders members are actually interested in this sort of thing. Also last I checked, Flash is the most popular plugin in the world (EPM compatible) no other plugin even comes close to it.

    What websites? The billions that use Java? Ah, right, so many do! Browsing with EPM is perfectly possible, but you'd rather just dismiss it without even trying it right? When you encounter those rare websites that actually use a plugin that isn't flash, you'll get a simple notification asking you to reload the website. That website will then be placed on a blacklist to be loaded without EPM, and that's all done automatically. Installing a program is more complex... I have been browsing various sites since I installed the Release Preview back in August, nearly 3 months ago. How many sites require me to disable EPM? ONE! The Battlefield 3 Battlelog. Do I actually have to do anything? Nope. I simply browse to the site and it automatically loads outside of EPM, I don't need to disable EPM to do so. 0 hassle.

    I'm sorry? I didn't realize you were part of the Internet Explorer team to make such a bold claim. Please, bestow what other inside knowledge you have? There have been numerous blogs over the year, although not sandbox specific, explaining IE10's improved security outwith EPM.

    But on topic, with EPM, millions of users will be experiencing the most secure browser on a Windows machine to date.

    You clearly are against it which is hilarious as you've not even tried it. Again, AppContainer/EPM is stronger than Untrusted so why should they downgrade their security to Chrome's just so it can work on a minor amount of websites? The better course of action is pressuring the few plugin vendors and keeping the improved security, thanks.
     
  6. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    As I said, I hope I was wrong. But, did browser vendors take advantage of Windows Vista/7 free sandboxing? With the exception of Google, not really. How many years have passed? Again, I hope I'm wrong, and I do hope that it forces plugin developers to make them compatible with AppContainer.

    You said "Complete nonsense, I don't know where you got this from. It works fine in EPM." (Regarding Flash Player) Is that it? Or, do you have something else in mind?

    I thought the Metro version of IE10 was plug-in free, and that in order to use plugins, IE10 users would need to run them under Desktop Mode? So, how do they have it running under Metro IE10? This is something I actually read in Microsoft IE team blogs.

    Please, re-read what I actually said.

    Yes, indeed... standard users won't be turning this on unless told to do so... which represent the largest % of users worldwide. Therefore, Internet Explorer 10 EPM won't be any good for millions of users who will need to use their daily plugins... until the day comes that all plugins work in EPM.

    I'm already predicting a large % of computer shops technicians telling their clients not to use EPM, at all, due to plugins breaking if enabled. Much like they disabled UAC in previous versions without even telling their clients what UAC is, etc.

    And, somehow I highly doubt that a few hundreds on WSF users will be making wonders for the millions of users out there. It's simply the reality. You may change it to a few close family members and friends, but that's it. It hardly will hit millions of users. It just won't.

    It actually isn't about the % of websites that make use of ABC plugin. It's actually about the % of users that actually do need to use Java/other plugin in specific websites. Who cares about millions of websites that have no need for Java, if a few dozens/hundreds/whatever need their many other millions of users to have it?

    I never said browsing with EPM wasn't possible, nor am I dismissing it. I actually mentioned I can't try Windows 8. Blame Microsoft for that, as they removed support for the laptop's graphic card, something Windows 7 Aero accepted quite well. But, that's another talk.

    It's great to know it's all done automatically when a website loads an incompatible plugin. I just hope IE10's Protected Mode will suffice against an exploit for that plugin... but that's another talk.

    Interesting... I thought we were discussing about the sandbox (only the sandbox), and not any other security functionality? So, please do tell more about IE10 Protected Mode vs Enhanced Protected Mode.

    IE10 Protected Mode is the same as IE9's Protected Mode. Therefore, once EPM is out of the equation, the user will be left with Protected Mode, which unless someone shows me evidence that reveals the contrary, both IE9 and IE10 Protected Mode are the same.

    Quite funny for you to claim what others are against/in favor.
    Have I mentioned anywhere that AppContainer/EPM is weaker than Untrusted? lol I know very well it isn't.
    Where have I mentioned for them to downgrade EPM/AppContainer to Untrusted? LOL I actually mentioned for them to upgrade their LOW (Protected Mode, not Enhanced Protected Mode) to Untrusted. This is the difference.

    So, the best course of action is upgrading IE10's Protected Mode to support Untrusted label, rather than Low label... along side with EPM. Which is what I've mentioned, not to ditch EPM (which would be stupid, actually).
     
    Last edited: Oct 29, 2012
  7. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,856
    Yes.. the programs that needed it, did in fact make use of integrity levels. Only people that are obsessed with everything running on Low when it is entirely unnecessary think programs haven't. There is a difference between need and want.

    Your entire statement about flash player was complete nonsense. You made a guess based on something you read over a year ago (developer preview) and decided to apply it to today.

    Lol? Do you even know that IE10 has flash built in? Or are you just spewing out fiction hoping it to be fact? Please, don't bother trying to debate something you clearly have no clue about. You could have saved us both hassle and simply read about it.

    It was announced (in March?) that IE10 will have a more power efficient and touch optimized version of Flash built in. This will load in IE10 Metro for all sites that are included in the 'Compatibility View' list, including big sites like YouTube. This version of flash works in Windows 8 and Windows RT, will be automatically updated, and used on the desktop version of IE10 also. This plugin can be used in and out of EPM, whichever you choose.

    I did.... You brought up IE9's sandbox being weaker than Chrome's, wow, that relates to this topic so much. Riiiight? :blink:

    So you're dismissing a perfectly good protection mechanism because of some crazy idea that millions of users can't use it? Right.

    Please do us both a favour and actually read about how EPM functions. No one will be giving this "advice".

    I stated this... where? Please re-read what I actually said.

    ROFL what kind of logic is that? You do realize that a site needs to USE a specific plugin for the user to even get any form of message about a plugin being incompatible, right? No, you don't, because you have absolutely no clue how it works, despite my explaining it in my earlier post.

    Let me try and explain how it works to you. It doesn't matter if every single user in the world had Java installed, they could all use EPM. When they arrive at a website that actually USES Java, they will be given a notification to refresh the page without EPM. This is a 1-click process that's saved permanently to an IE-stored blacklist.

    Having Flash support EPM was very important because it is literally everywhere on the Internet. No other plugin in existence can make that claim. It is highly unlikely for the average user to come across more than 1 or 2 of the sites they browse that actually uses a plugin that isn't flash.

    So, let's recap. I can browse the Internet with EPM perfectly fine. I have Microsoft's version of Flash which works fine in EPM. I also have several other plugins installed: Microsoft Silverlight, Windows Media Player, Battlefield 3 plugins. I don't get any sort of warnings about these plugins, browsing just works. Now, if I happen to land on a website that actually uses these plugins, that's when I'll get a refresh notification. It's really as simple as that.

    Microsoft has nothing to do with "supporting your graphics card". I have a laptop from 2008 with an AMD card and even AMD published Windows 8 drivers for "legacy" cards.

    Again, please stop making blanket claims with no evidence.
     
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Appcontainer is obviously more finely grained and more powerful than Untrusted - read access being the difference since there's no write access in either case and I'm fairly certain Chrome's renderer doesn't have read or write. It's probably more powerful than Untrusted with the restricted Job tokens as well though not by any large amount - regardless it's a matter of defense in depth.

    I don't see what the argument is about - seems clear that AppContainer is stronger than Untrusted.

    It's worth noting that as far as I can see IE keeps tabs and the renderer processes in the same process - can anyone confirm this? I can't find documentation that's clear enough. The Chrome documentation makes it clear that they're separate processes, which is certainly an advantage but there's no clear 'winner' between the two sandboxes yet.

    Whether it's as viable or not is interesting but IE10 seems to have a really simple system - reload to disable it for that tab.

    And hasn't it already been shown that Chrome uses AppContainer on Windows 8? Thought someone used Process Explorer a while back to show this.
     
  9. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    You do realize that with Vista+ all processes make use of integrity levels? Anyway, so saying that Firefox, Opera, etc should have been running under a native sandbox (WMIC), since Vista came out, is an obsession? o_O I'm totally lost here. And yes, that's the difference - I'm talking oranges, you're talking potatoes.

    Actually, something I read in March (2012). But, I've been researching while discussing this, and yes it became compatible -http://www.webmonkey.com/2012/06/internet-explorer-10-metro-now-with-adobe-flash/

    I never came across that one article, nor any other article before. To be honest, considering that I can't run Windows 8, and therefore can't run IE10 never had much interest in knowing all the details, but wanted to keep in touch once in a while.

    For that, I'm humble and say I was wrong.

    Yes, it relates. How? Internet Explorer 10 still has Protected Mode, which is the default for IE10 Desktop Mode, and will default to it when a plugin isn't compatible for ABC website using it.

    And, yes it's still the same Protected Mode -http://technet.microsoft.com/en-us/library/jj128101.aspx

    Enhanced Protected Mode is a new feature in Internet Explorer 10. It extends Protected Mode, which was introduced in Internet Explorer 7 for Windows Vista. Protected Mode helps prevent attackers from installing software or modifying system settings by reducing some of the capabilities available to Internet Explorer. Enhanced Protected Mode extends this concept by further restricting capabilities for accessing personal information, and for accessing information on corporate intranets.

    Again, I'm not dismissing it. I'd rather see Microsoft enhance Protected Mode as well. That's all. Do you see something wrong with that? o_O

    I hope not.

    What's so funny about it? If you think about it, what importance does it have that 1000 (this is a theoretical number) websites run Flash, if only 10000 users visit those websites? On the other hand, there could very well exist just like 10 websites running Java, and yet 10,000,000 users accessing it. Get it?

    Isn't it logical? o_O

    Really? You do realize that to run Windows 8, you need a DirectX 9 graphics processor with WDDM driver? My laptop originally came with Windows XP, and Windows 7 supported XPDM. Windows 8 does not.

    -http://windows.microsoft.com/en-US/windows-8/upgrade-to-windows-8

    Intel didn't even provide support for Windows 7 (so one could use the eye candy Aero), for sure won't do it for Windows 8. lol

    Read one of the previous links, and you should be the one to stop making such claims. Also, don't you think that Microsoft would have mentioned a word about an enhanced Protected Mode, as well? ;)
     
  10. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,856
    I assume you're not talking about standard per-tab process isolation, in which case, I wouldn't know.

    It is in fact incredibly easy but unfortunately not good enough for Microsoft to turn it on by default.

    I don't know, but this is what I WANT to happen, for all browsers! It would make Firefox and Opera actually viable for me on Windows.
     
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    In IE as far as I can tell the tabs share a renderer process but I'm not sure. I doubt they each get their own - I just can't find anything for this.

    Even with Firefox and Opera adopting this their security wouldn't match Chrome/IE's. But I believe Chrome already does use Appcontainer.
     
  12. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    It was me, and it was on Windows 7, not Windows 8. :) Chromium renderer processes show as being AppContainer. But, according to something that user Kees1958 mentioned, this happens only if users have installed the AppLocker hotfix that fixed those intentional holes (If you still remember them.). I already had the hotfix installed, so I have no way to tell if it's related in any way, but I'll take his word for it.
     
  13. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,856
    Can you tell me why that would matter if they were all in AppContainer?

    In what way?
     
  14. JimboW

    JimboW Registered Member

    Joined:
    Oct 22, 2010
    Posts:
    209
    Wasn’t aware of the AppLocker hotfix until reading this post. I had Chrome’s processes showing as Untrusted. Installed the hotfix and they now show as AppContainer. So Kees1958 was dead on.:thumb:
     
  15. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    By the way, it isn't just Chrome's processes showing as AppContainer. There's also an svchost.exe process, related to the services Base Filtering Engine, Diagnostic Policy Service, Windows Firewall that also shows AppContainer. (In my system anyway. I'm hoping I'm not "special". :D)
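
Several posts above turn on which label a process shows in Process Explorer (Untrusted, Low, AppContainer). The PowerShell script below is an added example, not something posted in the thread: it reads the same information straight from each process token with documented Win32 calls. The `TokenLabel` class name and the default process name `iexplore` are assumptions for illustration.

```powershell
# Added example (not from the thread): print the mandatory integrity level and
# the AppContainer flag of every process with the given name.
param([string]$Name = 'iexplore')   # assumed default; pass e.g. -Name chrome

Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;

public static class TokenLabel {   // hypothetical helper class for this example
    const uint PROCESS_QUERY_LIMITED_INFORMATION = 0x1000;
    const uint TOKEN_QUERY = 0x0008;
    const int TokenIntegrityLevel = 25;   // TOKEN_INFORMATION_CLASS values
    const int TokenIsAppContainer = 29;   // only understood by Windows 8 and later

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll")]
    static extern bool CloseHandle(IntPtr handle);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass,
                                           IntPtr buffer, int length, out int needed);
    [DllImport("advapi32.dll")]
    static extern IntPtr GetSidSubAuthorityCount(IntPtr sid);
    [DllImport("advapi32.dll")]
    static extern IntPtr GetSidSubAuthority(IntPtr sid, uint index);

    // The label SID is S-1-16-<RID>; levels are ranges, not exact values.
    static string LevelName(int rid) {
        if (rid < 0x1000) return "Untrusted";
        if (rid < 0x2000) return "Low";
        if (rid < 0x3000) return "Medium";
        if (rid < 0x4000) return "High";
        return "System";
    }

    public static string Describe(int pid) {
        IntPtr process = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, false, pid);
        if (process == IntPtr.Zero)
            return "cannot open process (error " + Marshal.GetLastWin32Error() + ")";
        IntPtr token = IntPtr.Zero, buffer = IntPtr.Zero;
        try {
            if (!OpenProcessToken(process, TOKEN_QUERY, out token))
                return "cannot open token (error " + Marshal.GetLastWin32Error() + ")";
            int needed;
            // First call only reports the buffer size for TOKEN_MANDATORY_LABEL.
            GetTokenInformation(token, TokenIntegrityLevel, IntPtr.Zero, 0, out needed);
            buffer = Marshal.AllocHGlobal(Math.Max(needed, 4));
            if (!GetTokenInformation(token, TokenIntegrityLevel, buffer, needed, out needed))
                return "cannot read integrity level";
            IntPtr sid = Marshal.ReadIntPtr(buffer);            // Label.Sid
            byte count = Marshal.ReadByte(GetSidSubAuthorityCount(sid));
            int rid = Marshal.ReadInt32(GetSidSubAuthority(sid, (uint)(count - 1)));
            // Reuse the buffer for the 4-byte flag; the query fails before
            // Windows 8, which is reported here as "not AppContainer".
            Marshal.WriteInt32(buffer, 0);
            bool appContainer =
                GetTokenInformation(token, TokenIsAppContainer, buffer, 4, out needed)
                && Marshal.ReadInt32(buffer) != 0;
            return LevelName(rid) + " (RID 0x" + rid.ToString("X") + ")"
                 + (appContainer ? ", AppContainer token" : "");
        } finally {
            if (buffer != IntPtr.Zero) Marshal.FreeHGlobal(buffer);
            if (token != IntPtr.Zero) CloseHandle(token);
            CloseHandle(process);
        }
    }
}
'@

Get-Process -Name $Name -ErrorAction SilentlyContinue | ForEach-Object {
    [pscustomobject]@{
        Id    = $_.Id
        Name  = $_.ProcessName
        Label = [TokenLabel]::Describe($_.Id)
    }
} | Format-Table -AutoSize
```

An AppContainer process carries a Low integrity level as well, so it is the flag, not the level, that separates it from an ordinary Low process.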
     
  16. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    @Funkydude,
    Sure. More information would be compromised in a single attack. If I attack a renderer process in Chrome I get virtually nothing, all it needs is read access to fonts pretty much. If that process is combined with what tabs need then as an attacker I've gained more.

    If Appcontainer allows for each process to reach its lowest possible access then combining processes will combine the access.

    They would be "whole browser" sandboxes. Whereas Chrome has a renderer split into multiple processes and tabs in each separate process and extensions etc etc. Firefox and Opera only split all plugins into a separate process. You'd end up with a much looser sandbox that applies to the whole browser as opposed to individual sandboxes for the individual parts.

    In the Apparmor topic this becomes very clear. Users in there were experimenting to get least privilege as strong as possible, you can see that if you do a whole browser sandbox for Chrome you end up giving an attacker a lot of rights but if you split your apparmor profile between the Chrome sandbox and the Chrome tabs you wind up with a much stronger sandbox.

    edit: As far as I can tell Chrome on Windows 8 is not using Appcontainer.
     
    Last edited: Oct 31, 2012