Improved Windows Security? Microsoft launches Win32 app isolation

Martin Brinkmann
Jun 28, 2023
Windows 11 News

Microsoft launched a preview of a new security feature for Windows earlier this month that it calls Win32 app isolation. The feature uses containers, and Microsoft claims that it adds security protections to Windows that help limit the damage an attacker can do by exploiting a vulnerability in an application that uses Win32 app isolation.

In one sentence: Win32 App Isolation needs to be implemented by developers; it gives users more control over what an application can access and limits the capabilities of exploits.

Microsoft notes on the official Windows Developer blog that a main focus of Win32 app isolation is zero-day attacks.

Microsoft's Windows operating system has a number of tools and security features to prevent or limit malware attacks. These range from User Account Control, introduced in Windows Vista, to modern features such as Windows Sandbox and Microsoft Defender Application Guard.

Windows Sandbox, for instance, is an excellent tool for Windows 10 and 11 systems to run files in an isolated environment. Windows Sandbox supports configuration files, which allow administrators to customize the environment.

Win32 App Isolation


Microsoft wants Win32 App Isolation to become the default isolation standard on Windows clients. It works well together with other security features, such as Smart App Control, according to Microsoft. Smart App Control is limited to new Windows 11 systems, however.

Win32 applications, the classic programs for Windows, currently have access to all of the user's data when they run with user rights. Microsoft notes that this is a big risk, especially since users are neither informed about the access nor given a say in the matter.

The company writes: "Consequently, there is a risk of unauthorized access to the user’s privacy data by malicious actors without their knowledge or consent."

Microsoft lists three key objectives of Win32 App Isolation:

  • Make it significantly harder for attackers to cause damage on Windows systems.
  • Provide a seamless user experience for isolated apps.
  • Reduce developer effort to onboard apps.

When an application uses app isolation on Windows, it can no longer access a user's private data without permission. While it may still access some system files, such as .NET libraries or protected Registry keys, it needs to prompt the user when it wants to access images, documents, the location, the microphone or other files.

Microsoft is aware that malicious apps could trick users into granting access, and it has built preventive measures into the technology. Developers need to explicitly include support for prompting users for access to private data in their application. If they don't, the application cannot be exploited to ask users for that permission.

File access, furthermore, is limited to the specific files that the user selects. These do not necessarily require prompts, as selecting a file is automatically treated as granting permission to access that particular file.

Microsoft explains: "When the user grants consent to a specific file for the isolated application, the isolated application interfaces with Windows Brokering File System (BFS) and grants access to the files via a mini filter driver. BFS simply opens the file and serves as the interface between the isolated application and BFS".

Win32 App Isolation also supports a learn mode, which logs the additional capabilities an application requires but does not block the access, so developers can find out which capabilities to declare before enforcing isolation.

Closing Words

It is doubtful that Win32 App Isolation will get a lot of traction in the coming months or even years. The biggest hurdle is that developers need to implement it in their applications. While some may, especially those with a focus on privacy, security or important data, most will likely ignore the feature.

There is also the chance that Win32 App Isolation prompts will annoy users if they see too many requests for data access throughout their workday.

Last but not least, Win32 App Isolation will likely be exclusive to Windows 11 and future versions of Windows.

Taken together, there is a good chance that some Windows programs will implement Win32 App Isolation, but the vast majority will likely ignore the feature.

Now You: what is your take on the new feature?

Publisher: Ghacks Technology News
Comments

  1. owl said on June 29, 2023 at 3:40 am

    I’m an iPad user, so miscellaneous impressions based on Martin’s article:
    This is a security measure that allows the user to control the “Win32 app” in order to prevent unintended behavior by the user.
    A similar example is “Optional permissions for added functionality” when implementing browser extensions.
    https://support.mozilla.org/en-US/kb/permission-request-messages-firefox-extensions

    Well, users who prefer Google Chrome will not understand such a feature due to their lack of manual control skills and their technological blindness.

    1. boogle said on June 29, 2023 at 12:26 pm

      come on now, there are going to be lots of tech savvy people using chrome, no need for blanket insults.

  2. 11r20 said on June 29, 2023 at 12:03 am

    Question: What is the backstory on the Firefox extension ‘Priv8-Sandbox’.

    I’m curious as to why the addon ‘Priv8-Sandbox’ was Deprecated.

    Thanks in advance.

    1. owl said on June 29, 2023 at 3:08 am

      @11r20,
      > Question: I’m curious as to why the addon ‘Priv8-Sandbox’ was Deprecated.

      For the time being, I looked it up.
      Development support for this addon has been dead for 6 years.
      https://github.com/bakulf/priv8
      https://github.com/bakulf/priv8/issues
      Developer:
      https://github.com/bakulf

      The reason for the suspension (abandonment) is unknown.
      That’s why.

  3. Naj4 said on June 28, 2023 at 7:01 pm

    “regular user” barely blinks when you’re about to finish explaining what “sandboxing” is and just double-clicks on his new downloaded file as an answer. A pointless addition imo.

  4. bruh said on June 28, 2023 at 2:13 pm

    MS has abandoned the notion of trying to have a speedy, lean OS, so this kind of thing fits right in.

    But I don’t really understand it – at workspaces, you will already be using trusted/tested software. This is surely just for regular users, then? But at the same time, many regular users also won’t be interested in such a thing. So who is this for?

  5. John G. said on June 28, 2023 at 9:09 am

    > “Now You: what is your take on the new feature?”

    I would prefer an option to execute all Win32 apps in some kind of forced isolation.

    1. Martin Brinkmann said on June 28, 2023 at 10:08 am

      You may run select apps in Windows Sandbox.

      1. John G. said on June 28, 2023 at 11:21 am

        @Martin, thanks for the recommendation! :]
