Earlier this week, we reported that Microsoft Edge browser was successfully hacked several times by the contestants in the latest Pwn2Own competition that was held last week. In fact, Edge was the most hacked web browser in that competition. The highlight of the competition was when 360 Security succeeded a full virtual machine escape through Microsoft Edge using a heap overflow.
One of the main goals of browser security is to protect Remote Code Execution (RCE). In RCE, hackers escape from web code (JS and HTML) in the browser to run native CPU code to take control of the system. If hackers succeed in RCE, they can violate several other security protections of the browser. All browser vendors including Microsoft uses sandboxing technique to isolate the browser attack from rest of the system. In the past, Microsoft offered this sandboxing mechanism through a feature called as Protected Mode in Internet Explorer.
With Microsoft Edge, every Internet page visited by users will be rendered inside an app container by default, the latest and most secure client-side app sandbox in Windows. Microsoft Edge uses several app containers. At first, there was a parent app container for the Manager, which created a small number of additional app containers to host content from the internet separate from intranet content. With the Windows 10 Anniversary Update, Microsoft moved Flash into its own, separate app container. Whenever a hacker attempts to attack one of the app containers to get access to user’s device or personal data stored on the device, they’ll need to first escape from the sandbox.
Microsoft recently blogged about the improvements they are making in Edge with the upcoming Creators Update of Windows 10 to strengthen the Edge sandbox. They are doing it by significantly reducing the attack surface of the sandbox by configuring the app container to further reduce its privilege. They have created a tuned sandbox for the Microsoft Edge content process, with a much tighter fit to the functional needs of the software than a normal app container provides. Apart from the content process, Edge team has also put several other broker processes into tuned, less privileged app containers, again with a custom-crafted container profile built from capabilities. With these improvements, Microsoft is claiming the following numbers regarding the sandbox attack surface.
- 100% reduction access to MUTEXes: allow a process to lock up a resource, causing hangs.
- 90% reduction in access to WinRT and DCOM APIs: this is the large win here, dramatically reducing Microsoft Edge’s attack surface against the WinRT API set.
- 70% reduction access to events and symlinks: symlinks are especially interesting, because they are often used in creative bait & switch attacks to escape sandboxes.
- 40% reduction in access to devices: Windows supports many device drivers, and their quality is somewhat beyond Microsoft’s control. The tuned sandbox cuts off access to any device that Microsoft Edge does not explicitly need, preventing attackers from using vulnerabilities in device drivers to escape, or from abusing the devices.
As you all know, reducing the attack surface does not mean a hacker cannot escape the sandbox, but Microsoft is trying to significantly reduce the opportunities for attack. We will know how these improvements impact real-world attacks in the coming months.