Upcoming Webinar
Cayosoft Shows How Forest Recovery Tech Addresses Survey Issues
Join this webinar and not only learn about what your peers are doing, but also learn about a new patent-pending modern approach to AD forest recovery from Cayosoft.
New episode!
The Scoop on Loop: The Latest Innovations Directly From Microsoft!
Darrell Webster speaks to Rebecca Keys, a Program Manager from the Microsoft Loop team.
Turn Data Protection into an MRR Growth Engine
Security for your customers, revenue for your MSP practice. Access key insights on how to scale your practice with SkyKick’s new eGuide.
MSP eGuide to Package, Sell and Deliver M365 Security Services
Based on input from our top-performing MSPs, SkyKick prepared the MSP Guide to help you navigate the security landscape.

Windows 10 Creators Update Delivers a More Secure Edge

windows hero 325x196 acf cropped

In today’s Ask the Admin, I will look at how Microsoft is providing a more secure browsing experience with Edge in the Windows 10 Creators Update.

Microsoft Edge took a bit of a bashing at last week’s annual Pwn2Own competition. It came out on top as the most hacked browser. Considering how Edge is positioned as more secure than Chrome and Firefox, this is something of an embarrassment for Microsoft. On day one of the contest, Tencent Security – Team Ether managed to break out of the Edge sandbox. They were using an arbitrary write-in within the browser’s JavaScript engine, Chakra. On day two, Tencent Security – Team Lance, with some help from Team Sniper, exploited a Use-After-Free (UAF) vulnerability in Chakra. This elevated privileges to SYSTEM using another UAF vulnerability in the Windows kernel.

On day three, 360 Security exploited a heap overflow in Edge. Doing so helped them escape from a VMware Workstation virtual machine (VM). This was the first time anyone has performed a full VM escape at the competition. Edge was targeted again by Richard Zhu. He used two separate UAF flaws to escalate to SYSTEM using a buffer overflow in the Windows kernel.

Considering these results, it may be tempting to think that Edge is not as secure as Microsoft would have us believe. It is important to remember that Mac OS X and Linux were also successfully hacked. Also, keep in mind that the zero-day flaws in Edge will be patched by Microsoft in the coming weeks. Other factors, such as whether the attacks were carried out as Protected Administrators or standard users, might also affect whether the zero-days can be successfully exploited. But in what seems like good timing, the forthcoming Windows 10 Creators update will bring improvements to Edge security.

Microsoft Edge Sandbox

Like all Universal Windows Platform (UWP) apps, Edge runs in a sandbox environment, providing isolation from the OS and other applications. Edge processes are isolated in seven different sandboxes or application containers.

Windows 10 Creators Update Delivers a More Secure Edge In today's Ask the Admin, I'll look at how Microsoft is providing a more secure browsing experience with Edge in the Windows 10 Creators Update. Microsoft Edge took a bit of a bashing at last week’s annual Pwn2Own competition, where it came out on top as the most hacked browser, something of an embarrassment for Microsoft, considering how Edge is positioned as more secure than Chrome and Firefox. On day one of the contest, Tencent Security – Team Ether managed to break out of the Edge sandbox using an arbitrary write in the browser’s JavaScript engine, Chakra. On day two, Tencent Security – Team Lance, with some help from Team Sniper, exploited a Use-After-Free (UAF) vulnerability in Chakra, and elevated privileges to SYSTEM using another UAF vulnerability in the Windows kernel. Finally, on day three, 360 Security exploited a heap overflow in Edge to help them escape from a VMware Workstation virtual machine (VM), the first time anyone has performed a full VM escape at the competition. Edge was targeted again by Richard Zhu, who used two separate UAF flaws to escalate to SYSTEM using a buffer overflow in the Windows kernel. Considering these results, it may be tempting to think that Edge is not as secure as Microsoft would have us believe, but it’s important to remember that Mac OS X and Linux were also successfully hacked, and that the zero-day flaws in Edge will be patched by Microsoft in the coming weeks. Other factors, such as whether the attacks were carried out as Protected Administrators or standard users, might also affect whether the zero days can be successfully exploited. But in what seems like good timing, the forthcoming Windows 10 Creators update will bring improvements to Edge security. Microsoft Edge Sandbox Like all Universal Windows Platform (UWP) apps, Edge runs in a sandboxed environment, providing isolation from the OS and other applications. Edge processes are isolated in seven different sandboxes, or application containers. Figure 1 The Edge app container is denied access to secured objects, unless the object has an ALLOW access control entry (ACE) for a Capability, AppID or AC SID; and the requesting app container has the object (Capability or AppID SID) SID in its security token. The AC (ALL APPLICATION PACKAGES) SID is a wild card that allows all app containers to access a resource. Most WinRT APIs can be accessed using the AC SID. Reducing the Attack Surface in the Creators Update In the Creators update, Microsoft has acknowledged that Edge needs a stronger sandbox than other UWP apps, so has modified it so that it’s completely isolated from Windows Runtime (WinRT) APIs, and all resources that sandboxed apps can otherwise access, by requiring that the Edge app container explicitly use a matching Capability or AppID SID. And the AC SID will no longer be enough to be granted access. But to make this security model work, Microsoft created specific Capabilities to provide Edge with just enough access to required functionality, considerably reducing the attack surface. And because it’s a common target, a tuned app container is also used to isolate Flash. The use of broker interfaces, which provide access to resources based on policy, has also been reduced. Brokers run outside the app container, so are vulnerable to attack. The content process app container removes many brokers, and those that remain are subject to exploit mitigation technologies, that should make brokers harder to exploit. The Chakra JIT code generator and Flash were moved out-of-process and placed in specially-tuned app containers, because they broke when Arbitrary Code Guard (ACG) mitigation that was applied to the content process. The work Microsoft has carried out makes it harder for attackers to break out of the Edge app container, with a 90% reduction in access to WinRT and DCOM APIs. Other benefits include: • A 100% reduction in access to MUTEXes, so that a process cannot cause a resource to hang. • A 70% reduction in access to events and symlinks. • A 40% reduction in access to device drivers. In this article, I explained how changes Microsoft has made to Edge in the Creators Update will improve security. — Microsoft Edge App Container (Image Credit: Microsoft)

The Edge app container is denied access to secured objects unless the object has an ALLOW access control entry (ACE) for a Capability, AppID, or AC SID. The requesting app container will have the object SID (Capability or AppID) in its security token. The AC SID (ALL APPLICATION PACKAGES) is a wild card that allows all app containers to access a resource. Most WinRT APIs can be accessed using the AC SID.

Reducing the Attack Surface in the Creators Update

In the Creators Update, Microsoft has acknowledged that Edge needs a stronger sandbox than other UWP apps. It has been modified so that it is completely isolated from Windows Runtime (WinRT) APIs. All resources that formerly held apps in a sandbox can now be granted access. This is done by requiring that the Edge app container explicitly use a matching Capability or AppID SID. And the AC SID will no longer be enough to grant access.

To make this security model work, Microsoft created specific Capabilities. This provided Edge with just enough access to achieve the required functionality, considerably reducing the attack surface. Due to it being a common target, a tuned app container is also used to isolate Flash.

The use of broker interfaces, which provide access to resources based on policy, has also been reduced. Brokers run outside the app container, which makes them vulnerable to attack. The content process app container removes many brokers. Those that remain are subject to exploit mitigation technologies. This should make brokers harder to exploit. The Chakra JIT code generator and Flash were moved out-of-process and placed in specially-tuned app containers. This occurred because they broke when Arbitrary Code Guard (ACG) mitigation was applied to the content process.

The work Microsoft has carried out makes it harder for attackers to break out of the Edge app container. There has been a 90 percent reduction in access to WinRT and DCOM APIs. Other benefits include:

A 100 percent reduction in access to MUTEXes — cannot cause a resource to hang
A 70 percent reduction in access to events and symlinks
A 40 percent reduction in access to device drivers

In this article, I explained how the changes Microsoft has made to Edge in the Creators Update will improve security.

by Russell Smith
Apr 3, 2017

Editorial Director at Petri IT Knowledgebase. Russell has more than 20 years' experience working in IT. From small business to large government IT infrastructure projects. Russell started his writing career for Windows IT Pro magazine in the early...

What is a Roaming User Profile on Windows?

Sep 1, 2023
Oct 24, 2023
Microsoft Releases June 2023 Patch Tuesday Updates

Jun 13, 2023
How to Add Microsoft Store Apps to Intune

May 5, 2023

Take our survey

PETRI NEWSLETTERS

Join Petri Insider

Create a free account today to participate in forum conversations, comment on posts and more.