A few days ago, it was revealed that Microsoft Edge was the most-hacked browser at the annual Pwn2Own event, and was successfully exploited at least five times. The company has now vowed to improve the security of its browser’s sandbox.
In a new blog post, Microsoft details how, despite its best efforts, attackers sometimes manage to run native code on the host PC through a Remote Code Execution (RCE) vulnerability in the browser. Once that happens, the sandbox around the compromised process is the next line of defense, and the company is strengthening the Edge sandbox in the Windows 10 Creators Update, which is reportedly coming next month.
Microsoft says that because Edge does not support ActiveX, it can run inside an app container sandbox at all times, isolating its content processes so that a successful exploit has less to work with. The company says that:
One of the most effective ways to eliminate vulnerabilities in complex applications is to minimize the amount of code that an attacker can try to find vulnerabilities in. This is often referred to as attack surface reduction and it is a key tactic in our overall security strategy. To this end, Microsoft Edge in the Creators Update of Windows 10 has significantly reduced the attack surface of the sandbox by configuring the app container to further reduce its privilege.
Because Microsoft considers web browsers to be among the most threatened pieces of software, the company has gone the extra mile and added layers of security, providing a “tuned sandbox” for the Microsoft Edge content process. It has also clarified that this tuned configuration is not how Universal Windows Platform (UWP) apps run by default, but since web browsers are arguably more exposed to attack, the extra effort is worth it.
The company also says that it is making sandbox escape vulnerabilities harder to exploit with several techniques that limit the content process’s access to “broker interfaces”: privileged code outside the sandbox that performs actions on the sandboxed process’s behalf according to a defined policy, and which an attacker who has taken over the content process would target in order to escape. Microsoft claims that its tightened sandbox for Edge has resulted in the following improvements:
- 100% reduction in access to MUTEXes, which allow a process to lock up a resource, causing hangs.
- 90% reduction in access to WinRT and DCOM APIs: this is the large win here, dramatically reducing Microsoft Edge’s attack surface against the WinRT API set.
- 70% reduction in access to events and symlinks: symlinks are especially interesting, because they are often used in creative bait & switch attacks to escape sandboxes.
- 40% reduction in access to devices: Windows supports many device drivers, and their quality is somewhat beyond Microsoft’s control. The tuned sandbox cuts off access to any device that Microsoft Edge does not explicitly need, preventing attackers from using vulnerabilities in device drivers to escape, or from abusing the devices.
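The container configuration described above (the tuned sandbox for the content process, and the privilege reductions Microsoft lists) can be checked on a running system by reading the content process’s token. The following PowerShell script is an added example, not code from the article or from Microsoft: it P/Invokes GetTokenInformation to report whether each process is an AppContainer, its integrity level, its package SID and its capability SIDs. The TOKEN_INFORMATION_CLASS constants are taken from winnt.h; the friendly names for integrity-level and capability SIDs are the documented well-known values; and MicrosoftEdgeCP.exe is assumed to be the EdgeHTML content-process image name. Run it from an ordinary (non-elevated) PowerShell session as the same user who is running Edge.

```powershell
# Added example (not from the article or from Microsoft): inspect the token of each
# Edge content process to see whether it runs in an AppContainer, at what integrity
# level, and with which capability SIDs.
$inspectorSource = @'
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Text;

public static class AppContainerInspector
{
    const uint PROCESS_QUERY_INFORMATION = 0x0400;
    const uint TOKEN_QUERY = 0x0008;
    // TOKEN_INFORMATION_CLASS values from winnt.h
    const int TokenIntegrityLevel = 25, TokenIsAppContainer = 29,
              TokenCapabilities = 30, TokenAppContainerSid = 31;

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int cls, IntPtr buf, int len, out int needed);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Well-known integrity-level and capability SIDs; anything not listed is printed raw.
    static readonly Dictionary<string, string> Names = new Dictionary<string, string> {
        { "S-1-16-0", "Untrusted" }, { "S-1-16-4096", "Low" }, { "S-1-16-8192", "Medium" },
        { "S-1-16-12288", "High" }, { "S-1-16-16384", "System" },
        { "S-1-15-3-1", "internetClient" }, { "S-1-15-3-2", "internetClientServer" },
        { "S-1-15-3-3", "privateNetworkClientServer" }, { "S-1-15-3-4", "picturesLibrary" },
        { "S-1-15-3-5", "videosLibrary" }, { "S-1-15-3-6", "musicLibrary" },
        { "S-1-15-3-7", "documentsLibrary" }, { "S-1-15-3-10", "removableStorage" }
    };
    static string Label(IntPtr psid) {
        string sid = new SecurityIdentifier(psid).Value, name;
        return Names.TryGetValue(sid, out name) ? sid + " (" + name + ")" : sid;
    }

    // Size the buffer with a first call, then fill it. Caller frees the buffer.
    static IntPtr Query(IntPtr token, int cls) {
        int needed;
        GetTokenInformation(token, cls, IntPtr.Zero, 0, out needed);
        IntPtr buf = Marshal.AllocHGlobal(needed);
        if (!GetTokenInformation(token, cls, buf, needed, out needed)) {
            Marshal.FreeHGlobal(buf);
            throw new Win32Exception(Marshal.GetLastWin32Error());
        }
        return buf;
    }

    public static string Describe(int pid) {
        IntPtr process = OpenProcess(PROCESS_QUERY_INFORMATION, false, pid);
        if (process == IntPtr.Zero) throw new Win32Exception(Marshal.GetLastWin32Error());
        IntPtr token;
        if (!OpenProcessToken(process, TOKEN_QUERY, out token)) {
            CloseHandle(process);
            throw new Win32Exception(Marshal.GetLastWin32Error());
        }
        var sb = new StringBuilder();
        try {
            IntPtr buf = Query(token, TokenIsAppContainer);   // DWORD, non-zero inside an AppContainer
            bool inContainer = Marshal.ReadInt32(buf) != 0;
            Marshal.FreeHGlobal(buf);
            sb.AppendLine("  AppContainer: " + inContainer);

            buf = Query(token, TokenIntegrityLevel);          // TOKEN_MANDATORY_LABEL, Label.Sid is first
            sb.AppendLine("  Integrity:    " + Label(Marshal.ReadIntPtr(buf)));
            Marshal.FreeHGlobal(buf);

            if (inContainer) {
                buf = Query(token, TokenAppContainerSid);     // TOKEN_APPCONTAINER_INFORMATION, PSID is first
                sb.AppendLine("  Package SID:  " + Label(Marshal.ReadIntPtr(buf)));
                Marshal.FreeHGlobal(buf);

                // TOKEN_GROUPS: DWORD GroupCount, then SID_AND_ATTRIBUTES[] (PSID + DWORD, pointer-aligned)
                buf = Query(token, TokenCapabilities);
                int count = Marshal.ReadInt32(buf), header = IntPtr.Size, entry = IntPtr.Size * 2;
                sb.AppendLine("  Capabilities: " + count);
                for (int i = 0; i < count; i++)
                    sb.AppendLine("    " + Label(Marshal.ReadIntPtr(buf, header + i * entry)));
                Marshal.FreeHGlobal(buf);
            }
        } finally {
            CloseHandle(token);
            CloseHandle(process);
        }
        return sb.ToString();
    }
}
'@

if (-not ('AppContainerInspector' -as [type])) { Add-Type -TypeDefinition $inspectorSource }

# Assumption: MicrosoftEdgeCP.exe is the EdgeHTML content-process image; change the name to inspect another app.
foreach ($p in Get-Process -Name MicrosoftEdgeCP -ErrorAction SilentlyContinue) {
    "$($p.ProcessName) (PID $($p.Id))"
    try { [AppContainerInspector]::Describe($p.Id) } catch { "  error: $($_.Exception.Message)" }
}
```

A content process in the tuned sandbox should report AppContainer: True, a Low integrity level (S-1-16-4096) and a short capability list; a long list of capabilities, or a Medium integrity level, means the process is not running with the reduced privilege Microsoft describes. Note that this shows what the token holds, not what each kernel object’s ACL grants it, so the mutex, event, symlink and device reductions in the list above are only indirectly visible here.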
That said, Microsoft has cautioned that while this does not completely eliminate the chance of an attacker escaping the Edge sandbox, it certainly reduces it. As the company puts it, “security is a process, not a destination”, so it will keep looking for ways to further improve the security of the Edge browser.