Julien-Manici.com

Internet Explorer 10 gets a new sandbox : Enhanced Protected Mode

Written on 2012-03-04

UPDATE 2013-11-13:
Well, it didn't last long: Enhanced Protected Mode (EPM) was enabled by default in IE11 Desktop on Windows 8.1 RTM, but on 2013/11/12 Microsoft published an update for IE11 on Windows 8.1 that disables Enhanced Protected Mode on IE11 Desktop.
Everything is back to the same state as on Windows 8.0: IE Metro is unaffected and still runs in Enhanced Protected Mode, while IE Desktop runs in the classic Protected Mode sandbox from the Vista era.

UPDATE 2013-11-07:
On Windows 8.1 and RT (8.1), Enhanced Protected Mode is now enabled by default on both IE11 Metro and IE11 Desktop.
However, on Windows 8.1 64-bit, Microsoft decided that IE Desktop would run in 32-bit mode by default, as opposed to IE Metro, which continues to run in 64-bit mode. There is a new option in the Internet Options window to enable 64-bit renderer processes for IE Desktop. I advise you to enable it in order to improve security (memory mitigation technologies such as ASLR are harder to bypass in 64-bit mode).

Learn more about the compatibility changes in IE11 on Windows 8.1 here.

UPDATE 2012-12-22: I initially wrote this article in March 2012, shortly after the release of Windows 8 Consumer Preview. Back then, Microsoft hadn't talked much about the Enhanced Protected Mode (EPM) in IE10, which is why I decided to write this article. At that time, Flash Player was not yet compatible with EPM, but since the release of Windows 8 Release Preview (and then the final version), as I expected, Adobe has created a version of Flash Player compatible with EPM.

---

When Windows Vista and Internet Explorer 7 were released in 2006, Microsoft introduced a security feature called "Protected Mode" (or Low Integrity Mode). Basically, it was a way to sandbox IE while preserving a rather good level of backward compatibility with plugins.

In September 2011, during the BUILD conference, I was told that, in Windows 8, Internet Explorer 10 would be sandboxed in a new way that would greatly improve its security. So much so that Microsoft expects Google Chrome to use the same sandbox in the future. However, in the Developer Preview of Windows 8 this sandbox was not yet enabled.

Since the release of Windows 8 Consumer Preview, it is now enabled by default on the Metro version of IE10 (but not on IE10 Desktop).

How to enable it on IE10 desktop too

Open Internet Options, go to the Advanced tab, in the Security section, check the "Enable Enhanced Protected Mode" checkbox, then click OK and restart IE.
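The two checkboxes described above (EPM in the Advanced tab, and the 64-bit renderer option mentioned in the 2013-11-07 update) are stored in the registry, so they can be audited and set from a script. The following PowerShell is an added example written for this article, not code from the original post or from Microsoft; it assumes the standard `Isolation` (REG_SZ, "PMEM" when EPM is on) and `Isolation64Bit` (REG_DWORD, 1 when 64-bit tab processes are on) values under `Internet Explorer\Main`, with the `HKLM:\Software\Policies` copy taking precedence over the per-user copy.

```powershell
# Added example (not from the original article): audit whether Enhanced Protected Mode
# and 64-bit EPM tab processes are enabled, per user and via machine policy.
# Assumed registry values behind the two Internet Options checkboxes:
#   Isolation      (REG_SZ)    = "PMEM" when "Enable Enhanced Protected Mode" is checked
#   Isolation64Bit (REG_DWORD) = 1     when 64-bit tab processes for EPM are enabled
# A value under the Policies hive overrides the per-user value.

$UserKey   = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$PolicyKey = 'HKLM:\Software\Policies\Microsoft\Internet Explorer\Main'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-EpmStatus {
    # Policy wins over the user setting; if neither is present, EPM is at its default (off).
    $isolation = Get-RegValue $PolicyKey 'Isolation'
    $source = 'policy'
    if ($null -eq $isolation) { $isolation = Get-RegValue $UserKey 'Isolation'; $source = 'user' }
    $x64 = Get-RegValue $PolicyKey 'Isolation64Bit'
    if ($null -eq $x64) { $x64 = Get-RegValue $UserKey 'Isolation64Bit' }

    [pscustomobject]@{
        EnhancedProtectedMode = ($isolation -eq 'PMEM')
        SettingSource         = if ($null -eq $isolation) { 'default' } else { $source }
        TabProcesses64Bit     = ($x64 -eq 1)
    }
}

function Enable-Epm {
    # Per-user equivalent of ticking both checkboxes; IE must be restarted afterwards.
    param([switch]$With64BitTabs)
    if (-not (Test-Path $UserKey)) { New-Item -Path $UserKey -Force | Out-Null }
    Set-ItemProperty -Path $UserKey -Name 'Isolation' -Value 'PMEM' -Type String
    if ($With64BitTabs) {
        Set-ItemProperty -Path $UserKey -Name 'Isolation64Bit' -Value 1 -Type DWord
    }
}

# Report the effective state; run "Enable-Epm -With64BitTabs" to turn both options on.
Get-EpmStatus | Format-List
```

A policy-level value can only be changed by an administrator, which is also how a domain can keep EPM enabled regardless of what a user unticks in Internet Options.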

Why we need sandboxed web browsers

Assuming that it is impossible to detect and fix every security flaw in an application that contains millions of lines of code, a security sandbox reduces the severity of future 0day security flaws that could cause arbitrary code execution.

Most power users wrongly assume that a user is safe as long as he is not running as administrator (or root), but malware running in a limited user account can do almost as much damage as malware running as root: it can start automatically when you log in, capture your keystrokes, read the passwords saved in your web browser, send them to a remote server controlled by a malicious person, alter your personal files, infect files on a USB key, launch attacks on your local network or send spam as part of a botnet. This is true on any OS, including Linux and OS X.

In an unsandboxed browser, like Firefox or Opera, if the user visits a web page containing an exploit for an unpatched flaw in the browser (or in a plugin like Flash Player or Java), the malicious code is executed with the same level of privilege as the browser. That is, even if the user runs under a limited user account, malware could be installed in the user profile and could be very harmful.

In a sandboxed browser, like IE7 on Vista or Google Chrome, if an exploit is successful, the malicious code runs with the level of privilege provided by the sandbox: in the case of Protected Mode, that means the malware has no write access to the file system, no write access to the registry, and limited ability to interact with other windows on the user's desktop (it would not be able to listen for keystrokes in another application). At worst, it could steal data stored in the user profile, but it could not persist after a log off. Although not perfect, that is a huge improvement, and since there is no permanent infection, there is no need to clean up the mess.

The shortcomings of the "classic" Protected Mode

Unfortunately, it has been shown that the classic Protected Mode is not restrictive enough, and attackers could exploit unrestricted features like interprocess communication to escape the sandbox. Microsoft can't tighten that during the lifetime of Windows Vista/7, because doing so would cause current plugins to stop working.

In the meantime, Google Chrome's sandbox has become more secure than Protected Mode, since it also denies the tab processes read access to the file system. Chrome can do that because it runs plugins in an external unsandboxed process, which in turn lowers security because the plugins themselves are not sandboxed (except Flash Player, which has been partially sandboxed since Chrome 11, as it is on IE too).

Enter the "Enhanced Protected Mode" (EPM)

As IE10 Metro was marketed as a "no plugin" browser, it was the perfect candidate to implement a more restrictive sandbox.

Here is what it does:

As I said earlier, blocking read access to the file system and registry causes any plugin not compatible with EPM to stop working, including Flash Player (update: Flash Player is now compatible with EPM), which is exactly why Microsoft didn't block read access in the original Protected Mode. Every plugin needs to be partially rewritten to account for these new restrictions. This could take a long time, or never happen at all.

Fortunately, if the user enables Enhanced Protected Mode in IE10 Desktop, he can benefit from the improved sandbox, and when he visits a web page which requires a plugin that is not compatible with EPM, IE asks him whether he wants to disable Enhanced Protected Mode in the current tab and fall back to the classic Protected Mode in order to load any plugin the page may require (for the current tab only, and for future tabs displaying pages hosted on the same domain).


Process Explorer showing the privilege level of two tabs running in an IE10 window: the YouTube tab is running at "Low" integrity (classic Protected Mode) because the user has allowed IE to disable EPM on youtube.com to run Flash. The other tab is still running in EPM, but since that site has Flash content too, IE displays a message asking the user whether he wants to disable EPM on this tab as well.
Since Windows 8 Release Preview, Flash Player is compatible with EPM, which means the prompt in the above screenshot is no longer displayed when a page contains Flash content. The content runs directly, as it did in previous versions of IE. EPM and the AppContainer no longer need to be disabled. However, the above screenshot shows what still happens when a page wants to display content that requires any other plugin that is not compatible with EPM, such as Silverlight or Java.

Thanks to this fallback mechanism, trusted websites can display any content, such as Silverlight content (while still being sandboxed by the classic Protected Mode), while untrusted sites run in the more restrictive EPM sandbox, even in the same browser window (since IE runs each tab in a separate process, as it has done since IE8, it can give each tab a different level of sandboxing).

Since Windows 8 Release Preview, Flash Player ships with Windows 8 (and even Windows RT). It is updated through Windows Update and, most importantly, it is now compatible with EPM!
Even better, Microsoft decided to add Flash Player support to the Metro version of IE. Flash Player is the ONLY plugin allowed to run in Metro IE. Even Microsoft's own Silverlight didn't get this treatment (actually, Microsoft didn't even release an EPM-compatible version of Silverlight).

Also note that IE Desktop on Windows RT 8.0 runs with EPM disabled by default (only the old Protected Mode is enabled), exactly as on Windows 8.0 x86/x64. I was at first surprised that Microsoft didn't use this opportunity to enable EPM by default, because there are no legacy plugins to support on Windows RT: it is a brand new platform that can't run existing x86 plugins and software anyway. Then, after enabling it, I saw that a few plugins created by the Office team were not compatible with EPM and were disabled at startup, which explains why Microsoft hasn't enabled EPM by default. I still advise you to enable EPM if you care about security, as you should not miss these plugins anyway.
I hope that at some point the Office team will release an EPM-compatible update of these plugins, so that Microsoft can enable EPM by default in the next revision of Windows RT (which should reach RTM around August 2013, at the same time as Windows 8.1).