Internet Explorer 10 gets a new sandbox : Enhanced Protected Mode
Written on 2012-03-04
Well, it didn't last long: Enhanced Protected Mode (EPM) was enabled by default in IE11 Desktop on Windows 8.1 RTM, but on 2013/11/12 Microsoft published an update for IE11 on Windows 8.1 that disables Enhanced Protected Mode on IE11 Desktop.
Everything is back to the same state as on Windows 8.0: IE Metro is unaffected and still runs in Enhanced Protected Mode, while IE Desktop runs in the classic Protected Mode sandbox from the Vista era.
On Windows 8.1 and RT (8.1), Enhanced Protected Mode is now enabled by default on both IE11 Metro and IE11 Desktop.
However, on Windows 8.1 64-bit, Microsoft decided that IE Desktop would run in 32-bit mode by default, as opposed to IE Metro, which continues to run in 64-bit mode. There is a new option in the Internet Options window to enable 64-bit renderer processes for IE Desktop. I advise you to enable it in order to improve security (memory mitigation technologies such as ASLR are harder to bypass in 64-bit mode).
Learn more about the compatibility changes in IE11 on Windows 8.1 here.
UPDATE 2012-12-22: I initially wrote this article in March 2012, shortly after the release of the Windows 8 Consumer Preview. Back then, Microsoft hadn't talked much about Enhanced Protected Mode (EPM) in IE10, which is why I decided to write this article. At that time, Flash Player was not yet compatible with EPM, but since the release of the Windows 8 Release Preview (and then the final version), Adobe has, as I expected, created a version of Flash Player compatible with EPM.
When Windows Vista and Internet Explorer 7 were released in 2006, Microsoft introduced a security feature called "Protected Mode" (or Low Integrity Mode). Basically, it was a way to sandbox IE while preserving a rather good level of backward compatibility with plugins.
In September 2011, during the BUILD conference, I was told that in Windows 8, Internet Explorer 10 would be sandboxed in a new way that would greatly improve its security, so much so that Microsoft expected Google Chrome to use the same sandbox in the future. However, in the Developer Preview of Windows 8 this sandbox was not yet enabled.
Since the release of the Windows 8 Consumer Preview, it is enabled by default in the Metro version of IE10 (but not in IE10 Desktop).
How to enable it on IE10 desktop too
Open Internet Options, go to the Advanced tab, and in the Security section check the "Enable Enhanced Protected Mode" checkbox, then click OK and restart IE.
Why we need sandboxed web browsers
Assuming that it is impossible to detect and fix every security flaw in an application containing millions of lines of code, a security sandbox reduces the severity of future 0-day flaws that could lead to arbitrary code execution.
Most power users wrongly assume that a user is safe as long as he is not running as administrator (or root), but malware running in a limited user account can do almost as much damage as malware running as root: it can start automatically when you log in, capture your keystrokes, grab the passwords saved in your web browser and send them to a remote server controlled by a malicious person, alter your personal files, infect files on a USB key, launch attacks on your local network, or send spam as part of a botnet. This is true on any OS, including Linux and OS X.
In an unsandboxed browser, like Firefox or Opera, if the user visits a web page containing an exploit for an unpatched flaw in the browser (or in a plugin like Flash Player or Java), malicious code will be executed with the same level of privilege as the browser. That is, even if the user runs as a limited user account, malware could be installed in the user profile and could be very harmful.
In a sandboxed browser, like IE7 on Vista or Google Chrome, if an exploit is successful, the malicious code runs with the level of privilege provided by the sandbox. In the case of Protected Mode, that means the malware has no write access to the file system, no write access to the registry, and limited ability to interact with other windows on the user's desktop (it would not be able to listen for keystrokes in another application). At worst, it could steal data stored in the user profile, but it could not persist after a log off. Although not perfect, that is a huge improvement, and since there is no permanent infection, there is no need to clean up the mess.
The shortcomings of the "classic" Protected Mode
Unfortunately, it has been shown that the classic Protected Mode is not restrictive enough: attackers could abuse unrestricted features like interprocess communication to escape the sandbox. Microsoft can't fix that during the lifetime of Windows Vista/7, because doing so would break existing plugins.
In the meantime, Google Chrome's sandbox has become more secure, since it improves on Protected Mode by also denying read access to the file system to the tab processes. Chrome can do that because it runs plugins in an external, unsandboxed process, which lowers security since the plugins themselves are not sandboxed (except Flash Player, which has been partially sandboxed since Chrome 11, as it is in IE too).
Enter the "Enhanced Protected Mode" (EPM)
As IE10 Metro was marketed as a "no plugin" browser, it was the perfect candidate for a more restrictive sandbox.
Here is what it does:
As I said earlier, blocking read access to the file system and registry causes any plugin not compatible with EPM to stop working, including Flash Player (update: Flash Player is now compatible with EPM), which is exactly why Microsoft didn't block read access in the original Protected Mode. Every plugin needs to be partially rewritten to account for these new restrictions. This could take a long time, or never happen at all.
Fortunately, if the user enables Enhanced Protected Mode in IE10 Desktop, he benefits from the improved sandbox, and when he visits a web page that requires a plugin not compatible with EPM, IE asks him whether he wants to disable Enhanced Protected Mode in the current tab and fall back to the classic Protected Mode in order to load any plugin the page may require (for the current tab only, plus future tabs displaying pages hosted on the same domain).
Thanks to this fallback mechanism, trusted websites can display any content, such as Silverlight content (while still being sandboxed with the classic sandbox), while untrusted sites run in the more restrictive EPM sandbox, even in the same browser window (since IE has run each tab in a separate process since IE8, it can give each tab a different level of sandboxing).
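The sandbox levels described above (Low integrity for classic Protected Mode tab processes, a different level per tab, and the 32-bit versus 64-bit question from the update at the top of the article) can be verified on a running system rather than taken on faith. The following PowerShell script is an added example, not code from the article or from Microsoft. It assumes Windows 8 or later with Internet Explorer running, and a PowerShell session at Medium integrity or higher (a lower-integrity session cannot open the tokens of higher-integrity processes). It also relies on the fact that on Windows 8 an EPM tab process carries an AppContainer token, which is what the TokenIsAppContainer query reports. The class name IeSandboxAudit and its Query method are names chosen for this example.

```powershell
# Added example (not from the original article): audit every running
# Internet Explorer process and report its token integrity level, whether the
# token is an AppContainer token (how EPM tab processes appear on Windows 8),
# and whether the process is 32-bit (WOW64) or native 64-bit.
$src = @"
using System;
using System.Runtime.InteropServices;
public static class IeSandboxAudit
{
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool IsWow64Process(IntPtr hProcess, out bool wow64);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr hProcess, uint access, out IntPtr hToken);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr hToken, int infoClass, IntPtr info, int len, out int needed);
    [DllImport("advapi32.dll")]
    static extern IntPtr GetSidSubAuthorityCount(IntPtr sid);
    [DllImport("advapi32.dll")]
    static extern IntPtr GetSidSubAuthority(IntPtr sid, uint index);

    const uint PROCESS_QUERY_INFORMATION = 0x0400;
    const uint TOKEN_QUERY = 0x0008;
    const int TokenIntegrityLevel = 25;   // TOKEN_INFORMATION_CLASS values
    const int TokenIsAppContainer = 29;

    // Fills in the integrity RID (0x1000 = Low, 0x2000 = Medium, 0x3000 = High),
    // the AppContainer flag and the WOW64 flag for a process id.
    public static bool Query(int pid, out int integrityRid, out bool appContainer, out bool wow64)
    {
        integrityRid = -1; appContainer = false; wow64 = false;
        IntPtr hProc = OpenProcess(PROCESS_QUERY_INFORMATION, false, pid);
        if (hProc == IntPtr.Zero) return false;
        IntPtr hTok = IntPtr.Zero;
        try
        {
            IsWow64Process(hProc, out wow64);
            if (!OpenProcessToken(hProc, TOKEN_QUERY, out hTok)) return false;

            // TOKEN_MANDATORY_LABEL starts with a PSID; the integrity level is its last sub-authority.
            int needed;
            GetTokenInformation(hTok, TokenIntegrityLevel, IntPtr.Zero, 0, out needed);
            IntPtr buf = Marshal.AllocHGlobal(needed);
            try
            {
                if (!GetTokenInformation(hTok, TokenIntegrityLevel, buf, needed, out needed)) return false;
                IntPtr sid = Marshal.ReadIntPtr(buf);
                byte count = Marshal.ReadByte(GetSidSubAuthorityCount(sid));
                integrityRid = Marshal.ReadInt32(GetSidSubAuthority(sid, (uint)(count - 1)));
            }
            finally { Marshal.FreeHGlobal(buf); }

            // TokenIsAppContainer yields a DWORD: non-zero means the process lives in an AppContainer.
            IntPtr flag = Marshal.AllocHGlobal(4);
            try
            {
                if (GetTokenInformation(hTok, TokenIsAppContainer, flag, 4, out needed))
                    appContainer = Marshal.ReadInt32(flag) != 0;
            }
            finally { Marshal.FreeHGlobal(flag); }
            return true;
        }
        finally
        {
            if (hTok != IntPtr.Zero) CloseHandle(hTok);
            CloseHandle(hProc);
        }
    }
}
"@
Add-Type -TypeDefinition $src

# Well-known integrity RIDs (the last sub-authority of the mandatory label SID).
$levels = @{ 0x0000 = 'Untrusted'; 0x1000 = 'Low'; 0x2000 = 'Medium'; 0x3000 = 'High'; 0x4000 = 'System' }

Get-Process -Name iexplore -ErrorAction SilentlyContinue | ForEach-Object {
    $rid = 0; $ac = $false; $wow = $false
    if ([IeSandboxAudit]::Query($_.Id, [ref]$rid, [ref]$ac, [ref]$wow)) {
        $name = if ($levels.ContainsKey($rid)) { $levels[$rid] } else { '0x{0:X}' -f $rid }
        $bits = if ($wow) { '32-bit (WOW64)' } else { '64-bit' }
        [pscustomobject]@{ Pid = $_.Id; Integrity = $name; AppContainer = $ac; Bitness = $bits }
    } else {
        Write-Warning "PID $($_.Id): access denied (run from a session at least as privileged as the target)"
    }
} | Format-Table -AutoSize
```

Expect one iexplore.exe at Medium integrity (the frame process, which acts as the broker) and one per tab at Low. A tab that fell back to the classic Protected Mode shows Low with AppContainer False, while an EPM tab shows AppContainer True; the Bitness column shows whether the 64-bit renderer option discussed at the top of the article is actually in effect.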
Since the Windows 8 Release Preview, Flash Player ships with Windows 8 (and even Windows RT). It is updated through Windows Update and, most important, it is now compatible with EPM!
Even better, Microsoft decided to add Flash Player support to the Metro version of IE. Flash Player is the ONLY plugin allowed to run in Metro IE. Even Microsoft's own Silverlight didn't get this treatment (in fact, Microsoft didn't even release an EPM-compatible version of Silverlight).
Also note that IE Desktop on Windows RT 8.0 runs with EPM disabled by default (only the old Protected Mode is enabled), exactly as on Windows 8.0 x86/x64.
I was at first surprised that Microsoft didn't use this opportunity to enable EPM by default, because there are no legacy plugins to support on Windows RT, since it is a brand new platform that can't run existing x86 plugins and software anyway.
Then, after enabling it, I saw that a few plugins created by the Office team were not compatible with EPM and were disabled at startup, which explains why Microsoft hasn't enabled EPM by default. I still advise you to enable EPM if you care about security, as you won't miss these plugins anyway.
I hope that at some point the Office team will release EPM-compatible updates of these plugins, so that Microsoft can enable EPM by default in the next revision of Windows RT (which should reach RTM around August 2013, at the same time as Windows 8.1).