This Is How Windows 11 Will Sandbox Apps for Better Security



In May, Microsoft revealed a new security feature coming to Windows 11 that would allow Windows applications to run in isolated sandbox environments for enhanced security. Now we know a little more about how that will work.

Microsoft has kicked off the public preview for “Win32 app isolation,” which is intended to provide a layer of protection against zero-day vulnerabilities and other potential security threats. Microsoft explained in a blog post, “Win32 app isolation achieves its goal of limiting impact (in the event apps are compromised) by running apps with low privilege, which requires a multi-step attack to break out of the container. Attackers must target a specific capability or vulnerability, compared to having broad access and since the attack must be directed at a specific vulnerability, mitigation patches can be quickly applied, reducing the shelf life of the attack.”

App isolation is a lot like Snap or Flatpak applications on desktop Linux, and to some extent, the default permissions structure on macOS. Applications can start off with some permissions when they are installed, and they can request more as needed. Access to the camera, microphone, location, images, files, and folders is blocked without the user’s permission. Isolated apps also have limited access to the Windows Registry. Apps can request permission to specific files and folders, and if the user grants access, the files are provided through a sandboxed file system called the Windows Brokering File System (BFS).

Diagram of app isolation feature (image: Microsoft)

That all sounds great, since there are many apps that don’t need full access to your PC, and blocking them off from unnecessary permissions would improve both privacy and security. However, Microsoft made it clear that this won’t be automatically enabled for all software. This is an opt-in measure that requires some modification from the application developer — unlike apps on macOS, which force a permissions model for file access and other functions for all software.

Microsoft has been building better indicators for applications using sensitive data, like the camera and VPN status icons on Windows 11, but it would have been nice to see app isolation enabled across the board. That might just not be possible with the current structure of Windows — especially when maintaining compatibility with decades-old software is a requirement for corporate customers.

Source: Windows Blog




