Internet Explorer 10 contains a new security feature called "enhanced protected mode" (EPM) that Windows 8 beta testers may soon encounter.
EPM is a browser defense feature that follows in the tradition of Microsoft's "protected mode," which was first introduced as part of IE 7 running on Windows Vista, according to an IE blog post by Andy Ziegler, senior program manager of Internet Explorer. Protected mode was designed to prevent attackers from modifying a user's settings or installing malware. EPM enhances these capabilities, according to Ziegler, and it adds a new security sandbox called AppContainer.
The AppContainer Sandbox
AppContainer is a feature mostly designed to support the "Metro-style" version of apps and IE 10. AppContainer blocks read and write access to Windows systems, explained Eric Law, a program manager for Internet Explorer, in a blog post. He added that all Metro-style apps running on Windows 8 will run in AppContainer, as well as all tabs running in IE 10 with EPM turned on. He described AppContainer as a "tight sandbox" because it "does not specify internetClientServer, privateNetworkClientServer, enterpriseAuthentication, or any of the *Library capabilities."
AppContainer's internetClientServer restriction prevents browser add-ons from allowing inbound connections or remote connections. In addition AppContainer also doesn't allow Metro-style apps to connect with a locally installed IIS or Apache server, as might be done for Web site testing purposes. Law, who developed the Fiddler Web debugging program, explained that Fiddler will get blocked by AppContainer because Fiddler runs as a proxy server on local computers. He provided links to a workaround. Finally, the restriction on privateNetworkClientServer access is designed to ward off Internet port scanning and cross-site-request forgery attacks.
Cookies don't get shared between Metro-style apps because of AppContainer's read and write restrictions. Law noted an example where this feature would be useful, noting that if someone uses a banking Web app, "the banking app's cache, cookies, and credentials aren't available to be stolen from pages you browse in Metro-style Internet Explorer, even if a vulnerability was discovered that allowed an attacker to run arbitrary native code in the AppContainer."
Windows Versions and IE 10's EPM
Enhanced protected mode is pretty much a dead-end feature when run with IE 10 on Windows 7 or Windows Server 2008 R2. It doesn't add security protections per se, except for enabling 64-bit content processes in the browser's tabs, according to Law. Microsoft hasn't really talked too much about running IE 10 on Windows 7, but it is possible to do, according to Microsoft's "Windows Internet Explorer 10 Consumer Preview Guide for Developers."
"When it's released, Internet Explorer 10 will be available for Windows 7, Windows 8, Windows Server 2008 R2, and Windows Server 8 Beta," the guide states.
So, while EPM is really designed as a security feature for Windows 8 users, it also works differently, depending on which IE 10 browser is used. Windows 8 comes with essentially two IE 10 browsers, using different user interfaces. The Metro-style mode is tile-based, runs full screen and is optimized for touch, while the so-called "desktop" mode has a more classic chromed browser look.
One example of the difference between these two browser modes in tapping EPM is in bit support. Microsoft's browsers run "manager processes" and "content processes." For Metro-style IE 10, those processes run at 64-bit by default. However, for the desktop IE 10 experience on Windows 8, the content processes run at 32-bit by default. Users can change that default to 64-bit by enabling EPM for the desktop version of the browser, provided that the underlying Windows operating system also is 64 bit.
The one big drawback right now to enabling EPM on the desktop mode of IE 10 is that browser add-ons, such as Adobe Flash, aren't yet designed to work with EPM.
"Most users expect add-ons to work in Desktop IE, but very few add-ons are AppContainer-compatible today," Law explained. "If you enable EPM in the desktop and have a BHO [browser helper object] or Toolbar that isn't EPM compatible, the add-on will be disabled."
The desktop IE 10 also will encounter ActiveX controls at Web sites that don't work with EPM. However, rather disabling this control, a dialog box will pop up asking the users whether they want to disable EPM for that particular site.
Law listed a few other details for add-ons to be compatible with EPM. For instance, they have to be compatible with AppContainer too, and they have to be available in both 32-bit and 64-bit versions.
Microsoft officials have been saying that they think people will prefer browsing the Web using the Metro-style version of IE 10. The Metro-style IE 10 may be problematic for some people with multiple "favorites" or bookmarked sites to track. However, at this point, Microsoft does appear to have mapped out the EPM security functions better for the Metro-style version of IE 10 compared with the desktop version.