Microsoft Edge sandbox
Is this new?
Yes and no. As stated above, this sandbox technology is a stronger version of what existed before. Since Windows Vista and IE7 (2006/2007) we have had Protected Mode, a feature that ran Internet-zone web content inside a low-integrity sandboxed process. Many improvements have been made since then, and this article covers some of the latest and greatest achievements in this space.
So, what is new?
Edge takes this to a completely different level: the restrictions are enforced all the time instead of being optional, as Protected Mode was (it could be switched off per zone). Microsoft Edge also dropped support for 3rd-party binary extensions (ActiveX controls, Browser Helper Objects and toolbars), so there is no longer native third-party code running with the browser's privileges that could be used to step outside the Edge containers.
Additionally, Microsoft Edge is a Universal Windows app, which means that, as with other UWP apps, all of its processes run inside AppContainer sandboxes. This matters for a few reasons, but the main benefit is that we can be more confident the browser is isolated from critical apps and processes on the system.
Instead of a single container, or only a few, Edge now separates its operations into six containers:
- Intranet: Hosts content from intranet sites.
- Extensions: Specifically for the new (web-technology based) extensions in Edge.
- Internet: Hosts content from Internet sites.
- Flash: Flash content is now separated from everything else.
- Service UI: Hosts some of Edge's special pages, such as the about page.
- Manager container: General browser UI and features, such as the refresh button.
The idea is that with everything separated, each container can be locked down to what its content actually needs, which reduces the overall attack surface of the browser: compromising one container (say, the one hosting Flash) hands an attacker less than a single shared container would. With everything in separate containers, it should be harder for an attacker who has exploited page content to escape the browser and affect the operating system.
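A practitioner will want to verify the claims above on a live machine rather than take them on trust. The script below is an added example, not code from the original article or from Microsoft; it assumes Windows 10 with the EdgeHTML-based Edge of this era running, whose processes are named MicrosoftEdge*.exe (MicrosoftEdge.exe for the manager, MicrosoftEdgeCP.exe for content processes), and it queries each process token through the documented Win32 APIs OpenProcessToken and GetTokenInformation. The function name Get-EdgeSandboxInfo and the table it emits are my own choices.

```powershell
# Added example (not part of the original article). Lists every MicrosoftEdge*.exe
# process and reports whether its token is an AppContainer, its integrity label and
# its AppContainer (package) SID. Assumes the EdgeHTML-based Edge on Windows 10.
Add-Type -Namespace Win32 -Name Token -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetTokenInformation(IntPtr token, int infoClass, IntPtr buf, int len, out int needed);
[DllImport("kernel32.dll")]
public static extern bool CloseHandle(IntPtr h);
'@

$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
$TOKEN_QUERY                       = 0x0008
# TOKEN_INFORMATION_CLASS values from winnt.h
$TokenIntegrityLevel  = 25
$TokenIsAppContainer  = 29
$TokenAppContainerSid = 31

# Well-known mandatory label SIDs; AppContainer processes run at Low.
$IntegrityNames = @{
    'S-1-16-0'     = 'Untrusted'; 'S-1-16-4096'  = 'Low';  'S-1-16-8192'  = 'Medium'
    'S-1-16-12288' = 'High';      'S-1-16-16384' = 'System'
}

function Get-TokenInfoBuffer([IntPtr]$Token, [int]$Class) {
    # Standard two-call pattern: the first call reports the required size.
    $needed = 0
    [void][Win32.Token]::GetTokenInformation($Token, $Class, [IntPtr]::Zero, 0, [ref]$needed)
    if ($needed -eq 0) { return [IntPtr]::Zero }
    $buf = [Runtime.InteropServices.Marshal]::AllocHGlobal($needed)
    if (-not [Win32.Token]::GetTokenInformation($Token, $Class, $buf, $needed, [ref]$needed)) {
        [Runtime.InteropServices.Marshal]::FreeHGlobal($buf)
        return [IntPtr]::Zero
    }
    return $buf   # caller frees with FreeHGlobal
}

function Get-SidStringFromBuffer([IntPtr]$Buffer) {
    # Both TOKEN_MANDATORY_LABEL and TOKEN_APPCONTAINER_INFORMATION begin with a PSID
    # that points into the same buffer, so read the pointer and parse the SID there.
    $sidPtr = [Runtime.InteropServices.Marshal]::ReadIntPtr($Buffer)
    if ($sidPtr -eq [IntPtr]::Zero) { return $null }
    return (New-Object Security.Principal.SecurityIdentifier($sidPtr)).Value
}

function Get-EdgeSandboxInfo {
    Get-Process -Name 'MicrosoftEdge*' -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = [Win32.Token]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, $_.Id)
        if ($proc -eq [IntPtr]::Zero) { return }
        $token = [IntPtr]::Zero
        if (-not [Win32.Token]::OpenProcessToken($proc, $TOKEN_QUERY, [ref]$token)) {
            [void][Win32.Token]::CloseHandle($proc); return
        }

        $isAppContainer = $false
        $buf = Get-TokenInfoBuffer $token $TokenIsAppContainer
        if ($buf -ne [IntPtr]::Zero) {
            $isAppContainer = [Runtime.InteropServices.Marshal]::ReadInt32($buf) -ne 0
            [Runtime.InteropServices.Marshal]::FreeHGlobal($buf)
        }

        $integrity = 'unknown'
        $buf = Get-TokenInfoBuffer $token $TokenIntegrityLevel
        if ($buf -ne [IntPtr]::Zero) {
            $sid = Get-SidStringFromBuffer $buf
            $integrity = if ($IntegrityNames.ContainsKey($sid)) { $IntegrityNames[$sid] } else { $sid }
            [Runtime.InteropServices.Marshal]::FreeHGlobal($buf)
        }

        $appContainerSid = '-'
        $buf = Get-TokenInfoBuffer $token $TokenAppContainerSid
        if ($buf -ne [IntPtr]::Zero) {
            $sid = Get-SidStringFromBuffer $buf
            if ($sid) { $appContainerSid = $sid }
            [Runtime.InteropServices.Marshal]::FreeHGlobal($buf)
        }

        [void][Win32.Token]::CloseHandle($token)
        [void][Win32.Token]::CloseHandle($proc)
        [pscustomobject]@{
            Pid = $_.Id; Name = $_.ProcessName
            AppContainer = $isAppContainer; Integrity = $integrity; AppContainerSid = $appContainerSid
        }
    }
}

Get-EdgeSandboxInfo | Format-Table -AutoSize
```

Run it from a normal (non-AppContainer) PowerShell session as the same user that is running Edge. If the article's description holds, every MicrosoftEdge*.exe row should report AppContainer = True with a Low integrity label; a row showing False or Medium would mean that process is not sandboxed the way the text describes and deserves a closer look. The broker process that Edge relies on is not named MicrosoftEdge*.exe and is deliberately not listed here.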
Side note: In the Fall Creators Update, Microsoft Edge will include a feature called "Windows Defender Application Guard". This takes the "sandbox" to a whole separate level and is beyond what this article covers. I have written about this new feature here: