Windows 10: Improved Windows Security? Microsoft launches Win32 app isolation

GHacks · Jun 28, 2023

Microsoft launched a preview of a new security feature for Windows earlier this month that it calls Win32 app isolation. The feature uses containers and Microsoft claims that it adds security protections to Windows to help protect against vulnerabilities of the application that uses Win32 app isolation.

In one sentence: Win32 App Isolation needs to be implemented by developers to give users more control and limit the capabilities of exploits.

Microsoft notes on the official Windows Developer blog that a main focus of Win32 app isolation is zero-day attacks.

Microsoft's Windows operating system has a number of tools and security features to prevent or limit malware attacks. From the User Account Control, introduced in Windows Vista, to modern features such as Windows Sandbox or Microsoft Defender Application Guard.

Windows Sandbox, for instance, is an excellent tool for Windows 10 and 11 systems to run files in an isolated environment. Windows Sandbox supports configuration files, which allow administrators to customize the environment.

Win32 App Isolation

Microsoft wants Win32 App Isolation to become the default isolation standard on Windows clients. It works well together with other security features, such as Smart App Control, according to Microsoft. Smart App Control is limited to new Windows 11 systems, however.

Win32 applications, classic programs for Windows, that run with user rights have access to all user data currently. Microsoft notes that this is a big risk, especially since users are not informed about access or get a say in the matter.

The company writes: "Consequently, there is a risk of unauthorized access to the user’s privacy data by malicious actors without their knowledge or consent."

Microsoft lists three key objectives of Win32 App Isolation:

Make it significantly harder for attackers to cause damage on Windows systems.

Provide a seamless user experience for isolated apps.

Reduce developer effort to onboard apps.

When an application utilizes app isolation on Windows, it can't access a user's private data without permission anymore. While it may access some system files, such as .NET libraries or protected Registry keys, it needs to prompt users when it wants to access images, documents, the location, microphone or files.

Microsoft is aware that users could be tricked into granting access by malicious apps and it implemented preventive measures into the technology. Developers need to include support for prompting users to access private data in their application. If they don't, they can't be exploited to ask users for permission.

File access, furthermore, is limited to specific files that the user selects. These do not necessarily require prompts, as selecting a file is automatically seen as granting permission to access that particular file.

Microsoft explains: "When the user grants consent to a specific file for the isolated application, the isolated application interfaces with Windows Brokering File System (BFS) and grants access to the files via a mini filter driver. BFS simply opens the file and serves as the interface between the isolated application and BFS".

Win32 App Isolation supports a learn mode, which logs the additional capabilities required for access, but does not prevent access.

Closing Words

It is doubtful that Win32 App Isolation will get a lot of traction in the coming months and even years. The biggest hurdle is that developers need to implement it in their applications. While some may do, especially those with a focus on privacy, security or important data, most will likely ignore the feature.

There is also the chance that Win32 App Isolation prompts may annoy users, if they see too many prompts for data access throughout their workday.

Last but not least, Win32 App Isolation will likely be exclusive to Windows 11 and future versions of Windows.

Taken together, there is a good chance that some Windows programs will implement Win32 App Isolation, but the vast majority will likely ignore the feature.

Now You: what is your take on the new feature?

Thank you for being a Ghacks reader. The post Improved Windows Security? Microsoft launches Win32 app isolation appeared first on gHacks Technology News.

read more...

R-T-B · Jun 28, 2023

Microsoft Adds Ability to Block Win32 Apps from Install on Windows 10

If you can get buy with everything you need through the Windows Store, enabling this security feature will disable 99.9% of viruses out there for Windows.

Apps can do harmful things but if they do, Microsoft reserves the right to remove them from the store. In this regard, it makes your desktop as secure as, for example, an iPhone.

It won't work for most people which is why they have it disabled by default. I can certainly see why they're making it an option (it's cheap to add and it ramps up the security a near infinite fold).

I already know someone that literally operates off Microsoft Edge and this would be perfect for her because it shuts out most harmful things found on the internet.
Click to expand...

Yeah, if you can't tell by the editorial, I know a few who would benefit too.

I'm just concerned about the fact its possibly a step towards putting Win32 in a coffin. Albeit a small one. But we all start somewhere.

Right now, just a discussion starter more than a serious issue.

PS: I'm very tired today, so this is a bit more of a "wild and loose" editorial than my usual.

Hossein Almet · Jun 28, 2023

Microsoft Adds Ability to Block Win32 Apps from Install on Windows 10

If you can get by with everything you need through the Windows Store, enabling this security feature will disable 99.9% of viruses out there for Windows.

Apps can do harmful things but if they do, Microsoft reserves the right to remove them from the store. In this regard, it makes your desktop as secure as, for example, an iPhone.

It won't work for most people which is why they have it disabled by default. I can certainly see why they're making it an option (it's cheap to add and it ramps up the security a near infinite fold).

I already know someone that literally operates off Microsoft Edge and this would be perfect for her because it shuts out most harmful things found on the internet.

Edit: Two words: group policy. This is something enterprise customers want so Microsoft is giving it to them. Group policy has a lot of crazy restrictive settings in it but most users are completely clueless to it. I don't think it is anything to get worked up about.

Win32 is literally Microsoft's bread and butter. It's not going away any time soon. To disable it is to forbid decades worth of software from running.
Click to expand...

What about the apps from Windows Store that got the bugs? What more, Windows seem to be oblivious to them.

Brink · Jun 28, 2023

Microsoft wants to close the UWP and Win32 divide with Windows Apps

Is Microsoft's UWP going away? Is the Microsoft Store on its way out? Microsoft Corporate VP Kevin Gallo explains the latest twists in Microsoft's long and winding Windows developer platform strategy.

For months, many pundits, partners and customers have wondered aloud whether Microsoft's Universal Windows Platform (UWP) has a future. Officially, the story is UWP is alive and well. But the Win32 platform lives on and seems to be back on Microsoft's radar screen. So what's the real story?

I had a chance this week in Seattle to ask Kevin Gallo, Corporate Vice President of the Windows Developer Platform, for his take on what's going on with the Windows developer platform.

When Microsoft launched UWP in 2015, officials promised that the platform would provide apps with better performance and security because they'd be distributable and updatable from the Microsoft Store. Developers would be able to use a common set of programming interfaces across Windows 10, Windows Phone, HoloLens and more, officials said, when selling the UWP vision. The downside: UWP apps would work on Windows 10-based devices only. Developers would have to do work to get their apps to be UWP/Store-ready. And Win32 apps wouldn't get UWP features like touch and inking.

Arguably, Gallo told me, "we shouldn't have gone that way," meaning creating this schism. But Microsoft execs -- including Gallo -- continue to maintain that UWP is not dead.

Over the past year or so, Microsoft has been trying to undo some of the effects of what Gallo called the "massive divide" between Win32 and UWP by adding "modern desktop" elements to Win32 apps.

"By the time we are done, everything will just be called 'Windows apps,'" Gallo told me. "We're not quite there yet." But the ultimate idea is to make "every platform feature available to every developer."
Click to expand...

Read more:

Microsoft wants to close the UWP, Win32 divide with 'Windows Apps' | ZDNet

Microsoft Confirms UWP is Not the Future of Windows Apps - Thurrott.com

Windows 10: Improved Windows Security? Microsoft launches Win32 app isolation

Improved Windows Security? Microsoft launches Win32 app isolation

Improved Windows Security? Microsoft launches Win32 app isolation

Improved Windows Security? Microsoft launches Win32 app isolation

Improved Windows Security? Microsoft launches Win32 app isolation - Similar Threads - Improved Security Microsoft

Microsoft is phasing out VBScript in Windows to improve security

Core Isolation is off in Microsoft Security

Microsoft improves App Management in the Windows 11 Settings app

Can win32 app be published in Microsoft store?

Alien Isolation Game not launching

Win32 apps in the Microsoft Store?

Windows Defender or Security denying launch of app?

Google Chrome Improving Site Isolation for Stronger Browser Security

Windows 10 19H1 to come with Windows Security app improvements