Windows 11 Will Sandbox Your Desktop Apps for More Security

Written by

Windows 11 logo

Windows doesn’t have the same restricted security model as iPhones or Android devices, allowing most software to access any files, modify system settings, or use connected hardware. That might finally be changing.

Microsoft just announced many features and changes coming to Windows 11, including a Windows Copilot AI built on the same technology as Bing Chat and ChatGPT. The company also revealed a new security feature that will isolate Windows applications in a sandbox environment, preventing them from accessing data and settings that aren’t necessary.

Microsoft said in a blog post, “In public preview tomorrow, we are launching the ability to isolate Win32 applications for both consumer and commercial audiences. Developers can significantly reduce the risk of security breaches by using new isolation technologies. Running Win32 apps in isolation helps prevent apps from having unexpected/unauthorized access to critical internal Windows subsystems, thereby minimizing the damage if an app is compromised.”

Running applications in a sandboxed environment where each permission must be granted is now common in web apps, iPhone and Android applications, and macOS (to an extent). Microsoft’s initial solution to this problem was the Universal Windows Platform, or UWP, a new application format designed for Windows 8 and Windows Phone (later Windows Mobile) with more robust permissions. That was a massive disaster for many reasons, and Microsoft later merged UWP features and APIs into the regular Windows APIs (Win32) with Project Reunion. Windows software can still run relatively unrestricted on PCs, though, unlike original UWP apps.

We don’t know yet if the sandbox feature will be something the user can control, or if it will be an opt-in feature for applications. For example, the ability to run any application in a sandbox would be great — I can think of a few apps on my PC that shouldn’t need access to my entire file system.

Even if the sandbox feature is restricted to software built for it, the feature could still be a much-needed improvement for Windows. Web browsers could use it for stronger sandboxing, as a safeguard against future zero-day vulnerabilities. Some PC games use anti-cheat that runs at the kernel level in Windows, which is a significant security risk, and perhaps the built-in Windows feature could be a viable alternative.

We’ll have to wait to find out how sandboxing works, but any movement is great to see.

Source: Windows Blog

Article Categories:

Leave a Reply

Your email address will not be published. Required fields are marked *