Google Chrome for Windows switched to using the AppContainer sandbox
The latest version of Google Chrome supports using the AppContainer sandbox for its tabs on Windows 8+. A similar method of isolating browser tab processes, so that exploits and malware running in them cannot perform destructive actions, is also used in MS Internet Explorer 11 (EPM) and in MS Edge on Windows 10 (by default). Previously, Chrome implemented its sandbox with a low Integrity Level (Low IL), deny-only groups in the access token, and a special restricted job object. Low IL has now been replaced by AppContainer.
It can be argued that this time Google Chrome has overtaken MS IE11, one of its main competitors, in security capabilities. Unlike Chrome, IE11 uses 64-bit tab processes and the AppContainer sandbox only if special security mechanisms are enabled in the settings (they are disabled by default), as we have written many times on this blog. Chrome, like the new MS Edge, uses these features by default.
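One way to check on a given machine whether Chrome's processes actually run with an AppContainer token, and at which integrity level, is to query each process token. This is an added example, not code from the original post or from Chrome; the helper name `Get-TokenSandboxInfo` is hypothetical, the process type is read from Chrome's `--type=` command-line switch, and processes whose token cannot be opened are listed with empty fields.

```powershell
Add-Type -Namespace Win32 -Name Tok -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError=true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
[DllImport("advapi32.dll", SetLastError=true)]
public static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
[DllImport("advapi32.dll", SetLastError=true)]
public static extern bool GetTokenInformation(IntPtr token, int cls, IntPtr buf, int len, out int ret);
[DllImport("kernel32.dll")]
public static extern bool CloseHandle(IntPtr h);
'@
function Get-TokenSandboxInfo {   # hypothetical helper name (added example)
    param([int]$ProcessId)
    $m = [Runtime.InteropServices.Marshal]
    $info = [ordered]@{ IsAppContainer = $null; IntegritySid = $null }
    # 0x1000 = PROCESS_QUERY_LIMITED_INFORMATION, 0x8 = TOKEN_QUERY
    $hProc = [Win32.Tok]::OpenProcess(0x1000, $false, $ProcessId)
    if ($hProc -eq [IntPtr]::Zero) { return $info }
    $hTok = [IntPtr]::Zero
    $buf = $m::AllocHGlobal(256)
    $len = 0
    try {
        if (-not [Win32.Tok]::OpenProcessToken($hProc, 0x8, [ref]$hTok)) { return $info }
        # TokenIsAppContainer (class 29) returns a DWORD, non-zero for an AppContainer token.
        if ([Win32.Tok]::GetTokenInformation($hTok, 29, $buf, 4, [ref]$len)) {
            $info.IsAppContainer = ($m::ReadInt32($buf) -ne 0)
        }
        # TokenIntegrityLevel (class 25) returns TOKEN_MANDATORY_LABEL; its first field points to the label SID.
        if ([Win32.Tok]::GetTokenInformation($hTok, 25, $buf, 256, [ref]$len)) {
            $sid = New-Object Security.Principal.SecurityIdentifier($m::ReadIntPtr($buf))
            $info.IntegritySid = $sid.Value   # e.g. S-1-16-4096 is Low, S-1-16-8192 is Medium
        }
        return $info
    } finally {
        $m::FreeHGlobal($buf)
        if ($hTok -ne [IntPtr]::Zero) { [void][Win32.Tok]::CloseHandle($hTok) }
        [void][Win32.Tok]::CloseHandle($hProc)
    }
}
# List every chrome.exe process with its type, AppContainer flag and integrity label.
Get-CimInstance Win32_Process -Filter "Name='chrome.exe'" | ForEach-Object {
    $t = Get-TokenSandboxInfo -ProcessId $_.ProcessId
    [pscustomobject]@{
        PID            = $_.ProcessId
        Type           = if ($_.CommandLine -match '--type=([\w-]+)') { $Matches[1] } else { 'browser' }
        IsAppContainer = $t.IsAppContainer
        IntegritySid   = $t.IntegritySid
    }
} | Format-Table -AutoSize
```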
Below is the arsenal of security / anti-exploit features for Google Chrome, which are active by default.