Advice Request UWP browsers

[notabot]

I was wondering what extra isolation do UWP browsers on the windows store have to offer from a security perspective.

Does it eg make sense to do generic browsing ( which is the most likely means to get hit by exploits or malware ) with an UWP browser and use a non UWP browser exclusively for webmail, financials, online shopping.

 

[509322]

I was wondering what extra isolation do UWP browsers on the windows store have to offer from a security perspective.

Does it eg make sense to do generic browsing ( which is the most likely means to get hit by exploits or malware ) with an UWP browser and use a non UWP browser exclusively for webmail, financials, online shopping.

AppContainer in Edge and sandboxes in other browsers are essentially equivalent. It doesn't make any sense to separate web activities according to the browser being used.

 

[notabot]

AppContainer in Edge and sandboxes in other browsers are essentially equivalent. It doesn't make any sense to separate web activities according to the browser being used.

I could be wrong but my understanding is that what you say is slightly less safe due to leaving out the possibility of process injections ( after ie the browser has been compromised by an exploit during “generic” browsing )

UWP status should prevent it from editing registry keys and prevent it seeing the process table ( blocking process injections to other apps ) add to this a potential folder access restriction policy and it’s effectively a sandbox.

My understanding is that even UWP apps can see that there are processes that started from the same UWP binary - so injection can happen but only between processes from the same app. By segregating generic browsing and online shopping/finance activities between separate browsers, even process injections shouldn’t happen due to exploits during “generic” browsing.

On the other hand wouldn’t using eg edge for everything still allow process injections to the shopping tab process ?

 

[Local Host]

UWP APPs are overall more secure to your System, but most Browsers nowadays run in a Sandbox anyway.

 

[509322]

I could be wrong but my understanding is that what you say is slightly less safe due to leaving out the possibility of process injections ( after ie the browser has been compromised by an exploit during “generic” browsing )

UWP status should prevent it from editing registry keys and prevent it seeing the process table ( blocking process injections to other apps ) add to this a potential folder access restriction policy and it’s effectively a sandbox.

My understanding is that even UWP apps can see that there are processes that started from the same UWP binary - so injection can happen but only between processes from the same app. By segregating generic browsing and online shopping/finance activities between separate browsers, even process injections shouldn’t happen due to exploits during “generic” browsing.

On the other hand wouldn’t using eg edge for everything still allow process injections to the shopping tab process ?

There have been documented cases where the exploit has broken out of the AppContainer.

Like I said, both types of browsers are essentially equivalent in terms of security.

UWP does not provide greater security than other browsers.

Actually, Chrome has a whole lot fewer CVEs than Edge. The ratio is probably on the order of 1:10. Check for yourself.

 

[notabot]

There have been documented cases where the exploit has broken out of the AppContainer.

Like I said, both types of browsers are essentially equivalent in terms of security.

UWP does not provide greater security than other browsers.

Actually, Chrome has a whole lot fewer CVEs than Edge. The ratio is probably on the order of 1:10. Check for yourself.

AppContainer may indeed be broken like any other process segregation technique.

Excluding this event though from the threat vector (as it’s a rare one), I’d expect using an UWP browser for generic browsing to be safer as it prevents one type of attack (injection to the other browser)

Chrome can be used for ie online shopping/financials and the UWP browser for general surfing , with UWP preventing injections to Chrome - while I guess chrome processes see the existence of other chrome processes ( else eg addons wouldn’t work ) and could thus use injection

 

[509322]

AppContainer may indeed be broken like any other process segregation technique.

Excluding this event though from the threat vector (as it’s a rare one), I’d expect using an UWP browser for generic browsing to be safer as it prevents one type of attack (injection to the other browser)

Chrome can be used for ie online shopping/financials and the UWP browser for general surfing , with UWP preventing injections to Chrome - while I guess chrome processes see the existence of other chrome processes ( else eg addons wouldn’t work ) and could thus use injection

If you wish, you can enable Chrome AppContainer. There is a flag for it.

 

[notabot]

If you wish, you can enable Chrome AppContainer. There is a flag for it.

Thanks for this but won’t chrome processes still see other Chrome processes ( but not non-Chrome processes) with AppContainer flag set to true?

 

[509322]

Thanks for this but won’t chrome processes still see other Chrome processes ( but not non-Chrome processes) with AppContainer flag set to true?

If I recall correctly Google states each tab runs isolated.

 

[Deleted member 178]

I use only one browser, the safest one, for everything, which is Chrome at the moment. (note that I run it in a 3rd party sandbox software, which is ReHips or Sandboxie)

The few times I used Edge is when my tweaked Chrome prevented a site to be displayed properly.

 

[notabot]

It’s separate processes- I think they see each other though in the process table

If I recall correctly Google states each tab runs isolated.

Each tab is a separate process but I think each chrome process does see the full process table