Windows 7 “XP Mode” – built-in, virtualized sandbox?

One of the new features that will be introduced in certain SKUs of Windows 7 is an application known as XP Mode, a virtualized install of (generally) Windows XP that allows users to run Windows XP apps side by side with programs running on Windows 7. This seemingly opens up a whole new world of potential when it comes to using virtualization as security. Having a program run seamlessly alongside your main operating system while being completely isolated from the system itself would be quite a boon. Unfortunately, however, Microsoft may choose convenience over security and leave a few holes open.
Essentially, XP Mode runs an on-demand virtualization of a Windows XP install using Microsoft’s Virtual PC, allowing programs that would normally require Windows XP to run on a Windows 7 machine. The name, however, is deceiving, as XP Mode will let you run any version of Windows, including Vista and 7. Compared to a normal virtualization, XP Mode is different in that the VM runs quietly in the background and the virtualized programs can interact seamlessly with those running on the native operating system.
Microsoft’s goal with XP Mode is to reduce bulk in Windows 7 by removing legacy code required for old programs to run.
For the full rundown on XP Mode, check out the following link: http://community.winsupersite.com/blogs/paul/archive/2009/04/24/secret-no-more-revealing-virtual-windows-xp-for-windows-7.aspx
Recently, on an episode of Windows Weekly, Leo asked, “Why would someone want to run a version of Windows besides XP in XP Mode?” and I feel that “Security” would be a reasonable response.
There are currently products on the market that provide similar, in-line virtualization but with a security orientation. One common example is SandboxIE, an application initially designed to isolate your web browser from the rest of your system that has been now expanded to be able to sandbox any program you would run.
It is effectively able to sandbox any program by creating copies of files that the program attempts to modify and giving the user the ability to scrap virtualizations once things seem to be going wrong. It is a very effective tool when used in conjunction with web browsers and e-mail clients.
One thing that SandboxIE does NOT do, however, is protect information on your system from a privacy perspective. It allows any application running within its sandbox full read access as it would normally have; the only restriction is when applications attempt to write data.
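
The write-redirection behaviour described above, as an added Python example that is not SandboxIE's own code. It is a simplified model in which the class name, paths and file contents are all constructed for illustration: writes land in a private copy, reads fall through to the real file.

```python
import os
import shutil
import tempfile


class CopyOnWriteSandbox:
    """Toy model: writes are redirected to a private copy, reads fall through."""

    def __init__(self, host_root):
        self.host_root = os.path.abspath(host_root)
        self.box_root = tempfile.mkdtemp(prefix="sandbox_")

    def _box_path(self, path):
        rel = os.path.relpath(os.path.abspath(path), self.host_root)
        return os.path.join(self.box_root, rel)

    def read(self, path):
        # Prefer the sandboxed copy; otherwise read the real host file.
        boxed = self._box_path(path)
        with open(boxed if os.path.exists(boxed) else path, "rb") as f:
            return f.read()

    def write(self, path, data):
        # Never touch the host file: the write goes to the private copy.
        boxed = self._box_path(path)
        os.makedirs(os.path.dirname(boxed), exist_ok=True)
        with open(boxed, "wb") as f:
            f.write(data)

    def discard(self):
        # "Scrap" the sandbox: every redirected write disappears.
        shutil.rmtree(self.box_root, ignore_errors=True)


def demo():
    host = tempfile.mkdtemp(prefix="host_")
    doc = os.path.join(host, "private.txt")
    with open(doc, "wb") as f:
        f.write(b"constructed sample: account notes")
    box = CopyOnWriteSandbox(host)
    leaked = box.read(doc)             # read access is unrestricted
    box.write(doc, b"overwritten by sandboxed program")
    inside = box.read(doc)             # sandboxed view sees the change
    with open(doc, "rb") as f:
        on_host = f.read()             # host file is untouched
    box.discard()
    after_discard = box.read(doc)      # back to the host's contents
    shutil.rmtree(host)
    return leaked, inside, on_host, after_discard
```

The first value `demo()` returns is the point of the paragraph above: integrity of the host file is preserved, but its contents were still readable from inside the sandbox.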

For more information on SandboxIE, visit the creator’s site: http://www.sandboxie.com
Now, with this framework laid before us, there aren’t many lines to draw for the bigger picture to come together. Having a version of Windows 7 installed via XP Mode on your main install of Windows 7 would allow you to run your web browser, mail application or any other program in a virtualized environment, cutting them off from the rest of your system.
The security provided from running an application in a fully virtualized environment as opposed to SandboxIE’s methods is somewhat superior as (like we mentioned before) the programs running in the virtualization have no access whatsoever to your primary install. And now, since these virtualized apps are appearing right in the main install of 7’s start menu, the inconvenience stigma that was always attached to virtualization in the past is moot.
Hopefully, as long as Microsoft delivers as promised, anyone who will be able to install XP Mode will also have a nice built-in security feature that they may not recognize right off the bat. It would be great if Microsoft would recognize this as well and rename XP Mode to something that more accurately represents the capabilities of the feature.
The potential downside to this whole thought is that Microsoft may (as they have in the past) sacrifice security for ease of use. From the perspective of a user trying to run legacy XP code on a Windows 7 machine, the ability of applications running within the VM to read the native hard drive would be more convenient, but would basically negate any security bonus.
