Windows 10 Will Soon Run Edge In a Virtual Machine To Keep You Safe

An anonymous reader quotes a report from Ars Technica: Microsoft has announced that the next major update to Windows 10 will run its Edge browser in a lightweight virtual machine. Running the update in a virtual machine will make exploiting the browser and attacking the operating system or compromising user data more challenging. Called Windows Defender Application Guard for Microsoft Edge, the new capability builds on the virtual machine-based security that was first introduced last summer in Windows 10. Windows 10's Virtualization Based Security (VBS) uses small virtual machines and the Hyper-V hypervisor to isolate certain critical data and processes from the rest of the system. The most important of these is Credential Guard, which stores network credentials and password hashes in an isolated virtual machine. This isolation prevents the popular MimiKatz tool from harvesting those password hashes. In turn, it also prevents a hacker from breaking into one machine and then using stolen credentials to spread to other machines on the same network. Credential Guard's virtual machine is very small and lightweight, running only a relatively simple process to manage credentials. Application Guard will go much further by running large parts of the Edge browser within a virtual machine. This virtual machine won't, however, need a full operating system running inside it -- just a minimal set of Windows features required to run the browser. Because Application Guard is running in a virtual machine it will have a much higher barrier between it and the host platform. It can't see other processes, it can't access local storage, it can't access any other installed applications, and, critically, it can't attack the kernel of the host system. In its first iteration, Application Guard will only be available for Edge. Microsoft won't provide an API or let other applications use it. As with other VBS features, Application Guard will also only be available to users of Windows 10 Enterprise, with administrative control through group policies. Administrators will be able to mark some sites as trusted, and those sites won't use the virtual machine. Admins also be able to control whether untrusted sites can use the clipboard or print.

Re:Can we use a VM for all programs?

[somenickname]

You could do this on linux if you wanted. Using a tool like firejail, you can run all your software in lightweight sandboxes (linux namespaces). It comes with custom profiles for 100+ desktop/server applications and it's easy to write more. I wouldn't recommend converting all of /usr/bin to run under firejail as this would certainly cause issues but, I run all my desktop applications with it and it's worked well.

This is a good thing

[Gumbercules!!]

I know this is Slashdot and it's essentially illegal to say "good" and "Microsoft" in the same sentence but, "good". I don't plan on using Edge any time soon but I still applaud any security based efforts made by mainstream OS vendors, that can help improve things. I know this won't stop idiots downloading "movie.torrent.exe" and running it but at least it will significantly cut down on drive by downloads of malware through hacked ad servers and out of date Flash. That's got to be a good thing.