Slashdot Mirror


Windows 10 Will Soon Run Edge In a Virtual Machine To Keep You Safe (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Microsoft has announced that the next major update to Windows 10 will run its Edge browser in a lightweight virtual machine. Running the update in a virtual machine will make exploiting the browser and attacking the operating system or compromising user data more challenging. Called Windows Defender Application Guard for Microsoft Edge, the new capability builds on the virtual machine-based security that was first introduced last summer in Windows 10. Windows 10's Virtualization Based Security (VBS) uses small virtual machines and the Hyper-V hypervisor to isolate certain critical data and processes from the rest of the system. The most important of these is Credential Guard, which stores network credentials and password hashes in an isolated virtual machine. This isolation prevents the popular MimiKatz tool from harvesting those password hashes. In turn, it also prevents a hacker from breaking into one machine and then using stolen credentials to spread to other machines on the same network. Credential Guard's virtual machine is very small and lightweight, running only a relatively simple process to manage credentials. Application Guard will go much further by running large parts of the Edge browser within a virtual machine. This virtual machine won't, however, need a full operating system running inside it -- just a minimal set of Windows features required to run the browser. Because Application Guard is running in a virtual machine it will have a much higher barrier between it and the host platform. It can't see other processes, it can't access local storage, it can't access any other installed applications, and, critically, it can't attack the kernel of the host system. In its first iteration, Application Guard will only be available for Edge. Microsoft won't provide an API or let other applications use it. 
As with other VBS features, Application Guard will also only be available to users of Windows 10 Enterprise, with administrative control through group policies. Administrators will be able to mark some sites as trusted, and those sites won't use the virtual machine. Admins will also be able to control whether untrusted sites can use the clipboard or print.

5 of 172 comments

  1. Micro$slop requires virtualization? Really? by Anonymous Coward · · Score: 0, Insightful

    Sigh. The browser is so bad that it requires sandboxing/virtualization? I'm "impressed"

  2. Re:Micro$slop requires virtualization? Really? by fustakrakich · · Score: 5, Insightful

    All applications should be sandboxed. The kernel should be sandboxed.

    --
    “He’s not deformed, he’s just drunk!”
  3. Re:Micro$slop requires virtualization? Really? by Anonymous Coward · · Score: 1, Insightful

    And if they can't program the app properly, what makes anyone think their hypervisor is going to be any better?

  4. OS / Browser by hunter44102 · · Score: 3, Insightful

    Remember the days Microsoft said they cannot separate the browser. Now they are forced to from a security standpoint.

  5. Re:A dictionary is not just for attacks by Anonymous Coward · · Score: 2, Insightful

    Solving with brute force IS a way to decrypt.

    Except that in this case, it's not.

    Due to hash collisions, you do not know if the brute force solution is the original password.

    It's the pigeonhole principle.