Windows 10 will soon run Edge in a virtual machine to keep you safe

Jack

Microsoft has announced that the next major update to Windows 10 will run its Edge browser in a lightweight virtual machine. Running the update in a virtual machine will make exploiting the browser and attacking the operating system or compromising user data more challenging.

Called Windows Defender Application Guard for Microsoft Edge, the new capability builds on the virtual machine-based security that was first introduced last summer in Windows 10. Windows 10's Virtualization Based Security (VBS) uses small virtual machines and the Hyper-V hypervisor to isolate certain critical data and processes from the rest of the system. The most important of these is Credential Guard, which stores network credentials and password hashes in an isolated virtual machine. This isolation prevents the popular MimiKatz tool from harvesting those password hashes. In turn, it also prevents a hacker from breaking into one machine and then using stolen credentials to spread to other machines on the same network.

The Edge browser already creates a secure sandbox for its processes, a technique that tries to limit the damage that can be done when malicious code runs within the browser. The sandbox has limited access to the rest of the system and its data, so successful exploits need to break free from the sandbox's constraints. Often they do this by attacking the operating system itself, using operating system flaws to elevate their privileges.


Credential Guard's virtual machine is very small and lightweight, running only a relatively simple process to manage credentials. Application Guard will go much further by running large parts of the Edge browser within a virtual machine. This virtual machine won't, however, need a full operating system running inside it—just a minimal set of Windows features required to run the browser. Because Application Guard is running in a virtual machine it will have a much higher barrier between it and the host platform. It can't see other processes, it can't access local storage, it can't access any other installed applications, and, critically, it can't attack the kernel of the host system.

In its first iteration, Application Guard will only be available for Edge. Microsoft won't provide an API or let other applications use it. As with other VBS features, Application Guard will also only be available to users of Windows 10 Enterprise, with administrative control through group policies. Administrators will be able to mark some sites as trusted, and those sites won't use the virtual machine. Admins will also be able to control whether untrusted sites can use the clipboard or print.

Microsoft recognizes that this feature would be desirable on consumer machines, too, and not just for Edge. Other browsers such as Chrome would also benefit from this kind of protection. So too would Office's "Protected Mode" that's used for opening documents from untrusted sources.

However, doing this has certain complexities. Currently, virtualized sites can't store persistent cookies, for example, because virtual machines get destroyed when the browser is closed. This may be acceptable for a locked-down enterprise environment, but it isn't a good fit for consumers.

There are also compatibility constraints. VBS installs the Hyper-V hypervisor. This requires a processor with hardware virtualization support, and it also requires I/O virtualization (such as Intel's VT-d) to protect against certain known attacks. This means that some systems in the wild won't support it. There are also software concerns; only one hypervisor can be installed at a time, which means that a machine that's running Hyper-V cannot also run VMware Workstation or Virtual Box, say, or software that uses virtualization behind the scenes, such as the Bluestacks Android-on-Windows software.

Read more: http://arstechnica.com/information-...n-edge-in-a-virtual-machine-to-keep-you-safe/
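The article lists several prerequisites a machine must meet before this feature can matter at all: an Enterprise SKU, a CPU with hardware virtualization, I/O virtualization (VT-d/IOMMU DMA protection), Hyper-V installed, and VBS actually running. The script below is an added example, not from the article or this thread, that reports those items on the local machine; it assumes a Windows 10 build where the Application Guard optional feature exists (it had not shipped when the article was written) and an elevated PowerShell session.

```powershell
# Added example: report whether this machine meets the VBS / Application Guard
# prerequisites described in the article. Run from an elevated PowerShell session.

$os = Get-CimInstance -ClassName Win32_OperatingSystem
$ci = Get-ComputerInfo
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

# Integer codes documented for the Win32_DeviceGuard class
$vbsStatus = @{ 0 = 'not enabled'; 1 = 'enabled, not running'; 2 = 'enabled and running' }
$services  = @{ 1 = 'Credential Guard'; 2 = 'HVCI' }
$props     = @{ 1 = 'hypervisor support'; 2 = 'Secure Boot'
                3 = 'DMA protection (IOMMU/VT-d)'; 5 = 'NX' }

# Optional features; the Application Guard feature is absent on older builds and
# on SKUs that do not ship it, so tolerate a missing result.
$hv  = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -ErrorAction SilentlyContinue
$wdag = Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard -ErrorAction SilentlyContinue

$report = [ordered]@{
  'Edition'                    = $os.Caption
  'Enterprise/Education SKU'   = ($os.Caption -match 'Enterprise|Education')
  # Hypervisor already running (Hyper-V, or a competing one such as VMware/VirtualBox's).
  # The HyperVRequirement* values below are blank once a hypervisor is active.
  'Hypervisor present'         = $ci.HyperVisorPresent
  'VT enabled in firmware'     = $ci.HyperVRequirementVirtualizationFirmwareEnabled
  'SLAT'                       = $ci.HyperVRequirementSecondLevelAddressTranslation
  'Hyper-V feature state'      = $hv.State
  'Application Guard feature'  = $wdag.State
  'VBS status'                 = $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
  'VBS services running'       = (($dg.SecurityServicesRunning  | ForEach-Object { $services[[int]$_] }) -join ', ')
  'Platform security features' = (($dg.AvailableSecurityProperties | ForEach-Object { $props[[int]$_] }) -join ', ')
}
[pscustomobject]$report | Format-List
```

A missing "DMA protection" entry corresponds to the I/O virtualization requirement the article calls out; without it VBS can be enabled but the hypervisor is not protected from DMA-capable devices.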
 

hjlbx

"Application Guard will also only be available to users of Windows 10 Enterprise"

Typical M$... Enterprise clients get all the really valuable security and usability features and home users get forced updates and are guinea pigs...
 

XhenEd

This feature is irrelevant for most users as it's only for those with Windows 10 Enterprise version, in addition to the hardware requirements.

So for those excited, be sure you're running the Enterprise version before complaining about: what, when, where, and how.
 

hjlbx

"I'm puzzled about how this Edge in VM works compared with Edge in AppContainer. I mean, don't both work for similar purposes?"

AppContainer is not virtualization; VM is virtualization.

That is the difference...

To give you an example that is easy to understand, but not entirely accurate:

AppContainer is similar to running the browser in a ReHIPS isolated environment.

VM is similar to running the browser in Sandboxie or Shadow Defender.

Make sense?
 

hjlbx

"I am not positive, but I wouldn't doubt it in Windows 10 Education though. Education is basically Enterprise without Cortana."

No mention of Education version by Microsoft; only Enterprise is specified. However, it could just be an omission made by the Microsoft PR\marketing departments. Have to wait and see...

However, Windows Defender Application Control will not be pushed to W10 Home users. A chump move...
 

jamescv7

"Windows 10's Virtualization Based Security (VBS) uses small virtual machines and the Hyper-V hypervisor to isolate certain critical data and processes from the rest of the system. The most important of these is Credential Guard, which stores network credentials and password hashes in an isolated virtual machine. This isolation prevents the popular MimiKatz tool from harvesting those password hashes."

Clearly from that context, the feature may be available on Enterprise and related editions.

Hyper-V is applicable on Pro up to the other editions, where you can test programs in an isolated environment; no matter how technical the whitepaper is, it is similar to using a sandbox or the AppContainer protection made by some AVs for secure transactions.

Not a bad idea, but of course only a few organizations will benefit.
 