posted by janrinok on Tuesday September 27 2016, @12:33PM
from the harder,-stronger,-slower dept.

I just saw this story at Ars Technica where Microsoft has announced that Windows 10 will run its Edge browser in a virtual machine:

ATLANTA—Microsoft has announced that the next major update to Windows 10 will run its Edge browser in a lightweight virtual machine. Running the update in a virtual machine will make exploiting the browser and attacking the operating system or compromising user data more challenging.

Called Windows Defender Application Guard for Microsoft Edge, the new capability builds on the virtual machine-based security that was first introduced last summer in Windows 10. Windows 10's Virtualization Based Security (VBS) uses small virtual machines and the Hyper-V hypervisor to isolate certain critical data and processes from the rest of the system. The most important of these is Credential Guard, which stores network credentials and password hashes in an isolated virtual machine. This isolation prevents the popular Mimikatz tool from harvesting those password hashes. In turn, it also prevents a hacker from breaking into one machine and then using stolen credentials to spread to other machines on the same network.

The Edge browser already creates a secure sandbox for its processes, a technique that tries to limit the damage that can be done when malicious code runs within the browser. The sandbox has limited access to the rest of the system and its data, so successful exploits need to break free from the sandbox's constraints. Often they do this by attacking the operating system itself, using operating system flaws to elevate their privileges.

Credential Guard's virtual machine is very small and lightweight, running only a relatively simple process to manage credentials. Application Guard will go much further by running large parts of the Edge browser within a virtual machine. This virtual machine won't, however, need a full operating system running inside it—just a minimal set of Windows features required to run the browser. Because Application Guard is running in a virtual machine it will have a much higher barrier between it and the host platform. It can't see other processes, it can't access local storage, it can't access any other installed applications, and, critically, it can't attack the kernel of the host system.

[...] This virtualization also likely comes at some performance cost, although Microsoft is not saying just what that performance cost is right now.

[...] Application Guard will become available later this year in Insider builds of Windows, hitting a stable version some time in 2017.
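The Credential Guard isolation described above only protects hashes on hosts where VBS is actually running. The following check is an added example, not code from the Ars article or from Microsoft; it queries the Win32_DeviceGuard CIM class that Windows 10 exposes and reports whether VBS, Credential Guard and HVCI are running, so an administrator can find hosts that still keep secrets in the ordinary LSASS address space.

```powershell
# Added example: report VBS / Credential Guard state on the local host.
# Reads the Win32_DeviceGuard class in root\Microsoft\Windows\DeviceGuard.
# Run from an elevated PowerShell prompt on Windows 10.

function Get-VbsStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard'

    # VirtualizationBasedSecurityStatus: 0 = disabled,
    # 1 = enabled but not running, 2 = running
    $vbsState = switch ($dg.VirtualizationBasedSecurityStatus) {
        0       { 'disabled' }
        1       { 'enabled, not running' }
        2       { 'running' }
        default { "unknown ($($dg.VirtualizationBasedSecurityStatus))" }
    }

    # SecurityServicesRunning lists service ids: 1 = Credential Guard, 2 = HVCI
    $running = @($dg.SecurityServicesRunning)

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        VbsStatus              = $vbsState
        CredentialGuardRunning = ($running -contains 1)
        HvciRunning            = ($running -contains 2)
        ConfiguredServices     = (@($dg.SecurityServicesConfigured) -join ',')
    }
}

$status = Get-VbsStatus
$status | Format-List

# Without Credential Guard the hashes stay reachable from the host kernel and
# LSASS, which is exactly what the isolated VM is meant to prevent. Flag the
# host for remediation rather than relying on the browser VM alone.
if (-not $status.CredentialGuardRunning) {
    Write-Warning "Credential Guard is not running on $($status.ComputerName)"
}
```

Run it across a fleet with Invoke-Command to collect one object per host; a VbsStatus other than 'running' usually means the Hyper-V and virtualization-extension prerequisites are not enabled in firmware or Windows features.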

  • (Score: 2) by schad (2398) on Tuesday September 27 2016, @04:32PM (#407003)

    This is the way a lot of people think, though, and unfortunately it's not just Microsoft. How do you copy a file from your laptop to your desktop? Copy it to Dropbox on your laptop, and then from Dropbox to your desktop. Even if you're running an OS and/or environment that would make a direct copy easy, most people don't know how to do it and don't care to learn. The Dropbox Method works fine for them. It has the added advantage of working exactly the same no matter what devices you're using.

    Seriously, though, while the implementation would be really dumb, the idea is not a bad one. You don't want to allow direct filesystem access because filesystems are complex and therefore hard to secure. Network filesystems like CIFS and NFS are even worse. Simpler is better, and most of the Dropbox-alikes either use WebDAV or something very similar. Personally, I think a very simple HTTP PUT-only server would be even better: don't include features that your specific use case doesn't need. But the general idea is sound.

  • (Score: 2) by janrinok (52) on Tuesday September 27 2016, @04:38PM (#407008)

    How do you copy a file from your laptop to your desktop?

    Er, ssh, rsync, and a multitude of other options. Both computers are on networks (they are both accessing the Internet) - why go through Dropbox?

    • (Score: 2, Disagree) by janrinok (52) on Tuesday September 27 2016, @04:40PM (#407010)

      OK, after re-reading I can see what you are saying, but if people can't be bothered to learn how to use their computer then they probably aren't concerned about giving all their data to Microsoft.

      • (Score: 2) by Hyperturtle (2824) on Tuesday September 27 2016, @05:48PM (#407042)

        I agree with you 100%, at least I did, until I tried to force various non-PC products to sync with my own server(s). This is not an easy task in many cases, and the means to do so and effort required is not the same across the gamut of consumer options.

        It appears that the industry has designed most consumer devices to not allow for that. If you have to demand a consumer to root their device, it likely is not going to work.

        Filesharing locally used to be drag-and-drop (or mounting a volume, but thems hackerspeak) but it can be very difficult to get a number of non-PC devices to even recognize there is a local network to do something with, let alone find a file share to drag-and-drop from.

        • (Score: 2) by janrinok (52) on Tuesday September 27 2016, @06:05PM (#407051)

          Fair enough, my bad, I assumed that you were only concerned with lappies and PCs. Not owning any other mobile devices, I don't have a problem with transferring data to and from them. No smart phone or whatever else is the latest 'must-have' device. And why don't I own one? Because they don't let me do what I want to do with my device.

          I love it when local companies want my mobile/cell number, and some websites won't let me join without telling them what my phone number, Facebook, Twitter, or some other ID is. I'm definitely getting old .....

          • (Score: 3, Insightful) by Hyperturtle (2824) on Tuesday September 27 2016, @09:22PM (#407105)

            You should pick up a $30 tablet, so that you can see what happens on them (and what you are missing from a technical perspective).

            I believe Sun Tzu had written that one has to know one's enemy in order to best defeat them, or at least be aware of the dangers they present even if your only plan is to hightail it and avoid them at all costs.

            • (Score: 2) by janrinok (52) on Wednesday September 28 2016, @06:33AM (#407239)

              if your only plan is to hightail it and avoid them at all costs.

              It was, and I have.