SoylentNews is people

posted by janrinok on Tuesday September 27 2016, @12:33PM
from the harder,-stronger,-slower dept.

I just saw this story at Ars Technica where Microsoft has announced that Windows 10 will run its Edge browser in a virtual machine:

ATLANTA—Microsoft has announced that the next major update to Windows 10 will run its Edge browser in a lightweight virtual machine. Running the update in a virtual machine will make exploiting the browser and attacking the operating system or compromising user data more challenging.

Called Windows Defender Application Guard for Microsoft Edge, the new capability builds on the virtual machine-based security that was first introduced last summer in Windows 10. Windows 10's Virtualization Based Security (VBS) uses small virtual machines and the Hyper-V hypervisor to isolate certain critical data and processes from the rest of the system. The most important of these is Credential Guard, which stores network credentials and password hashes in an isolated virtual machine. This isolation prevents the popular MimiKatz tool from harvesting those password hashes. In turn, it also prevents a hacker from breaking into one machine and then using stolen credentials to spread to other machines on the same network.

The Edge browser already creates a secure sandbox for its processes, a technique that tries to limit the damage that can be done when malicious code runs within the browser. The sandbox has limited access to the rest of the system and its data, so successful exploits need to break free from the sandbox's constraints. Often they do this by attacking the operating system itself, using operating system flaws to elevate their privileges.

Credential Guard's virtual machine is very small and lightweight, running only a relatively simple process to manage credentials. Application Guard will go much further by running large parts of the Edge browser within a virtual machine. This virtual machine won't, however, need a full operating system running inside it—just a minimal set of Windows features required to run the browser. Because Application Guard is running in a virtual machine it will have a much higher barrier between it and the host platform. It can't see other processes, it can't access local storage, it can't access any other installed applications, and, critically, it can't attack the kernel of the host system.

[...] This virtualization also likely comes at some performance cost, although Microsoft is not saying just what that performance cost is right now.

[...] Application Guard will become available later this year in Insider builds of Windows, hitting a stable version some time in 2017.


  • (Score: 3, Interesting) by janrinok on Tuesday September 27 2016, @04:34PM

    by janrinok (52) on Tuesday September 27 2016, @04:34PM (#407004)

    Microsoft Windows... is starting to suck

    FTFY. Although saying that Windows is starting to suck is not very accurate, perhaps it should be 'suck more'.

  • (Score: 4, Interesting) by Hyperturtle on Tuesday September 27 2016, @05:55PM

    by Hyperturtle (2824) on Tuesday September 27 2016, @05:55PM (#407048)

    Yes! Just when you thought MS couldn't make Windows any worse, for your security you have to store your downloads on their cataloged system. You might be interested in a visit from law enforcement after that accidental CRC collision is matched in their database for discontented citizen related materials, when really it was a photo of puppies, but their replication methods overwrote your download with the official (dis)approved file matching the same hash.

    I mean it's not like it hasn't happened before. http://www.extremetech.com/computing/179495-how-dropbox-knows-youre-a-dirty-pirate-and-why-you-shouldnt-use-cloud-storage-to-share-copyrighted-files [extremetech.com]

    You need not even store your archival backups there (or whatever), because you can be just as accused if you have the wrong dirty pictures show up as the result of a CRC hash. Or your files can get overwritten by someone else's innocent stuff.

    It's not going to happen often, but if hundreds of millions of Windows 10 PCs start doing this for even temporary files downloaded and "discarded" soon afterwards, it is bound to happen with a much greater regularity than predicted via natural occurrence.

    http://preshing.com/20110504/hash-collision-probabilities/ [preshing.com]

  • (Score: 2) by edIII on Tuesday September 27 2016, @10:56PM

    by edIII (791) on Tuesday September 27 2016, @10:56PM (#407119)

    perhaps it should be 'suck more'.

    I believe that Microsoft has finally metamorphosed into Mega Maid [youtu.be].

    --
    Technically, lunchtime is at any moment. It's just a wave function.