
SoylentNews is people

posted by janrinok on Tuesday September 27 2016, @12:33PM
from the harder,-stronger,-slower dept.

I just saw this story at Ars Technica where Microsoft has announced that Windows 10 will run its Edge browser in a virtual machine:

ATLANTA—Microsoft has announced that the next major update to Windows 10 will run its Edge browser in a lightweight virtual machine. Running the update in a virtual machine will make exploiting the browser and attacking the operating system or compromising user data more challenging.

Called Windows Defender Application Guard for Microsoft Edge, the new capability builds on the virtual machine-based security that was first introduced last summer in Windows 10. Windows 10's Virtualization Based Security (VBS) uses small virtual machines and the Hyper-V hypervisor to isolate certain critical data and processes from the rest of the system. The most important of these is Credential Guard, which stores network credentials and password hashes in an isolated virtual machine. This isolation prevents the popular MimiKatz tool from harvesting those password hashes. In turn, it also prevents a hacker from breaking into one machine and then using stolen credentials to spread to other machines on the same network.

The Edge browser already creates a secure sandbox for its processes, a technique that tries to limit the damage that can be done when malicious code runs within the browser. The sandbox has limited access to the rest of the system and its data, so successful exploits need to break free from the sandbox's constraints. Often they do this by attacking the operating system itself, using operating system flaws to elevate their privileges.

Credential Guard's virtual machine is very small and lightweight, running only a relatively simple process to manage credentials. Application Guard will go much further by running large parts of the Edge browser within a virtual machine. This virtual machine won't, however, need a full operating system running inside it—just a minimal set of Windows features required to run the browser. Because Application Guard is running in a virtual machine it will have a much higher barrier between it and the host platform. It can't see other processes, it can't access local storage, it can't access any other installed applications, and, critically, it can't attack the kernel of the host system.

[...] This virtualization also likely comes at some performance cost, although Microsoft is not saying just what that performance cost is right now.

[...] Application Guard will become available later this year in Insider builds of Windows, hitting a stable version some time in 2017.



  • (Score: 1, Insightful) by Anonymous Coward on Tuesday September 27 2016, @01:21PM

    by Anonymous Coward on Tuesday September 27 2016, @01:21PM (#406932)

    Is Microsoft admitting that Windows process isolation is crap? Couldn't you achieve a similar thing with running it with a very restricted account?

    I would have thought that for x86 the process isolation software and hardware (via CPU features) has had more testing than the isolation from VM features. The x86 world is still relatively new to virtualization: http://arstechnica.com/security/2015/05/extremely-serious-virtual-machine-bug-threatens-cloud-providers-everywhere/ [arstechnica.com]
    http://www.windowscentral.com/microsoft-details-workaround-virtual-machine-bug-windows-10-build-10049 [windowscentral.com]

    • (Score: 3, Interesting) by Capt. Obvious on Tuesday September 27 2016, @04:34PM

      by Capt. Obvious (6089) on Tuesday September 27 2016, @04:34PM (#407005)

      Couldn't you achieve a similar thing with running it with a very restricted account?

      Similar, yes. Identical, no. Since all that matters is the most exploitable piece of the chain, a huge development cost (and runtime cost) for a 1% increase in security makes sense. Additionally, patching real hardware is hard. Virtual hardware is much easier. For example, consider patching a VM to fix row hammering [wikipedia.org] vs. patching the applications running on top of it in a limited process.

      Lastly, wouldn't the VM itself be run using process isolation, thereby getting both sets of benefits?

      • (Score: 2) by frojack on Wednesday September 28 2016, @02:58AM

        by frojack (1554) on Wednesday September 28 2016, @02:58AM (#407165) Journal

        There is also the distinct possibility that their fancy named Virtualization Based Security (VBS) is nothing but a BSD blob.

        --
        No, you are mistaken. I've always had this sig.
  • (Score: 3, Touché) by fadrian on Tuesday September 27 2016, @01:29PM

    by fadrian (3194) on Tuesday September 27 2016, @01:29PM (#406934) Homepage

    It's still being run on a Windows OS in the VM isn't it?

    --
    That is all.
    • (Score: 2, Interesting) by Francis on Tuesday September 27 2016, @01:47PM

      by Francis (5544) on Tuesday September 27 2016, @01:47PM (#406940)

      Perhaps they could run Windows in a VM on some sort of secured machine?

      Or better yet, require that all commands be run through somebody who knows what the fuck they're doing. I've largely given up on Windows because there's a million bugs that they can't be bothered to fix and they expect to be paid even if the bugs do horrible, unspeakable things. Windows is the OS that H.P. Lovecraft would have designed.

    • (Score: 2) by Bot on Tuesday September 27 2016, @03:21PM

      by Bot (3902) on Tuesday September 27 2016, @03:21PM (#406978) Journal

      It is part of the strategy to run windows 11 under linux, a VM here, a shell there...

      --
      Account abandoned.
      • (Score: 5, Funny) by DannyB on Tuesday September 27 2016, @05:35PM

        by DannyB (5839) Subscriber Badge on Tuesday September 27 2016, @05:35PM (#407036) Journal
        Windows 11 under Linux? It would need a catchy name like

        Windows 11 Secure Ultra eXtreme

        Or simply Win 11 SUX for short.

        If Win 11 SUX were really a new Linux with a layer of Windows compatibility, then Microsoft could market it like this . . . .


        Don't use other inferior non-Microsoft versions of Linux. Use Win 11 SUX which is a Linux that has been Embraced by Microsoft. Extended with addictively sugar coated features that will Extinguish the competing Linux systems!

        Only Win 11 SUX can give you both Linux and Windows compatibility. No other Linux can do this -- even if it has systemd!

        Win 11 SUX is the best of both worlds. Compatibility with Linux and the security problems and blue screens of Windows -- in a single OS !

        So what are you waiting for? Try it today. Downloads are free*.


        * not free as in Freedom
        Not even free as in beer
        but free as in herpes.

        And soon to be compulsory!
        --
        The lower I set my standards the more accomplishments I have.
        • (Score: 1, Funny) by Anonymous Coward on Tuesday September 27 2016, @10:52PM

          by Anonymous Coward on Tuesday September 27 2016, @10:52PM (#407117)

          Windows X 11?

        • (Score: 0) by Anonymous Coward on Wednesday September 28 2016, @02:26AM

          by Anonymous Coward on Wednesday September 28 2016, @02:26AM (#407159)

          > Or simply Win 11 SUX for short.

          Is it big, go really fast, and get really shitty gas mileage?

  • (Score: 4, Insightful) by DBCubix on Tuesday September 27 2016, @01:43PM

    by DBCubix (553) Subscriber Badge on Tuesday September 27 2016, @01:43PM (#406939)

    So what does this mean for downloading and printing? If the browser is in a virtual machine it would either be purely isolated (e.g., your downloads disappear once the VM is terminated and printing would be disallowed) or semi-isolated with device access to the hdd and printing. For the latter, hooks would have to be made in the VM for printing and downloading which obviates the security mechanism. Plus those hooks are a potential new security vulnerability themselves.

    • (Score: 1) by Francis on Tuesday September 27 2016, @01:50PM

      by Francis (5544) on Tuesday September 27 2016, @01:50PM (#406941)

      That's not a particularly hard problem. The easiest thing to do with printing is to just throw up the UAC for confirmation and the downloads can still just go into the downloads folder, it's not the downloading that's the issue, it's the execution that's the issue and you shouldn't be running random binaries from the internet anyways.

      But, really, restricting downloads to the folder you select and not allowing them to be run without first completing the download would be a huge step in the right direction.

    • (Score: 2) by schad on Tuesday September 27 2016, @02:46PM

      by schad (2398) on Tuesday September 27 2016, @02:46PM (#406965)

      Downloads go into a special section of OneDrive (the Microsoft version of Dropbox), which is also accessible from the host machine. Printing is a special case of downloading where Edge formats the page as something like a PDF and saves it to OneDrive. Then either the user opens and prints the PDF manually, or the VM software is smart enough to understand that PDFs in a certain location ought to be printed.

      That's my guess, anyway. It's absurdly over-complicated, wasteful of bandwidth, and introduces a hard dependency on a Microsoft product, though, so it seems likely.

      • (Score: 5, Funny) by Anonymous Coward on Tuesday September 27 2016, @03:18PM

        by Anonymous Coward on Tuesday September 27 2016, @03:18PM (#406977)

        Downloads go into a special section of OneDrive ...

        translation: Hey! Let's download files to the cloud!

        I think someone's kind of fuzzy about what "download" means, and I'm not certain it's me.

        • (Score: 0) by Anonymous Coward on Tuesday September 27 2016, @03:34PM

          by Anonymous Coward on Tuesday September 27 2016, @03:34PM (#406980)

          yeah, it is not acceptable for something I download locally to end up in a Microsoft owned, operated, scanned and quarantined location.

          Computers... they are starting to suck

          • (Score: 3, Interesting) by janrinok on Tuesday September 27 2016, @04:34PM

            by janrinok (52) Subscriber Badge on Tuesday September 27 2016, @04:34PM (#407004) Journal

            Microsoft Windows... is starting to suck

            FTFY. Although saying that Windows is starting to suck is not very accurate, perhaps it should be 'suck more'.

            • (Score: 4, Interesting) by Hyperturtle on Tuesday September 27 2016, @05:55PM

              by Hyperturtle (2824) on Tuesday September 27 2016, @05:55PM (#407048)

              Yes! Just when you thought MS couldn't make Windows any worse, for your security you have to store your downloads on their cataloged system. You might be interested in a visit from law enforcement after that accidental CRC collision is matched in their database for discontented citizen related materials, when really it was a photo of puppies, but their replication methods overwrote your download with the official (dis)approved file matching the same hash.

              I mean it's not like it hasn't happened before. http://www.extremetech.com/computing/179495-how-dropbox-knows-youre-a-dirty-pirate-and-why-you-shouldnt-use-cloud-storage-to-share-copyrighted-files [extremetech.com]

              You need not even store your archival backups there (or whatever), because you can be just as accused if you have the wrong dirty pictures show up as the result of a CRC hash. Or your files can get overwritten by someone else's innocent stuff.

              It's not going to happen often, but if hundreds of millions of Windows 10 PCs start doing this for even temporary files downloaded and "discarded" soon afterwards, it is bound to happen with a much greater regularity than predicted via natural occurrence.

              http://preshing.com/20110504/hash-collision-probabilities/ [preshing.com]

            • (Score: 2) by edIII on Tuesday September 27 2016, @10:56PM

              by edIII (791) on Tuesday September 27 2016, @10:56PM (#407119)

              perhaps it should be 'suck more'.

              I believe that Microsoft has finally metamorphosed into Mega Maid [youtu.be].

              --
              Technically, lunchtime is at any moment. It's just a wave function.
        • (Score: 2) by schad on Tuesday September 27 2016, @04:32PM

          by schad (2398) on Tuesday September 27 2016, @04:32PM (#407003)

          This is the way a lot of people think, though, and unfortunately it's not just Microsoft. How do you copy a file from your laptop to your desktop? Copy it to Dropbox on your laptop, and then from Dropbox to your desktop. Even if you're running an OS and/or environment that would make a direct copy easy, most people don't know how to do it and don't care to learn. The Dropbox Method works fine for them. It has the added advantage of working exactly the same no matter what devices you're using.

          Seriously, though, while the implementation would be really dumb, the idea is not a bad one. You don't want to allow direct filesystem access because filesystems are complex and therefore hard to secure. Network filesystems like CIFS and NFS are even worse. Simpler is better, and most of the Dropbox-alikes either use WebDAV or something very similar. Personally, I think a very simple HTTP PUT-only server would be even better: don't include features that your specific use case doesn't need. But the general idea is sound.
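The "very simple HTTP PUT-only server" idea from the comment above, as an added example that is not part of the original thread and not a description of how Application Guard moves files. The names `safe_name`, `make_server`, `MAX_BYTES`, the `dropbox` directory and port 8080 are assumptions made for the sketch.

```python
import os
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

MAX_BYTES = 10 * 1024 * 1024  # assumed per-file size cap
# Flat names only: no "/", no "..", no leading dot, no query string.
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,99}")


def safe_name(url_path):
    """Return a flat file name for url_path, or None if it is rejected."""
    name = url_path.lstrip("/")
    return name if NAME_RE.fullmatch(name) else None


class PutOnlyHandler(BaseHTTPRequestHandler):
    """Implements do_PUT and nothing else, so the base class answers
    GET, POST, DELETE and every other method with 501."""

    drop_dir = "."  # overridden per server by make_server()

    def do_PUT(self):
        name = safe_name(self.path)
        if name is None:
            return self._reply(400)
        length = self.headers.get("Content-Length", "")
        if not (length.isascii() and length.isdigit()):
            return self._reply(411)  # a declared length is required
        if int(length) > MAX_BYTES:
            return self._reply(413)  # refuse before reading any body
        body = self.rfile.read(int(length))
        try:
            # O_EXCL: an upload can never overwrite an existing file.
            # 0o600: only the receiving account can read the result.
            fd = os.open(os.path.join(self.drop_dir, name),
                         os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        except FileExistsError:
            return self._reply(409)
        with os.fdopen(fd, "wb") as f:
            f.write(body)
        self._reply(201)

    def _reply(self, code):
        self.send_response(code)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, fmt, *args):
        pass  # keep the sketch quiet; a real deployment would log


def make_server(drop_dir, host="127.0.0.1", port=0):
    """Build a server that writes into drop_dir (port 0 = pick a free port)."""
    handler = type("Handler", (PutOnlyHandler,), {"drop_dir": drop_dir})
    return HTTPServer((host, port), handler)


if __name__ == "__main__":
    os.makedirs("dropbox", exist_ok=True)
    make_server("dropbox", port=8080).serve_forever()
```

The sender gets a write-only channel: it cannot list, read back, replace or delete anything on the receiving side, and every stored file is inert data until the receiver chooses to open it.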

          • (Score: 2) by janrinok on Tuesday September 27 2016, @04:38PM

            by janrinok (52) Subscriber Badge on Tuesday September 27 2016, @04:38PM (#407008) Journal

            How do you copy a file from your laptop to your desktop?

            Er, ssh, rsync, and a multitude of other options. Both computers are on networks (they are both accessing the Internet) - why go through Dropbox?

            • (Score: 2, Disagree) by janrinok on Tuesday September 27 2016, @04:40PM

              by janrinok (52) Subscriber Badge on Tuesday September 27 2016, @04:40PM (#407010) Journal

              OK, after re-reading I can see what you are saying, but if people can't be bothered to learn how to use their computer then they probably aren't concerned about giving all their data to Microsoft.

              • (Score: 2) by Hyperturtle on Tuesday September 27 2016, @05:48PM

                by Hyperturtle (2824) on Tuesday September 27 2016, @05:48PM (#407042)

                I agree with you 100%, at least I did, until I tried to force various non-PC products to sync with my own server(s). This is not an easy task in many cases, and the means to do so and effort required is not the same across the gamut of consumer options.

                It appears that the industry has designed most consumer devices to not allow for that. If you have to demand a consumer to root their device, it likely is not going to work.

                Filesharing locally used to be drag-and-drop (or mounting a volume, but thems hackerspeak) but it can be very difficult to get a number of non-PC devices to even recognize there is a local network to do something with, let alone find a file share to drag-and-drop from.

                • (Score: 2) by janrinok on Tuesday September 27 2016, @06:05PM

                  by janrinok (52) Subscriber Badge on Tuesday September 27 2016, @06:05PM (#407051) Journal

                  Fair enough, my bad, I assumed that you were only concerned with lappies and PCs. Not owning any other mobile devices, I don't have a problem with transferring data to and from them. No smart phone or whatever else is the latest 'must-have' device. And why don't I own one? Because they don't let me do what I want to do with my device.

                  I love it when local companies want my mobile/cell number, and some websites won't let me join without telling them what my phone number, facebook, twitter, or some other ID is. I'm definitely getting old .....

                  • (Score: 3, Insightful) by Hyperturtle on Tuesday September 27 2016, @09:22PM

                    by Hyperturtle (2824) on Tuesday September 27 2016, @09:22PM (#407105)

                    You should pick up a $30 tablet, so that you can see what happens on them (and what you are missing from a technical perspective).

                    I believe Sun Tzu had written that one has to know one's enemy in order to best defeat them, or at least be aware of the dangers they present even if your only plan is to hightail it and avoid them at all costs.

                    • (Score: 2) by janrinok on Wednesday September 28 2016, @06:33AM

                      by janrinok (52) Subscriber Badge on Wednesday September 28 2016, @06:33AM (#407239) Journal

                      if your only plan is to hightail it and avoid them at all costs.

                      It was, and I have.

  • (Score: 2, Insightful) by coolgopher on Tuesday September 27 2016, @02:00PM

    by coolgopher (1157) on Tuesday September 27 2016, @02:00PM (#406945)

    ...that downloading and running untrusted code is perhaps not the best approach to security.

    • (Score: 4, Insightful) by Scruffy Beard 2 on Tuesday September 27 2016, @02:09PM

      by Scruffy Beard 2 (6030) on Tuesday September 27 2016, @02:09PM (#406948)

      We are told to get with the times when objecting to Client-side scripting.

    • (Score: 4, Insightful) by lgw on Tuesday September 27 2016, @06:19PM

      by lgw (2836) on Tuesday September 27 2016, @06:19PM (#407061)

      So you browse with JS turned off everywhere? I wish that were practical. "Downloading and running untrusted code" is just how the web works these days, sad as that is. So, the more isolation the better.

      • (Score: 4, Informative) by Marand on Wednesday September 28 2016, @05:26AM

        by Marand (1081) on Wednesday September 28 2016, @05:26AM (#407213) Journal

        So you browse with JS turned off everywhere? I wish that were practical. "Downloading and running untrusted code" is just how the web works these days, sad as that is. So, the more isolation the better.

        Close enough. NoScript, blacklist all domains by default. Occasional temporary whitelisting for a site, and a handful of them get permanently whitelisted if I visit often and believe they're trustworthy enough. Despite everyone's claims that the web is horribly broken like this, I've managed just fine. Most sites have sane fallbacks when javascript is disabled, and the ones that don't usually work fine with only the one domain whitelisted (no need for third-party ones). A few need two domains whitelisted: the site and some kind of CDN or other secondary site (like a media-serving domain).

        Sometimes a site will behave so poorly that it won't work like this, but it's rare. Usually the only casualty to my NoScript use is a page's advertisements, boo fucking hoo.

    • (Score: 0) by Anonymous Coward on Tuesday September 27 2016, @08:57PM

      by Anonymous Coward on Tuesday September 27 2016, @08:57PM (#407092)

      Here is the problem.

      1. you want a newspaper web, where you read but hardly interact
      2. people want interactive web

      Doing POST and GET on entire page is as interactive as a slide-show. Anyway, some people use part of the Internet services like you propose.

      https://stallman.org/stallman-computing.html [stallman.org]

      • (Score: 2) by coolgopher on Wednesday September 28 2016, @02:09AM

        by coolgopher (1157) on Wednesday September 28 2016, @02:09AM (#407156)

        I disagree with both of your statements.

        1. No. I want a clear distinction between passive content and code (applications). News-"papers" -> passive content. Gmail -> app. Under no circumstance should the gmail app get to run anything on my system without my express authorization. There's a damn good reason why modern CPUs have page protection bits saying whether the bytes kept there are allowed to be executed or not. The current browser paradigm willfully ignores what other areas of the computing industry learned years and years ago.

        2. No, people want stuff that works and lets them do things they like doing. They couldn't give two figs about how that happens under the hood. It's on us techies to make what's under the hood not suck. Currently we're doing a bad job at that.

        And bless Stallman's little heart - we need someone on that extreme end of the scale to help balance the other bunch.

  • (Score: 1, Insightful) by Anonymous Coward on Tuesday September 27 2016, @02:42PM

    by Anonymous Coward on Tuesday September 27 2016, @02:42PM (#406964)

    to give you the illusion of safety.

    FTFY.

    • (Score: 2) by DannyB on Tuesday September 27 2016, @05:39PM

      by DannyB (5839) Subscriber Badge on Tuesday September 27 2016, @05:39PM (#407037) Journal

      Are you questioning the security or soundness of Microsoft Maginot Line Defender?

      It has all the robustness, stability, reliability and security that you've come to expect from the Microsoft name.

      --
      The lower I set my standards the more accomplishments I have.
    • (Score: 1) by Ken on Tuesday September 27 2016, @11:13PM

      by Ken (5985) on Tuesday September 27 2016, @11:13PM (#407126)

      Locks only keep the honest people out...

      • (Score: 2) by DannyB on Wednesday September 28 2016, @02:06PM

        by DannyB (5839) Subscriber Badge on Wednesday September 28 2016, @02:06PM (#407386) Journal

        Locks also keep dishonest but stupid people out.

        --
        The lower I set my standards the more accomplishments I have.
  • (Score: 2, Interesting) by Anonymous Coward on Tuesday September 27 2016, @02:47PM

    by Anonymous Coward on Tuesday September 27 2016, @02:47PM (#406966)

    MS can't make a secure OS but they think they can make a secure VM.

  • (Score: 3, Funny) by inertnet on Tuesday September 27 2016, @02:50PM

    by inertnet (4071) on Tuesday September 27 2016, @02:50PM (#406967) Journal

    ... is living on the Edge.

  • (Score: 0) by Anonymous Coward on Tuesday September 27 2016, @03:04PM

    by Anonymous Coward on Tuesday September 27 2016, @03:04PM (#406972)

    If this is anything like Bromium, you're going to need to buy a much faster PC :-)

    • (Score: 2) by joshuajon on Tuesday September 27 2016, @08:22PM

      by joshuajon (807) on Tuesday September 27 2016, @08:22PM (#407082)

      That looks interesting. It reminds me of Qubes.

  • (Score: 1, Offtopic) by Gaaark on Tuesday September 27 2016, @04:02PM

    by Gaaark (41) on Tuesday September 27 2016, @04:02PM (#406994) Journal

    Oh, Jolly good, ol' chap! Now I can browse porn securely and only Microsoft will know!

    I feel so secure now! Pip pip!

    Oh wait, I'm BRILL! I use Linux! Tatata MS!

    Flint is your King!

    Jeez, get off the MS pot already.

    --
    --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
  • (Score: 0) by Anonymous Coward on Tuesday September 27 2016, @06:33PM

    by Anonymous Coward on Tuesday September 27 2016, @06:33PM (#407068)

    How will this affect vmware and virtualbox? Is this a case where I have to play with the settings or just not use/disable edge?

  • (Score: 3, Informative) by Anonymous Coward on Tuesday September 27 2016, @09:33PM

    by Anonymous Coward on Tuesday September 27 2016, @09:33PM (#407108)

    Windows 10 Enterprise Will Soon Run Edge in a Virtual Machine to Keep You Safe

    FTFY.

    • (Score: 2) by Marand on Wednesday September 28 2016, @05:32AM

      by Marand (1081) on Wednesday September 28 2016, @05:32AM (#407216) Journal

      I modded you up, hopefully others will notice.

      There's a lot of discussion here (and elsewhere) about this change, but everyone seems to miss that it only applies to W10 Enterprise, aka "the one almost nobody uses outside of businesses"

      It's a security feature that will only be available for a fraction of users of an already niche OS. For most people it may as well not exist, and yet it keeps showing up in the news, discussed as some huge security improvement. The PR machine is working overtime on this, apparently.

      • (Score: 2) by Marand on Wednesday September 28 2016, @05:34AM

        by Marand (1081) on Wednesday September 28 2016, @05:34AM (#407217) Journal

        It's a security feature that will only be available for a fraction of users of an already niche OS

        Correction: I meant to say "an already niche browser" there.

        That's what I get for not double-checking before posting.

        • (Score: 2) by maxwell demon on Wednesday September 28 2016, @06:52AM

          by maxwell demon (1608) on Wednesday September 28 2016, @06:52AM (#407249) Journal

          Well, Microsoft is currently working hard to make Windows a niche OS. It takes time to go from market domination to niche, though.

          --
          The Tao of math: The numbers you can count are not the real numbers.
    • (Score: 0) by Anonymous Coward on Wednesday September 28 2016, @08:33AM

      by Anonymous Coward on Wednesday September 28 2016, @08:33AM (#407278)

      So you're saying it only covers an Edge case?

  • (Score: 2) by Bobs on Tuesday September 27 2016, @11:12PM

    by Bobs (1462) on Tuesday September 27 2016, @11:12PM (#407124)

    This new feature also helps drive people to / lock users into using the Microsoft proprietary browser on windows.

    Remember the anti-trust issues with bundling Internet Explorer?

    Now the Microsoft solution is secure and other browsers do not have access to run in the MS VM.

    Justification for requiring / only supporting Windows browser in the OS.
    The others are insecure and slower when running on Windows