
Windows 10 will soon run Edge in a virtual machine to keep you safe


Batu69


Application Guard extends Virtualization Based Security to protect against browser flaws.

[Image: application-guard.png]

Untrusted sites get a minimal set of Windows Platform Services and no access to the rest of the system.

 

ATLANTA—Microsoft has announced that the next major update to Windows 10 will run its Edge browser in a lightweight virtual machine. Running the update in a virtual machine will make exploiting the browser and attacking the operating system or compromising user data more challenging.

 

Called Windows Defender Application Guard for Microsoft Edge, the new capability builds on the virtual machine-based security that was first introduced last summer in Windows 10. Windows 10's Virtualization Based Security (VBS) uses small virtual machines and the Hyper-V hypervisor to isolate certain critical data and processes from the rest of the system. The most important of these is Credential Guard, which stores network credentials and password hashes in an isolated virtual machine. This isolation prevents the popular MimiKatz tool from harvesting those password hashes. In turn, it also prevents a hacker from breaking into one machine and then using stolen credentials to spread to other machines on the same network.

 

The Edge browser already creates a secure sandbox for its processes, a technique that tries to limit the damage that can be done when malicious code runs within the browser. The sandbox has limited access to the rest of the system and its data, so successful exploits need to break free from the sandbox's constraints. Often they do this by attacking the operating system itself, using operating system flaws to elevate their privileges.

 

Credential Guard's virtual machine is very small and lightweight, running only a relatively simple process to manage credentials. Application Guard will go much further by running large parts of the Edge browser within a virtual machine. This virtual machine won't, however, need a full operating system running inside it—just a minimal set of Windows features required to run the browser. Because Application Guard is running in a virtual machine it will have a much higher barrier between it and the host platform. It can't see other processes, it can't access local storage, it can't access any other installed applications, and, critically, it can't attack the kernel of the host system.

 

In its first iteration, Application Guard will only be available for Edge. Microsoft won't provide an API or let other applications use it. As with other VBS features, Application Guard will also only be available to users of Windows 10 Enterprise, with administrative control through group policies. Administrators will be able to mark some sites as trusted, and those sites won't use the virtual machine. Admins will also be able to control whether untrusted sites can use the clipboard or print.

 

Microsoft recognizes that this feature would be desirable on consumer machines, too, and not just for Edge. Other browsers such as Chrome would also benefit from this kind of protection. So too would Office's "Protected Mode" that's used for opening documents from untrusted sources.

 

However, doing this has certain complexities. Currently, virtualized sites can't store persistent cookies, for example, because virtual machines get destroyed when the browser is closed. This may be acceptable for a locked-down enterprise environment, but it isn't a good fit for consumers.

 

There are also compatibility constraints. VBS installs the Hyper-V hypervisor. This requires a processor with hardware virtualization support, and it also requires I/O virtualization (such as Intel's VT-d) to protect against certain known attacks. This means that some systems in the wild won't support it. There are also software concerns; only one hypervisor can be installed at a time, which means that a machine that's running Hyper-V cannot also run VMware Workstation or Virtual Box, say, or software that uses virtualization behind the scenes, such as the Bluestacks Android-on-Windows software.

 

This virtualization also likely comes at some performance cost, although Microsoft is not saying just what that performance cost is right now.

Nonetheless, this use of virtualization to harden a system is an exciting move. Experimental and special-use systems such as Qubes OS have used virtualization in a similar way, but are far from mainstream offerings. Microsoft is uniquely positioned to take this kind of capability mainstream.

 

Application Guard will become available later this year in Insider builds of Windows, hitting a stable version some time in 2017.

 

Article source

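The article lists the prerequisites (hardware virtualization, I/O virtualization such as VT-d, a single hypervisor) and the group-policy controls (trusted sites, clipboard, printing) without showing how an administrator would verify them on a given host. The following script is an added example, not code from the article or from Microsoft; it reads the same Device Guard WMI class that msinfo32 uses and reports readiness and policy state. The optional-feature name `Windows-Defender-ApplicationGuard` and the `AppHVSI` and `NetworkIsolation` policy registry paths are assumed from Microsoft's public documentation.

```powershell
# Added example: Application Guard readiness and policy report for one Windows 10 host.
# Run from an elevated PowerShell prompt. Feature name and policy paths are assumptions
# taken from Microsoft documentation, not from the article above.

function Get-ApplicationGuardReadiness {
    # Win32_DeviceGuard reports VBS state and which hardware security properties exist.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    # AvailableSecurityProperties codes: 1 = hypervisor support, 2 = Secure Boot,
    # 3 = DMA (IOMMU, e.g. VT-d) protection, 5 = NX, 7 = mode-based execution control.
    $props   = @($dg.AvailableSecurityProperties)
    # SecurityServicesRunning codes: 1 = Credential Guard, 2 = HVCI (memory integrity).
    $running = @($dg.SecurityServicesRunning)
    $vbsNames = @{ 0 = 'NotEnabled'; 1 = 'EnabledNotRunning'; 2 = 'Running' }

    $ci = Get-ComputerInfo -Property HyperVisorPresent, HyperVRequirementVirtualizationFirmwareEnabled
    # When a hypervisor is already running, the firmware flag reads as null; a present
    # hypervisor is itself proof that the CPU and firmware virtualization checks passed.
    $virtOk = [bool]$ci.HyperVisorPresent -or [bool]$ci.HyperVRequirementVirtualizationFirmwareEnabled

    $feature = Get-WindowsOptionalFeature -Online -FeatureName 'Windows-Defender-ApplicationGuard' -ErrorAction SilentlyContinue
    $featureState = 'NotAvailable'
    if ($feature) { $featureState = $feature.State }

    # Group-policy settings are written here when the domain pushes them (assumed paths).
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI' -ErrorAction SilentlyContinue
    $iso = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        HardwareVirtualization  = $virtOk
        HypervisorRunning       = [bool]$ci.HyperVisorPresent
        DmaProtectionAvailable  = ($props -contains 3)       # the I/O virtualization the article requires
        VbsStatus               = $vbsNames[[int]$dg.VirtualizationBasedSecurityStatus]
        CredentialGuardRunning  = ($running -contains 1)
        ApplicationGuardFeature = $featureState
        ApplicationGuardPolicy  = $pol.AllowAppHVSI_ProviderSet     # 1 = enabled for Edge
        ClipboardPolicy         = $pol.AppHVSIClipboardSettings     # 0 = blocked in the container
        PrintingPolicy          = $pol.AppHVSIPrintingSettings      # 0 = blocked in the container
        # Sites the admin marked as trusted open on the host, outside the container.
        TrustedCloudResources   = $iso.EnterpriseCloudResources
        TrustedDomains          = $iso.EnterpriseNetworkDomainNames
    }
}

Get-ApplicationGuardReadiness | Format-List
```

A host that shows `DmaProtectionAvailable = False` or `VbsStatus = NotEnabled` is one of the "systems in the wild" the article says won't support the feature, and a third-party hypervisor already running will show up as `HypervisorRunning = True` with no VBS.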

Now they should create an encrypted partition under another partition format making it even more secure. But never completely secure, I honestly don't think complete security is even possible.



Microsoft seems to have embarked on a mission to make Windows 10 the most secure operating system. As such, it has decided to add a slew of security enhancements across a range of its products. Windows Defender Application Guard happens to be one of those enhancements that found a mention in yesterday's keynote.

 

The new capability that would come with the next major update to Windows 10 will be in the form of Windows Defender Application Guard. The feature would enable the Edge browser to run in a lightweight virtual machine. Running the browser in a virtual machine would reduce even the remote possibility of a system getting infected, thereby ensuring safety and protection of the enterprise's devices and its corporate network.

 

Windows Defender Application Guard

This feature uses virtualization technology to open links clicked while browsing the Internet or checking email in a sandboxed environment (an isolated environment to test or analyze software in a protected environment) to keep malicious script out of the user's network and devices.

 

In its very first avatar, Application Guard will only be available for the Edge browser, since the majority of attacks start in the browser. As such, this level of protection assumes much importance. This feature will become a part of Microsoft Edge and will be available on Windows 10 somewhere in 2017, and until then, it will be tried and tested with members of the Windows Insiders program.

 

Older systems may not be able to keep up with this development, and so possibly this is one of the reasons why Microsoft insists that the silicon support policy for Windows 10 should back virtualization support in Windows Defender Application Guard.

 

From the above, it is clear that Edge browser might not necessarily be the most feature-rich browser, but that doesn’t dampen the spirit of its developers to make it the most secure browser.

 

[Image: sandbox.png]

 

Let us take a look at Windows Defender Application Guard and uncover some of its prominent features.

 

Keeping in view the latest developments where many business establishments worldwide have come under direct security threat, this new layer of defense-in-depth protection offered by Windows Defender Application Guard is welcome.

 

It is an established fact that over 90% of attacks are initiated via a hyperlink, designed specifically to:

  1. Steal credentials
  2. Install malware
  3. Exploit vulnerabilities.


So, initially, a corrupt email, often under the guise of legitimate authority in the company, may request the employee to click a link to read a supposedly important document.

The link is specially crafted to install malware on the user’s machine. Once a connection is established on that computer, the attackers can easily steal credentials and look for vulnerabilities in other computers on the same network.

 

With virtualization technology supported in Windows Defender Application Guard, such potential threats are not only identified and segregated from the network and the system but also removed completely when the container is closed.

 

Secondly, when an employee browses to a site that is not trusted by the network administrator, Application Guard jumps into action and silently removes the potential threat. As shown in the image below outlined in red, Application Guard creates a new instance of Windows at the hardware layer, with a completely different copy of the kernel. The underlying hardware (Windows Defender Application Guard) enforces that this separate copy of Windows has no access to the user’s normal operating environment which includes access to memory, local storage, other installed applications and corporate network endpoints.

 

[Image: Anatomy-of-attack.png]

 

In-depth defense for Enterprise

Windows Defender Application Guard is capable of offering its customers a trouble-free browsing experience by protecting enterprise systems from advanced attacks that try to seek an entry to the network and devices via the Internet. It even has a definite plan of action when malicious code manages to enter the network. The ingenious tool silently coordinates with Microsoft Edge to open that site in a temporary and isolated copy of Windows. In this case, even if the attacker’s code is successful in attempting to exploit the browser, the attacker finds their code running in a clean environment with no interesting data, no access to any user credentials, and no access to other endpoints on the corporate network. The attack thus loses its prominence and invariably gets disrupted.

 

Soon after the browsing session is complete, the temporary container is thrown away, alongside the malware. All this happens in quick succession and the user does not even get a hint of an attack having taken place. After deletion, a fresh new container is created for future browsing sessions.

 

Web developers and Application Guard

The news that brings much joy for the web developers is that they do not need to do anything different or new with their site code – Microsoft Edge renders sites in Application Guard fundamentally the same way it does in the host version of Windows. There is no essential requirement of detecting malicious code when Microsoft Edge is running in this mode, nor any need to account for behavior differences. Since this temporary container is destroyed when the user is done, there is no existence of cookies or local storage when the user is finished.

 

In addition to this, Microsoft made other security announcements like Windows Defender Advanced Threat Protection (WDATP) and Office 365 ATP now having the capacity to mutually share intelligence and assist IT professionals in investigating and responding to security threats across both Windows 10 and Office 365 in a timely manner.

For more details on this topic, visit the Windows Blog.

Article source
