We talk a lot about server virtualization in this column, but not so much about the virtualization technology used on desktop machines. Well today is different.
That’s because Microsoft, in its continuing efforts to distance itself from its troubled Internet Explorer browser, has unveiled plans to run Windows 10’s new Edge browser in a virtual machine.
The reason for this is that browsers are popular entry points for all kinds of malware, and by running Edge in a virtual machine the company hopes to isolate it from these attacks.
The Edge browser already runs its processes in a sandbox to try to isolate the browser’s activities from the rest of the computer, but hackers can break out of the sandbox by exploiting flaws in the underlying operating system to elevate their privileges.
Enter Windows Defender Application Guard (WDAG). (Or at least enter the announcement: Application Guard is slated for availability with the next major update to Windows 10, due next year.) Essentially, WDAG will run untrusted sites (more about these in a minute) in a stripped-down, hardened virtual machine with just the minimum components of Windows necessary to run the Edge browser.
What’s the Benefit of Browsing within a Virtual Machine?
The benefit of this is that it presents a smaller operating system attack surface to hackers, and it will provide much better isolation from the underlying host system: processes in the virtual machine won’t be able to access other applications, host storage, or the underlying operating system.
So even if malware from a web page could compromise the virtual machine it would find nothing of interest and would be unable to “see” anything in the underlying PC or anything else connected to it on the network, Microsoft says. Once the browser is closed the virtual machine is obliterated, along with any malware that it might have picked up.
The system is reminiscent of micro-virtualization security products such as Bromium’s. Only in this case the Edge browser is the only thing that’s protected. (Bromium is a virtualization-based security company that we first looked at in this column five years ago.)
Potential Gotchas with Application Guard
Now one catch is that Application Guard will only be available on Windows 10 Enterprise, and administrators will have the task of deciding which web sites are trusted (and which bypass these security measures — that could include internal accounting web applications, for example) and which are untrusted and subject to Application Guard. (Admins can also decide if users can use the clipboard or print from untrusted sites.)
Another catch is that the whole shebang relies on a processor with hardware virtualization support, and that means that not all desktop (or laptop) machines support it.
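To make the two catches above concrete, here is the kind of PowerShell an administrator might run on a Windows 10 Enterprise machine: check the hardware-virtualization prerequisite, turn the feature on, declare which sites are trusted, and decide whether the clipboard and printing may cross the isolation boundary. This is an added example, not code from the column or from Microsoft; the feature name, registry paths and value names are those documented for the shipped product rather than anything in the announcement, and the domain and IP range are constructed placeholders.

```powershell
# 1. Hardware prerequisite (see the column's second "catch"): the container
#    cannot start unless the CPU and firmware expose all four Hyper-V
#    requirements. Note: Get-ComputerInfo reports these as empty once the
#    Hyper-V role is already installed, so run this check before enabling it.
$info = Get-ComputerInfo
$hvReady = $info.HyperVRequirementVirtualizationFirmwareEnabled -and
           $info.HyperVRequirementSecondLevelAddressTranslation -and
           $info.HyperVRequirementVMMonitorModeExtensions -and
           $info.HyperVRequirementDataExecutionPreventionAvailable
if (-not $hvReady) {
    throw 'Hardware virtualization is missing or disabled in firmware; Application Guard cannot run here.'
}

# 2. Enable the optional feature (a reboot is needed before it takes effect).
Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard -NoRestart

# 3. Trusted sites. Everything NOT listed under the NetworkIsolation policy is
#    treated as untrusted and opened inside the isolated virtual machine.
$netIso = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation'
New-Item -Path $netIso -Force | Out-Null
# Internal accounting web application (constructed placeholder domain); the
# leading dot covers the domain and its sub-domains.
Set-ItemProperty -Path $netIso -Name EnterpriseNetworkDomainNames -Value '.accounting.example.internal'
# Corporate address range (constructed placeholder) that is also trusted.
Set-ItemProperty -Path $netIso -Name EnterpriseIPRange -Value '10.20.0.0-10.20.255.255'

# 4. Data-flow controls for untrusted sessions. A value of 0 blocks the
#    clipboard in both directions and disables printing, so nothing picked up
#    in the container can be pasted or printed back onto the host.
$wdag = 'HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI'
New-Item -Path $wdag -Force | Out-Null
Set-ItemProperty -Path $wdag -Name AppHVSIClipboardSettings -Value 0 -Type DWord
Set-ItemProperty -Path $wdag -Name AppHVSIPrintingSettings  -Value 0 -Type DWord
```

In a managed estate the same settings would normally be pushed through Group Policy (Administrative Templates > Network > Network Isolation, and > Windows Components > Windows Defender Application Guard) rather than written to the registry by hand.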
Yet another potential gotcha is that a computer can run only one hypervisor at a time, and that hypervisor is the one that hosts all of the machine’s virtual machines. So if users want the protection of Application Guard in Edge browsing sessions, they won’t be able to use other hypervisor-based products such as VMware Workstation or Oracle’s popular VirtualBox. Excluding other vendors’ virtual machine technology may be a side benefit to Microsoft (as it is keen for everyone to use Hyper-V), but it’s likely to cause headaches for administrators and their users.
And Application Guard is not supported on consumer versions of Windows 10. It’s not clear why this might be — it could be a marketing move, or Microsoft may have decided that expecting consumers to choose trusted and untrusted sites is simply not viable.
Another possible reason is that browsing in this way means persistent cookies can’t be used: that’s because the virtual machine is torn down each time the browser is closed. That may be acceptable in an enterprise environment, but consumers may balk at that.
There’s one more drawback that’s worth mentioning as well. Despite the use of hardware-supported virtualization, there’s likely to be a performance impact to using this type of virtual machine.
Yet despite all these catches there’s no denying that this use of virtualization is a step forward for end-user security — especially when it’s built into the operating system rather than supplied as a third-party anti-malware solution.
Who would have thought ten years ago that virtualization technology would move out of the data center and onto the desktop right inside Windows?
Paul Rubens is a technology journalist and contributor to ServerWatch, EnterpriseNetworkingPlanet and EnterpriseMobileToday. He has also covered technology for international newspapers and magazines including The Economist and The Financial Times since 1991.