Microsoft has unveiled Windows Defender Application Guard for Microsoft Edge,
a new system that will isolate the browser on Windows 10 Enterprise PCs, making
them harder to hack. In a blog post, the company wrote that it's "the first
operating system to ship this type of technology alongside a browser." Using the
Virtualization Based Security (VBS) recently introduced for Windows 10, Edge
runs inside a small, virtual "PC," keeping it separate from storage,
other apps and, most importantly, the Windows 10 kernel.

Microsoft says that while other browsers are "sandboxed" away from
security-sensitive PC areas, they "still provide a pathway for malware and
vulnerability exploits." By contrast, Application Guard uses a hardware
container to completely isolate Edge from the rest of the PC.

The system is only available on Windows 10 Enterprise for now, so administrators will need
to choose sites that do and don't run inside Application Guard. When it's
enabled, malware can't penetrate the protective VM "box" around Edge
to access the rest of the system. "Even if an untrusted site successfully
loads malware, the malware is unable to reach beyond the isolated container to
steal data or permanently compromise devices or the network," Microsoft
wrote.

Running Edge in a virtual machine will slow it down a bit, but Microsoft says
it uses the minimum resources necessary to keep it light. The other hassle is
that an Application Guard-enabled session won't save your cookies or other data,
because closing the browser completely wipes all memory of the session. Those
things mean that the VM-protected Edge system isn't quite ready for
non-enterprise users just yet. However, in an age of constant hacking, a browser
that isolates your system from danger seems like an idea whose time has come.