The next major update to Windows 10 will run its Edge browser in a lightweight virtual machine. Running the browser in a virtual machine will make exploiting it to attack the operating system or compromise user data more challenging, because from the attacker's point of view the browser is running on a separate computer.
Called Windows Defender Application Guard for Microsoft Edge, the new capability builds on the virtual machine-based security that was first introduced last summer in Windows 10.
Windows 10’s Virtualization Based Security (VBS) uses small virtual machines and the Hyper-V hypervisor to isolate certain critical data and processes from the rest of the system. The most important of these is Credential Guard, which stores network credentials and password hashes in an isolated virtual machine.
The Edge browser already runs its processes in a sandbox with limited access to the rest of the system and its data. Attackers get around this by attacking the operating system itself, using OS flaws to elevate their privileges; but if the OS they compromise belongs to a virtual machine, that virtual machine is all they gain control of.
Code running inside that virtual machine can’t see other processes, can’t access local storage, can’t access any other installed applications and, critically, can’t attack the kernel of the host system.
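As an added example that is not part of the article, here is a PowerShell audit script for checking whether the VBS isolation described above is actually active on a Windows 10 host, whether Credential Guard is merely configured or really running, and whether the Application Guard optional feature is enabled. The status-code decoding and the feature name follow Microsoft's documented values for Win32_DeviceGuard and Windows optional features, but they are assumptions made here, not something the article states.

```powershell
# Added example, not from the article. Run from an elevated PowerShell prompt
# on Windows 10; reports the VBS state that Credential Guard and Application
# Guard depend on.

# Win32_DeviceGuard exposes the Virtualization Based Security state.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName 'Win32_DeviceGuard'

# Assumed decoding of the status fields (documented Win32_DeviceGuard values).
$vbsStatus = @{ 0 = 'not enabled'; 1 = 'enabled but not running'; 2 = 'enabled and running' }
$services  = @{ 1 = 'Credential Guard'; 2 = 'Hypervisor-enforced code integrity' }

function Resolve-Service([int]$code) {
    if ($services.ContainsKey($code)) { $services[$code] } else { "unknown service ($code)" }
}

Write-Output "VBS status: $($vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus])"

# "Configured" and "Running" are separate lists. A service can be configured by
# policy yet not running, for example when the hypervisor failed to start, so
# both are shown and the difference is called out.
$configured = @($dg.SecurityServicesConfigured) | ForEach-Object { Resolve-Service $_ }
$running    = @($dg.SecurityServicesRunning)    | ForEach-Object { Resolve-Service $_ }

Write-Output "Configured services: $(if ($configured) { $configured -join ', ' } else { 'none' })"
Write-Output "Running services:    $(if ($running)    { $running    -join ', ' } else { 'none' })"

$notRunning = $configured | Where-Object { $_ -notin $running }
if ($notRunning) {
    Write-Warning "Configured but NOT running: $($notRunning -join ', ')"
}

# Application Guard ships as an optional feature; on editions or builds that do
# not carry it, the query returns nothing rather than a state.
$ag = Get-WindowsOptionalFeature -Online -FeatureName 'Windows-Defender-ApplicationGuard' `
                                 -ErrorAction SilentlyContinue
if ($ag) {
    Write-Output "Application Guard feature state: $($ag.State)"
} else {
    Write-Output 'Application Guard feature is not available on this edition or build'
}
```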
Sadly, the software will not be available to the great unwashed. Only users who splash out on Windows 10 Enterprise will get the software.
Application Guard will become available later this year in Insider builds of Windows Enterprise, hitting a stable version some time in 2017.