Browser security is an essential element of an organization’s cyber security. Microsoft hoped its new Edge browser, introduced with Windows 10, would be a leap forward. And it is. However, with attackers changing their tactics, it hasn’t been enough.
So this week the company announced a virtualized browser for enterprises in a bid to take another leap. Called Windows Defender Application Guard for Windows 10 Enterprise, Microsoft said it provides “unprecedented protection against targeted threats” by using its Hyper-V virtualization technology to block malicious links.
However, two industry analysts interviewed by Computerworld U.S. gave it mixed reviews, even though Application Guard hasn’t been rolled out yet.
“The whole idea of containerization has a basic security flaw,” it quotes John Pescatore, director of emerging security trends at the SANS Institute, as saying. “The idea is that if malware starts running in the [container], you just shut it down. But what happened while the malware was running?”
Users could be duped into offering up their passwords inside an Edge tab guarded by Application Guard just as easily as if they were running a different browser, he added.
On the other hand, Patrick Moorhead, principal analyst of Moor Insights & Strategy, said “This is one of those ideas where you say, ‘Why didn’t someone do this before?’”
Moorhead called the solution a first for a mainstream browser. “This is a different way to virtualize,” he said, comparing it to the more traditional approach of crafting a virtual machine using software, such as VMware’s line. In the virtual space thus created, “Malware can’t access your files, it can’t scrape passwords,” Moorhead added.
Which is the truth? Administrators will have to wait: Application Guard for Microsoft Edge will become available to Windows Insiders in the coming months, and roll out more broadly next year.
Here’s how it works: Microsoft [Nasdaq: MSFT] figures over 90 per cent of attacks use a hyperlink in email, text messages or social media postings to initiate an attack, which then spreads from one PC throughout the network.
When a user browses to a trusted web site, Edge operates normally. But when the browser goes to a site that is not recognized or trusted by the network administrator, Application Guard isolates the potential threat by creating a new instance of Windows at the hardware layer, with an entirely separate copy of the kernel and the minimum Windows Platform Services required to run Microsoft Edge.
If the lure is a spearphishing email and the user clicks on a malicious link, Application Guard lets Edge open that site in a temporary and isolated copy of Windows. Even if the attacker’s code succeeds in exploiting the browser, it runs in a clean environment with no interesting data, no access to any user credentials, and no access to other endpoints on the corporate network, says Microsoft. “As soon as the user is done, whether or not they are even aware of the attack having taken place, this temporary container is thrown away, and any malware is discarded along with it. There is no way for the attacker to persist on that local machine, and even a compromised browser instance has no foothold to mount further attacks against the company’s network. After deletion, a fresh new container is created for future browsing sessions.”
“The underlying hardware enforces that this separate copy of Windows has no access to the user’s normal operating environment,” says Microsoft. “Application Guard’s enforcement includes completely blocking access to memory, local storage, other installed applications, corporate network endpoints, or any other resources of interest to the attacker. This separate copy of Windows has no access to any credentials, including domain credentials, that may be stored in the permanent credential store.”
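Because the whole scheme hinges on the administrator’s definition of “trusted” sites (everything outside that list is what opens in the throwaway container), an administrator will want to audit that boundary. The following PowerShell script is an added example, not Microsoft’s code or anything from the article: it assumes the optional feature name `Windows-Defender-ApplicationGuard` and the `NetworkIsolation` policy key and value names used by Windows network isolation, and it needs an elevated prompt on a Windows 10 Enterprise host.

```powershell
# Added example: audit whether Application Guard is installed and which sites
# the network-isolation policy treats as trusted (i.e. NOT sent to the container).
# Feature name, registry path and value names are assumptions for this example;
# confirm them against the policy documentation for your Windows build.

# 1. Is the optional feature installed? (Requires an elevated prompt.)
$feature = Get-WindowsOptionalFeature -Online -FeatureName 'Windows-Defender-ApplicationGuard'
Write-Host ("Application Guard feature state: {0}" -f $feature.State)

# 2. The policy values that define the corporate boundary. Sites matching these
#    lists open in the normal host Edge; anything else opens in the container.
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation'
$valueNames = @(
    'EnterpriseCloudResources',      # cloud-hosted corporate resources
    'EnterpriseNetworkDomainNames',  # on-premises corporate domains
    'NeutralResources'               # sites allowed in both host and container
)

if (-not (Test-Path $policyPath)) {
    Write-Warning 'No NetworkIsolation policy found: every external site would open in the container.'
    return
}

$policy = Get-ItemProperty -Path $policyPath
foreach ($name in $valueNames) {
    $raw = $policy.$name
    if ([string]::IsNullOrWhiteSpace($raw)) {
        Write-Host ("{0}: <not set>" -f $name)
        continue
    }
    # Values are stored as pipe- or comma-separated domain lists; accept both.
    $entries = $raw -split '[|,]' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    Write-Host ("{0}: {1} entries" -f $name, $entries.Count)
    foreach ($entry in $entries) {
        Write-Host ("  - {0}" -f $entry)
        # 3. Flag overly broad entries. A bare top-level domain such as ".com"
        #    would mark most of the web as trusted and bypass the isolation
        #    the article describes, so it deserves a second look.
        $labels = ($entry -replace '^\.', '').Split('.')
        if ($labels.Count -lt 2) {
            Write-Warning ("  Entry '{0}' is a whole top-level domain; it will keep those sites out of the container." -f $entry)
        }
    }
}
```

A host where the feature reports `Disabled`, or where every list is `<not set>`, gives no isolation at all, so both conditions are worth alerting on in fleet inventory.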