Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security Windows Communications Microsoft Operating Systems Privacy Software The Internet News Build Technology

Windows 10 Will Soon Run Edge In a Virtual Machine To Keep You Safe (arstechnica.com) 172

An anonymous reader quotes a report from Ars Technica: Microsoft has announced that the next major update to Windows 10 will run its Edge browser in a lightweight virtual machine. Running the update in a virtual machine will make exploiting the browser and attacking the operating system or compromising user data more challenging. Called Windows Defender Application Guard for Microsoft Edge, the new capability builds on the virtual machine-based security that was first introduced last summer in Windows 10. Windows 10's Virtualization Based Security (VBS) uses small virtual machines and the Hyper-V hypervisor to isolate certain critical data and processes from the rest of the system. The most important of these is Credential Guard, which stores network credentials and password hashes in an isolated virtual machine. This isolation prevents the popular MimiKatz tool from harvesting those password hashes. In turn, it also prevents a hacker from breaking into one machine and then using stolen credentials to spread to other machines on the same network. Credential Guard's virtual machine is very small and lightweight, running only a relatively simple process to manage credentials. Application Guard will go much further by running large parts of the Edge browser within a virtual machine. This virtual machine won't, however, need a full operating system running inside it -- just a minimal set of Windows features required to run the browser. Because Application Guard is running in a virtual machine it will have a much higher barrier between it and the host platform. It can't see other processes, it can't access local storage, it can't access any other installed applications, and, critically, it can't attack the kernel of the host system. In its first iteration, Application Guard will only be available for Edge. Microsoft won't provide an API or let other applications use it. As with other VBS features, Application Guard will also only be available to users of Windows 10 Enterprise, with administrative control through group policies. Administrators will be able to mark some sites as trusted, and those sites won't use the virtual machine. Admins also be able to control whether untrusted sites can use the clipboard or print.
This discussion has been archived. No new comments can be posted.

Windows 10 Will Soon Run Edge In a Virtual Machine To Keep You Safe

Comments Filter:
  • by fuzzyfuzzyfungus ( 1223518 ) on Monday September 26, 2016 @07:21PM (#52966491) Journal
    Hooray! A security feature exclusive to Windows 10 Enterprise customers. That will substantially cut down on the actual difference this makes.
    • I can't get to Ars at work, so this is for Enterprise edition and not Pro? Makes it really something I don't care about, agreed.
      • by vux984 ( 928602 ) on Monday September 26, 2016 @08:38PM (#52966811)

        Its rapidly becoming the case that the enterprise edition is the 'new' pro edition.

        Whereas with XP through 8, I just wanted to have pro to be able to run my own IIS, accept incoming RDP, not have to deal with the idiot simplified user permissions etc, with win8 pro came hyperV... etc In each case, Home edition was awful, while Pro was a good OS.

        With 7/8 Enterprise has some extra bitlocker stuff I think? And the VLA license management features that only an enterprise would need.

        But with 10, "pro" is garbage too, and all the features I actually want are now in Enterprise edition. (Turn off telemetry, more control over windows update, Edge in a Virtual Machine...)

        So im coming to the conclusion that us 'power users' that until now always wanted pro should now be looking for the enterprise edition.

        Of course enterprise is currently a lot more expensive than pro, with recurring subscription fees.

        But this is looking to be the carrot and stick approach; (and mostly for businesses -- us power users are just caught in the middle of it.) Home users are being corralled into Windows 10 Home (and Pro at this point is really just Home+) where their updates are managed and theyre expected to be all appy and cloudy and monitored with telemetry.

        While businesses (and people) who need to get shit done, and don't want their windows computers scheduling an update before an important meeting, and don't want to send telemetry to redmond,etc, etc... (i.e. people like me) -- should be using enterprise.

        Us power users should be looking to use enterprise. (Assuming as always that we wish to use windows at all, which in my case at least, while I love my linux -- I am not interested in the huge compromises necessary to make it my primary desktop.

        Ah but Windows 10 Enterprise is nasty for individuals to get a hold of what with Microsoft VLAs and the byzantine and downright hostile Software Assuarance licensing crapola.

        So when I read about something like this...

        Windows 10 Enterprise E3 / 7$ seat / month. And it sounds like its being aimed to be run like office 365... suddenly things start to come into focus...

        http://www.pcworld.com/article... [pcworld.com]

        " It's worth highlighting, though, that a business of one employee can take advantage of it, however. "

        Interesting right!? (I mean yeah, this is /. so the pitchforks are out in force... and I should switch to linux everything... but think about it rationally...)

        There is going to be the non-recurring windows 10 home edition and the home+ (aka pro), the spyware adware versions. And there is going to be Windows 10 enterprise, the only one businesses and power users will want but at $7/seat/month.

        So If one seat of Enterprise really is per user? and I can put it on my desktop, laptop, and a couple hyperv virtual desktops like i can Microsoft office... all for 84/year... and I can turn off automatic updates and do them when i want, and I can turn off telemetry...

        On the one hand... ugh... rent seeking subscription -- the business model for companies who really can't compellingly improve there product but still want the same revenue they were getting when each release was a must-have. And yeah.. Windows has reached that point I guess. "XP does all I need" people are still all over the place.

        On the other hand... $7/month for an actual good windows user experience with the kind of control I want over it, with continual support in the form of antivirus and security updates...ok... I'm listening.

        • I could live with $7 a month if I can suspend it for deployments and such. I don't want to pay $42 while I'm overseas and not touching it as cheap as that sounds. I'll look into it, thank you. Maybe they have a military/student discount.
        • I am not a fanboy of WIndows 10 by a long shot but WIndows 10 pro does:
          1. Have the ability to control Windows Updates including defer feature updates ala Debian style.
          2. GPO support
          3. Pro has the same Hyper-v and RDP options. If you go under settings go to developer mode to turn them on by default
          4. IIS support
          5. The ability to pick when updates are applied

          Windows 7/8 have spyware too unless you want to be insecure. Chrome and your phone already do this anyway.

          The only thing the enterprise edition has is to

          • by vux984 ( 928602 )

            I don't disagree with you. The trouble is that I'm finding pro is steadily becoming more 'managed by microsoft' than 'managed by me', and increasingly it's becoming an 'ad delivery platform'; given Microsofts positioning of Windows 10 as the 'last version of windows' and continually supported and updated for free... I read that as with Windows 10 "You're going to be the product now. Not the customer".

            So while I get the 'features' like hyperV and GPO etc... I don't get enough control over stuff like the upda

            • Alright I want examples. If I am going to consult I can save customers money by using the pro version.

              It seems slashdot as the last 5 years is turning into Stalins saying of repeat a lie enough and it will be truth. I see no reason why the enterprise version has more features.

              From what I read here from slashdotters the pro version has no GPO support whatsoever, all commercials that take up full screen ads, all updates forced with no settings, etc. I have news? I own 10 pro! I see nothing of the sorts other

              • by vux984 ( 928602 )

                If I am going to consult I can save customers money by using the pro version.

                I never said it would save money, per se. Although it might. Depending on how the per user enterprise licensing actually works out when it comes to VMs, desktops, laptops etc.

                From what I read here from slashdotters the pro version has no GPO support whatsoever, all commercials that take up full screen ads, all updates forced with no settings, etc. I have news? I own 10 pro! I see nothing of the sorts other than tinfoil hats getting +5s.

                I own it too, several copies (6+ at least in my household). I never said it didn't support GPOs or anything. And you are right, so far other than telemetry and some issues with updates, all the nonsense can be turned off. But I'm tired of rebooting my PC after a big update having to find some new crap that needs to be turned off on all

      • Yup, not Pro. It seems increasingly to be the case that "Pro" just means "Home; but can join the domain"; while all the actually pro features are Enterprise only.
        • What are they?

          Besides Telemetry I can not find any difference and this is repeated over and over like it is truth. What can the enterprise do that makes it worth renting my own computer over the pro?

    • Hooray! A security feature exclusive to Windows 10 Enterprise customers. That will substantially cut down on the actual difference this makes.

      Actually that could influence a lot of Slashdot readers. There's plenty of slashdotters working for the man, because that's where a lot of interesting jobs are. Unfortunately, Microsoft not giving an API for sandboxing will probably mean that these slashdotters will have to use Edge, because lots of Windows sysadmins will outlaw other browsers besides Edge :-(

      • Sure there are. %appdata%/lowrights is where apps like IE and Chrome are sandboxed with restricted privileges for threads

  • by jxander ( 2605655 ) on Monday September 26, 2016 @07:29PM (#52966529)

    Well, I already keep Win10 sequestered inside a VM, so now I'll be running a VM inside a VM?

    How's that meme go? "Yo dawg ... "

    • This reminds me of a scene from Aliens:

      Ripley: "These people are soldiers, Newt. They're here to protect you."

      Newt: "It won't make any difference."
    • Hyper-V in Windows 10 anniversary and server 2016 supported nested virtualization so yes it will work.

  • It sure would be nice if our OS ran every single program and app in its own private VM, with individually tailored permissions.
    • by somenickname ( 1270442 ) on Monday September 26, 2016 @07:55PM (#52966651)

      You could do this on linux if you wanted. Using a tool like firejail, you can run all your software in lightweight sandboxes (linux namespaces). It comes with custom profiles for 100+ desktop/server applications and it's easy to write more. I wouldn't recommend converting all of /usr/bin to run under firejail as this would certainly cause issues but, I run all my desktop applications with it and it's worked well.

      • It sure would be nice if our OS ran every single program and app in its own private VM, with individually tailored permissions.

        You could do this on linux if you wanted. Using a tool like firejail, you can run all your software in lightweight sandboxes (linux namespaces). It comes with custom profiles for 100+ desktop/server applications and it's easy to write more. I wouldn't recommend converting all of /usr/bin to run under firejail as this would certainly cause issues but, I run all my desktop applications with it and it's worked well.

        I believe FreeBSD/PC-BSD have a robust jail system as well. FreeBSD also has 'bhyve' and 'iohyve' which together can now support recent Windows versions that require UEFI support emulation.

        Howto here: http://pr1ntf.xyz/windowsunder... [pr1ntf.xyz]

        Haven't attempted it myself so I have no personal experiences or information on Windows versions and compatibility other than the blog article linked a

      • Isn't that what Qubes is all about? https://www.qubes-os.org/tour/... [qubes-os.org]
    • The only permission choices you will get is whether they share all of your data with everyone that pays or just 99% of it.

  • by stooo ( 2202012 ) on Monday September 26, 2016 @07:39PM (#52966581) Homepage

    >> Windows 10 Will Soon Run Edge In a Virtual Machine To Keep You Safe

    Correction : Windows 10 Will Soon Run Edge In a Virtual Machine as a desperate attempt to try to Keep You Safe

    • Actually: Windows 10 Will Soon Run Edge In a Virtual Machine as a desperate attempt to try to Keep You Safe from all the other threats to your privacy.

      Remember: It's hard to sell data everyone already has.

    • by Rob Y. ( 110975 )

      More like Windows 10 will Soon Run Edge in a Virtual Machine partly to keep you safe and mostly to have an advantage to hype over Chrome and Firefox, which already keep you pretty safe, but y'know, you can never have too much security.

      Why there's no provision to allow other apps to run this way is hard to fathom in any other context.

  • OS / Browser (Score:3, Insightful)

    by hunter44102 ( 890157 ) on Monday September 26, 2016 @07:41PM (#52966595)
    remember the days Microsoft said they cannot separate the browser. now they are forced to from a security standpoint
  • by xxxJonBoyxxx ( 565205 ) on Monday September 26, 2016 @08:05PM (#52966695)
    I don't think the author of the article understands what a password hash is if they think that passwords can be decrypted from them.
    • I don't think the author of the article understands what a password hash is if they think that passwords can be decrypted from them.

      They can and are. "Salting" the passwords with extra complexity makes it a lot harder (to the point of impractical to crack if done right) and is the usual practice now to avoid situations like this when it was not done right:
      https://techcrunch.com/2016/05... [techcrunch.com]

  • This is a good thing (Score:4, Informative)

    by Gumbercules!! ( 1158841 ) on Monday September 26, 2016 @08:15PM (#52966717)
    I know this is Slashdot and it's essentially illegal to say "good" and "Microsoft" in the same sentence but, "good". I don't plan on using Edge any time soon but I still applaud any security based efforts made by mainstream OS vendors, that can help improve things. I know this won't stop idiots downloading "movie.torrent.exe" and running it but at least it will significantly cut down on drive by downloads of malware through hacked ad servers and out of date Flash. That's got to be a good thing.
  • So this is basically saying that we can no longer depend on the OS to protect us against privilege escalation attacks. The bad guys will have to concentrate on breaking out of VMs or, at least in this case, attacking through the access that the Edge VM has to system resources.

    • So this is basically saying that we can no longer depend on the OS to protect us against privilege escalation attacks. The bad guys will have to concentrate on breaking out of VMs or, at least in this case, attacking through the access that the Edge VM has to system resources.

      No modern OS is immune to privilege escalation attacks. Even a formally verified OS would probably still be susceptible to them due to unexpected interactions. Never mind hardware based attacks such as race conditions and rowhammer. If

  • If you blow out the sandbox it's running in, you still lose all your browser data, and are now stuck without a browser unless you reload the OS or have already downloaded alternate browsers, which DON'T run sandboxed.

    Good fuckin' going!

  • Does this mean they'll finally fix network access for hyper-v hosted VMs when the host system is connected via wifi?

    Just that right now it's a fucking shitfest.

    Or maybe they're creating a whole new hypervisor for Edge, that will actually work.

    • It works fine on my surface pro 3. Maybe it is your hardware.

      You did create an external switch called Internet right? Hyper-V is a type 1 hypervisor that runs underneath the OS so it needs a switch created first before it can share it with the host OS that runs on top of it

      • by Cederic ( 9623 )

        https://blogs.msdn.microsoft.c... [microsoft.com] is a useful resource, that includes "Unfortunately, this approach does not always work."

        No, no it doesn't.

        I lost patience with the NAT approach. I'm not a Windows admin, a network specialist or a virtualisation expert so I decided to defer the day or two of learning and experimentation for when I have energy and time.

        Or Microsoft could fix the shitty hypervisor. Seriously, when it's easier to download software from Oracle you know there's something broken.

        • First off Hyper-V is a type 1 hypervisor. It runs underneath the OS as the host OS (in contrast to Vbox and VMware Workstation) is really another guest that runs on top of hyper-V.

          Basically the hostOS is the parent with more control of the children guests. it is like this as the hypervisor runs at ring -1 underneath the kernal at the cpu.

          I disagree as last weekend I cursed at VMware Workstation for being shitty in i/o and vowed never to run a type 2 hypervisor again. You need to create a switch as the paren

          • by Cederic ( 9623 )

            Just create a switch that is external and add that to yoru Vms and you should be good.

            I should, but I'm not. Welcome to Hyper-V.

  • by dbIII ( 701233 ) on Monday September 26, 2016 @09:36PM (#52967031)
    There used to a disclaimer every time an older VM program ran, I think it was "bochs", which told the user that a VM is not security.
    It only gives you the illusion of it.
    In reality the VM software has to get it's hooks so deep into the hosts networking and other sensitive bits that you can never be sure that software running on the client can't get up to nasty tricks on the host.

    If you want security design for security instead of taking the lazy way out of using something completely different done by someone else and pretend that partial separation for totally different reasons is equivalent to security.


    It's just like expecting to enter a Ford Bronco is a horse race. The name makes it sound like it belongs but it's not the same thing and was never intended to be.
    • by Raenex ( 947668 )

      Security is a spectrum, not a binary situation, and layered solutions provide benefits. So yes, a virtual machine providers security benefits, especially because virtual machines are used for security and violations that break that security are bugs.

      • by dbIII ( 701233 )

        So yes, a virtual machine providers security benefits

        Not really, and effectively zero if it exploits a bug in the VM. The point is these things have been designed without security in mind, they have been designed for a completely different purpose, so they can't ve described as "hardened" - not even the pathetic security catchup game being played with Hyper-V.

        • by Raenex ( 947668 )

          So you can guarantee being able to break out of the VM? I mean, you actually, personally, know that you could do this, and by what method, and could demonstrate it if called upon?

          • So you can guarantee being able to break out of the VM

            Now where did I say that? What's with the lies over something so trivial?
            I wrote what I wrote and not what the strawman in your head is up to.


            This is a very old and well understood problem ( http://www.csl.sri.com/users/r... [sri.com] ) and I suggest you learn about the implications instead of frothing at the mouth in denial.
            When the VM has been designed without security in mind and with hooks deep into the host at the kernel driver level without separation the

            • Read the paper to see how it should be and despair that the Virtual Machines we are talking about are nothing like how it should be.
            • by Raenex ( 947668 )

              Now where did I say that? What's with the lies over something so trivial?

              I'm not lying. I'm drawing an inference from your statements:

              "A VM is not security - idiots"
              "effectively zero if it exploits a bug in the VM"

              If security was as bad as you make it out to be, then why can't you demonstrate a hole?

              Read the paper to see how it should be and despair that the Virtual Machines we are talking about are nothing like how it should be.

              Thanks for the link, and I will read the paper. But imperfectly designed security that actually achieves some security in practice is better than not using a VM at all. I'll keep on using VMs as another layer of security.

              • by dbIII ( 701233 )
                I did not guarantee anything as you know - pretty fucking obvious lie.
                The paper goes into what you, I and many others wish for but we have been delivered the opposite - an application with enough security to stop the honest tacked on as an afterthought.

                Now work on that temper.
                • by Raenex ( 947668 )

                  Now work on that temper.

                  projection [wikipedia.org]

                  • by dbIII ( 701233 )
                    So says the guy who marked someone a "foe" to the person who did not do the same to to person calling him a liar.
                    Pretty fucking passively aggressively weak isn't it? you poor little boy - someone challenges your ignorance and you pretend your response is all my fault. The world must be a very hard place for you to live in.
                    • by Raenex ( 947668 )

                      So says the guy who marked someone a "foe" to the person who did not do the same to to person calling him a liar.

                      Projection sure is a bitch, isn't it? Turns you into a complete hypocrite and fool. Your handle was familiar, but I only remembered our previous entanglement later on. You marked me a foe (check your list) a long time ago, not the other way around. You called me a liar, not the other way around.

                      You're the angry one. All because I challenged your position.

                    • by dbIII ( 701233 )
                      Can you do anything other than whine and get things wrong?
                      All it took for me to find those examples you pretended could not possibly exist was a google search - but it turns out I didn't even have to do that - there is even a wikipedia article FFS!
                    • by Raenex ( 947668 )

                      Can you do anything other than whine and get things wrong?

                      That projection is still going strong. You say this after embarrassing yourself, accusing me of what you actually did, showing yourself the fool and the hypocrite.

                      All it took for me to find those examples you pretended could not possibly exist was a google search

                      Yes, I figured it was just a Google search, since you clearly demonstrated you didn't know of an open hole that exists today, despite claiming that a VM is not security. I know there have been VM security bugs in the past. I didn't need you to search that for me.

                      My point is that they have been fixed because VMs are being used for security. What I

                    • by dbIII ( 701233 )
                      You are bitching about all kinds of shit unrelated to the topic.
                      What does that tell you?

                      virtual machines are used for security

                      Idiocy, but not really yours - you have been fooled by marketing and are only spreading what you have been told.
                      If you had taken a look at wikipedia before using VMs for "security" then you would have known better.

                    • by Raenex ( 947668 )

                      You are bitching about all kinds of shit unrelated to the topic. What does that tell you?

                      That you're projecting again, because that's what you are doing. I'm just responding to your bitching, showing what a hypocrite and fool you are.

                      Idiocy, but not really yours

                      Yeah, it's yours. I'll use working and practical security even if it has design flaws. When pressed, you cannot demonstrate a working exploit today.

                    • by dbIII ( 701233 )
                      I can't help noticing that instead of addressing the examples I gave you decided to attack me instead.
                      Says a lot doesn't it?
                      I don't need to project do I?


                      Using a VM adds a new class of vunerability instead of security. If you want something for security use something designed for it instead of a totally different tool. You are suggesting something akin to hammering in a nail with a drinking glass - WRONG TOOL FOR THE JOB.
                    • by Raenex ( 947668 )

                      I can't help noticing that instead of addressing the examples I gave you decided to attack me instead.

                      I already responded to your examples. I can't help it if you're daft or willingly ignorant.

                      Says a lot doesn't it?

                      Says that you act angry, make a fool and hypocrite out of yourself, and then act like I instigated your nonsense.

                      Using a VM adds a new class of vunerability instead of security.

                      It also adds a new layer of security. If somebody exploits a zero-day in an app, they then have to exploit a zero-day in the VM it's running in. It also prevents a huge swath of attacks from malware that abuse typical permissions found in garden variety desktop setups.

                      If you want something for security use something designed for it instead of a totally different tool. You are suggesting something akin to hammering in a nail with a drinking glass - WRONG TOOL FOR THE JOB.

                      Uh huh. That's why you can't demonstrat

                    • by dbIII ( 701233 )

                      I already responded to your examples

                      A good analogy is that you responded to my proof that horses exist with a request for delivery of a very special pony.
                      Any chance of a real response instead of a pathetic goalpost shift?

                      Linux and BSD are both plagued with monolithic kernels

                      As is Microsoft Windows, OS X and nearly everything else. This is getting weird. Do you really know anything at all about the topic or did you just see my name and decide to try to bait me?

                    • by dbIII ( 701233 )

                      In the meantime, I'll keep on using VMs for security

                      What does your boss think of such an unusual choice for such a task instead of something actually designed for security? That is of course assuming you are doing more than just running a single Window XP instance on your desktop for legacy software and are actually doing what you suggest you are doing.

                      Perhaps your superiors could tell you about zones, jails, containers or the many other tools actually designed for the job?

                      BTW - here are a few more of th

                    • by Raenex ( 947668 )

                      A good analogy is that you responded to my proof that horses exist with a request for delivery of a very special pony.

                      No, that's a really dumb analogy. As I've already told you twice, I never asked for an old bug, as I knew they existed. I asked for a current bug. That this basic point eludes you this far into the thread means you are hopeless dumb or willfully ignorant.

                      As is Microsoft Windows, OS X and nearly everything else.

                      And they all suck when it comes to security exploits, because they are monolithic. Try reading the paper you linked and actually understand it.

                      Anyways, you're a waste of time. You've already embarrassed yourself enough with your hypocrisy and foolishness. N

              • by dbIII ( 701233 )

                I'm not lying. I'm drawing an inference from your statements

                Then look up the word "IF". You know it already? Then you are NOT drawing an inference from my statements.

                The virtual machine software we have directly interfaces with real hardware on a lot of levels - for example Virtualbox putting ethernet cards into promiscious mode. An exploit of the VM could very obviously exploit what the VM has full control over.
                I really don't get why you are so angry when such things are discussed.

              • by dbIII ( 701233 )

                If security was as bad as you make it out to be, then why can't you demonstrate a hole?

                It has been demonstrated as by others - it is such a well known problem that Wikipedia has an article on it:
                https://en.wikipedia.org/wiki/Virtual_machine_escape
                Symantec have written about it:
                https://www.symantec.com/avcenter/reference/Virtual_Machine_Threats.pdf
                and there have been items in the news:
                http://www.darkreading.com/risk/hacking-tool-lets-a-vm-break-out-and-attack-its-host/d/d-id/1131254?

                Jails, zones and some o

    • Actually if it is hardened it can certainly help.

      Windows 10 anniversary and server 2016 have safeguarded and hardened VM support in Hyper-V it calls shielded. I./O is limited accept through a layer and network hardening means it won't accept rogue IP addresses as routers which is a classic hacker scheme.

      It is easy to spoof an IP address and advertise as a router to poison DNS as an example.

      This would certainly help against this kind of attack.

      • by dbIII ( 701233 )

        Actually if it is hardened it can certainly help

        The point is these things have been designed without security in mind, they have been designed for a completely different purpose, so they can't be described as "hardened", not even the catchup game years after design with your example.

  • I mean, really, what will keep me safe from the egregious data harvesting of Windows 10? If I do not trust the operating system, then I do not trust anything the operating system does.
  • How about "Windows 10 Will Soon Run Edge In a Virtual Machine For Increased Security"? Ya know...something that doesn't sing the praises of the Benevolent Leader?
  • Thats pretty much throwing the towel and admiting "hey, we just can't get security right".

    • by AHuxley ( 892839 )
      The ads still have to get out, so does the marketing depending on the privacy settings.
      With all the holes and compromise made to let tracking and ads work down to an OS level, expect a few easy ways in and out.
    • Edge != IE 6.

      IE 8 and above had Chrome style security with sandboxing by default and lowrights mode in c:\users\user\%appdata% since 2009! No you did not misread that.

      I still do not use Edge/IE 11 unless I am at work using a corporate site though :-)

      But regardless people need to wake up that it is not 2004 anymore. Any browser that executes code needs to be in a VM sadly if you run from untrusted sources. Flash and javascript execute code which makes them insecure. Even with a sandbox and threading per proc

  • A Good start (Score:4, Interesting)

    by Anonymous Coward on Monday September 26, 2016 @10:54PM (#52967337)

    A good start. But I run the Windows virtual machine inside a virtual machine, because Windows 10 can not be trusted. I don't store any personal information on it, and use it just for games.

    Windows runs BETTER virtualized, because it has simpler hardware, that Microsoft programmers can understand.

    No running for driver CD's, or having Windows brick my machine.

    I can roll back updates just by copying a file.

    The way Windows should be run.

  • Who comes up with these acronyms? That guy needs to get fired.
  • I could mistype something when I'm downloading Chrome and end up in trouble.

  • Basically, all businesses are going to have to subscribe to Windows 10 Enterprise if they want the features they were used to getting from Pro in the past. Microsoft should just merge Home and Pro into one edition and call it Consumer or Ad-and-Telemetry-Supported or something. A lot of places, including my workplace, have been used to getting the features we need from the OEM license of the Pro version of Windows shipped with the PC. This is how Microsoft is going to work around the claim they won't be cha

    • What is wrong with the pro version?

      I keep seeing that repeated here but only thing I can find it typing history isn't recorded.

      My thinking is home users desperately need something like this if it uses shielded VM's that is in hyper-v in server 2016 and Windows 10 anniversary edition as corporations have Junipers and Cisco devices configured for things like rejected spoofed IP addresses and rogue IP's pretending to be routers to poison DNS etc. Home based routers lack these options.

      A network shielded VM can

      • "What is wrong with the pro version?"

        The main complaint I have is that the Pro version lacks certain key features that Enterprises might like. There's no way to disable some of the telemetry/tracking in the Pro version, you can't run the LTSB in Pro, and it's looking like all the interesting stuff is being locked behind that Enterprise edition/subscription. Pro used to be just fine for most enterprises, but now way more companies are going to have to pay monthly for the license to use an OS that the OEM shi

        • Thanks for your reply

          So basically you can opt out of the defered updates of delaying 3 to 4 months of updates to 10 like in the pro to 10 years. That can be a plus for certain industries like hospitals that need to have a certified FDA approved image.

          Anything else? Especially for home users or even medium sized businesses for renting computers. I kind of like the idea of different channels like the pro where you can be 1 version behind with security or go older for just security updates.

  • They say it's not a virtual machine, just an environment that only allows a subset of APIs and capabilities required for the browser to work... Sounds like what SELinux policies do

  • Windows 10 sucks!
  • strange, that they do not recommend to use a dedicated pc for edge.

The reward for working hard is more hard work.

Working...