After outing the Chromium-based Edge preview, Microsoft has released a new extension that brings to Google Chrome and Mozilla Firefox a hardware-based security feature that should protect users from web-based malware.
The extension, dubbed Application Guard under the Windows Defender brand, redirects dodgy websites to an isolated instance of the Microsoft Edge browser in a container on a Windows 10 machine.
That means Chrome and Firefox users on Windows 10 with the Application Guard extension could open a link on the non-Microsoft browsers and then have the website open in a shielded instance of Edge, which Microsoft recently rebuilt on top of Google’s open source Chromium code.
The Application Guard extension relies on Microsoft’s Hyper-V virtualisation technology to isolate untrusted files from the internet.
“If an untrusted website turns out to be malicious, it remains within Application Guard’s secure container, keeping the device and your enterprise data protected,” Microsoft explains.
Microsoft thinks the hardware-based isolation technology, which separates the operating system from the normal operating environment, such as memory and local storage, will be valuable to organizations that use different browsers to ensure users can access the web and internal apps.
“We know that many of our customers depend on multi-browser environments to allow enterprise apps to meet various compatibility requirements and enable productivity. And while modern browsers are continuously working to mitigate vulnerabilities, there are still exposures across these complex engines that can lead to irreversible and costly damages,” said Rona Song of Microsoft's Windows platform security team.
To illustrate the risk to multi-browser environments, Microsoft highlights that in 2016 and 2017 there were fewer than 600 security bugs per year across Edge, Internet Explorer, Chrome, and Firefox. In 2018 there were nearly 800 known security flaws.
Microsoft is also stripping Google’s implementation of over 50 different services that were tied to Google and either turning them off or replacing them with its own services.
When users of Chrome and Firefox with the Application Guard extension installed open a link, the extension checks the URL against a whitelist of sites defined by an admin. If the site is not on that list, it’s considered “untrusted” and the user is redirected to a safe and hardware-separated Edge session.
“In the isolated Microsoft Edge session, the user can freely navigate to any site that has not been explicitly defined as enterprise-trusted by their organization without any risk to the rest of the system. With our upcoming dynamic switching capability, if the user tries to go to an enterprise site while in an isolated Microsoft Edge session, the user is taken back to the default browser,” Microsoft’s Song explains.
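The routing decision described in the two paragraphs above can be sketched as follows. This is an added example, not Microsoft's extension code: the policy format (exact hostnames, or a leading "." for a domain and its subdomains), the site names and the function names are all assumptions made for illustration.

```javascript
// Added illustration; not Microsoft's extension code.
// Assumed policy format: exact hostname, or leading "." = domain plus subdomains.
const TRUSTED_SITES = ["intranet.contoso.example", ".corp.contoso.example"]; // constructed

function isEnterpriseTrusted(rawUrl, trusted = TRUSTED_SITES) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return false; // unparseable input is never trusted
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return false;
  // URL.hostname is lower-cased and excludes userinfo and port, so
  // "https://intranet.contoso.example@evil.example/" yields "evil.example".
  const host = url.hostname.replace(/\.$/, ""); // drop a trailing root dot
  return trusted.some((entry) => {
    const e = entry.toLowerCase();
    if (e.startsWith(".")) {
      // Match on a label boundary, never on a bare string suffix.
      return host === e.slice(1) || host.endsWith(e);
    }
    return host === e;
  });
}

// context: "default" (Chrome/Firefox on the host) or "isolated" (Edge in the container).
// The "isolated" -> default hand-off models the dynamic switching the article calls upcoming.
function routeNavigation(context, rawUrl) {
  const trusted = isEnterpriseTrusted(rawUrl);
  if (context === "default") return trusted ? "stay" : "open-in-isolated-edge";
  return trusted ? "return-to-default-browser" : "stay";
}
```

Matching on the parsed hostname rather than the raw URL string is what keeps look-alike URLs (userinfo tricks, trusted names used as a prefix of another domain) out of the trusted path.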
The security feature is only available for systems with a 64-bit processor and 8GB of RAM, running specific versions of Windows 10 above the Home edition. The general requirements for availability are that the systems are running the Windows 10 Professional, Enterprise, and Education SKUs, version 1803 and later, with the latest updates.
Admins would also need to enable Windows Defender Application Guard, change network settings and install a new Windows Defender Application Guard companion app from the Microsoft Store. Only after this should the admin install the Application Guard extension for Chrome or Firefox. After that, each device needs to be restarted.