
Published on May 25th, 2019

Microsoft’s Chrome Security Extension Diverts Windows 10 Users To Microsoft Edge Instead



Microsoft has released a security extension for Google Chrome that isolates untrusted websites away from the underlying Windows 10 operating system. How the flaming heck does it achieve that, do I hear you cry? By diverting the user away from Chrome and into a Microsoft Edge browser session instead, of course…

Available only to users of the latest versions of Windows 10 Professional, Windows 10 Enterprise and Windows 10 Education, the extension works as part of the hardware-based isolation that Microsoft's Defender Advanced Threat Protection (ATP) brings to the security party. To be more precise, it brings the virtualized sandboxing protection of Windows Defender Application Guard out of the Microsoft Edge realm that it was previously restricted to. Well, sort of.

The Windows Defender Application Guard was first seen in Windows 10 last year and this announcement from the Windows platform security team promises the same attack surface reduction technology to a wider Windows 10 userbase who prefer to do their browsing in Chrome, or Mozilla Firefox as there's also an extension for that browser. Those users will probably be disappointed to learn that this new security function will quickly move them away from their browser of choice and dump them straight back into Microsoft's own browser. It only does this when detecting an untrusted website, which is any URL that has not previously been whitelisted by the system administrators.

The extension uses a native application from Microsoft to support communication between the browser and the device's Application Guard settings. As long as the enterprise administrator has defined the network isolation settings so that a set of trusted external websites and internal resources exists, and the new Windows Defender Application Guard companion application has been installed, the user will be redirected to the Microsoft Edge session if they try to visit any untrusted resource.
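A simplified model of the routing decision described above, as an added example (not Microsoft's extension code). The trusted-list entries, the leading-dot subdomain convention and the function names are assumptions made for illustration.

```javascript
// Added example: default-deny routing against an admin-defined trusted list.
// Assumed entry format: "host" matches exactly; ".host" matches the host
// itself and any subdomain of it.
const TRUSTED_SITES = ["intranet.corp.example", ".contoso.example"]; // constructed sample

function hostIsTrusted(host, trusted) {
  const h = host.toLowerCase().replace(/\.$/, ""); // drop trailing root dot
  return trusted.some((entry) => {
    const e = entry.toLowerCase();
    if (e.startsWith(".")) {
      const base = e.slice(1);
      // Match on a label boundary so "evilcontoso.example" is not trusted.
      return h === base || h.endsWith("." + base);
    }
    return h === e;
  });
}

function routeNavigation(rawUrl, trusted = TRUSTED_SITES) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return "isolated"; // unparseable input is treated as untrusted
  }
  // This model only decides on web navigations.
  if (url.protocol !== "https:" && url.protocol !== "http:") return "not-handled";
  // url.hostname is the real destination; any userinfo before "@" is ignored.
  return hostIsTrusted(url.hostname, trusted) ? "host-browser" : "isolated";
}

// Constructed sample navigations, including lookalike hosts.
const samples = [
  "https://intranet.corp.example/wiki",
  "https://portal.contoso.example./",
  "https://contoso.example@evil.example/login",
  "https://contoso.example.evil.example/",
  "https://evilcontoso.example/",
];
for (const s of samples) console.log(routeNavigation(s).padEnd(13), s);
```

Anything not positively matched falls through to the isolated session, so a mistake in the list costs convenience rather than exposure.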

From this Hyper-V-enabled container, which runs inside a virtual machine and so provides full isolation from the underlying Windows operating system and network, all untrusted sites are navigable. Extra functionality to automatically switch users who enter a trusted resource URL while within this isolated environment back to Chrome is "upcoming" according to Rona Song from the Windows platform security team who made the announcement. "While modern browsers are continuously working to mitigate vulnerabilities," Song said, "there are still exposures across these complex engines that can lead to irreversible and costly damages."

Song also said that users navigating to sites not explicitly defined as enterprise-trusted can do so "without any risk to the rest of system." While this might be technically correct as the rest of the system is isolated from the browsing session, I am always wary of seeing the "no risk" bomb being dropped. Not least as there could still be a risk to the business, and a risk to the user, if they land at a website designed to fool them into entering their login credentials. So yes, it will prevent malware from coming into contact with the network or operating system and that's a really good thing. After each browsing session the container it was operating in is effectively destroyed, which means any malicious code that may have been downloaded is destroyed along with it.

However, this type of defensive technology cannot shield the user from the social engineering threat. Defense in depth must always be the mantra for any organization looking to have as solid a security posture as possible, and neither this new extension nor the Windows Defender Application Guard itself changes that.




