Microsoft appears to be working on a new technology that will isolate untrusted software by placing it into a virtual machine.
Windows-watchers have spotted the new feature, called “InPrivate Desktop”, in discussions about Windows 10 previews. Since-deleted Microsoft documents said it “provides admins a way to launch a throwaway sandbox for secure, one-time execution of untrusted software.”
“This is basically an in-box, speedy VM (virtual machine) that is recycled when you close the app!”
If accurate, the document signals that Microsoft is adopting a new approach to endpoint security that’s recently become popular in the data centre.
It looks like Microsoft’s plan is to leverage the desktop version of its Hyper-V hypervisor, which is present in most versions of Windows 10 but requires knowledge of some deep settings to enable. Hyper-V on the desktop is mostly used by developers who need VMs running operating systems other than Windows 10.
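For readers who want to see what “deep settings” means in practice, here is an added example (not from the article or from Microsoft’s InPrivate Desktop documentation) that checks whether a Windows 10 machine can run Hyper-V and whether the optional feature is already enabled. It uses only standard cmdlets (`Get-ComputerInfo`, `Get-WindowsOptionalFeature`, `Enable-WindowsOptionalFeature`); it must be run from an elevated PowerShell session, and the `-WhatIf` style check-before-enable flow is this example’s own design, not a Microsoft procedure.

```powershell
# Added example: inspect and, optionally, enable the desktop Hyper-V role.
# Run in an elevated (Administrator) PowerShell session on Windows 10.
# Hyper-V is not offered on Windows 10 Home, so the feature lookup may fail there.

# 1. Firmware/CPU prerequisites as reported by Windows itself.
#    All four HyperVRequirement* values must be True for the hypervisor to start.
$info = Get-ComputerInfo -Property HyperV*
$info | Format-List

if ($info.HyperVisorPresent) {
    Write-Host "A hypervisor is already running (Hyper-V or another VBS/hypervisor-backed feature)."
}

# 2. State of the optional feature: 'Enabled' or 'Disabled'.
$feature = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -ErrorAction Stop
Write-Host "Microsoft-Hyper-V feature state: $($feature.State)"

# 3. Enable the role (and its management tools) only if it is not already on.
#    -NoRestart lets the admin schedule the reboot; the hypervisor loads on next boot.
if ($feature.State -ne 'Enabled') {
    Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All -NoRestart
    Write-Host "Hyper-V enabled; a restart is required before VMs can be started."
}
```

The point of the check in step 1 is that the feature can be switched on while virtualization extensions are still disabled in firmware; in that case the role installs but no VM will boot, which is exactly the kind of failure an end user would hit if InPrivate Desktop did not hide Hyper-V setup from them.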
InPrivate Desktop appears to create a guest Windows 10 VM without an end-user needing to know that Hyper-V even exists, never mind how to drive it. The new feature does so in order to isolate the software in its own instance of Windows 10 before it can alter the host PC, which is what most malware tries to do.
Others like this approach too: VMware and Citrix both have data centre products that inspect VMs to ensure they’re behaving as expected. If they’re not, the VM is isolated from the host. Security vendor Carbon Black isolates whole endpoints to stop one infected machine delivering a dodgy payload to others.
Details are scarce at this stage but if Microsoft uses this technology to automatically isolate any executable that’s not trusted or expected on a PC, it will improve Windows 10’s security by just making it harder for unexpected software to get a toehold in a PC. It could also be a handy adjunct to Windows 10 S, the new mode for Windows 10 that only allows users to run software from the Microsoft store.
There’s a risk that hardening Windows 10 in this way could irritate endpoint security vendors by allowing Microsoft to make a case that businesses can contemplate a little less on-PC protection.
Accepting that argument would not be wise: malware-makers long ago mastered the trick of detecting if their wares are running in a VM so that they can prevent white hat hackers from watching them try to escape isolation.
One more thing: in mid-2017 Microsoft established bug bounties for Hyper-V. And fair enough too given that Azure uses it for countless cloudy VMs. But perhaps Microsoft was also making sure the hypervisor was ready to take on a new role on the desktop.