Microsoft connects rival browsers to Windows 10's Application Guard
Credit to Author: Gregg Keizer | Date: Tue, 26 Mar 2019 03:00:00 -0700
Microsoft earlier this month released a pair of add-ons for Google’s Chrome and Mozilla’s Firefox to cobble together an unwieldy connection between those browsers, Edge and Windows 10’s advanced security technology, Windows Defender Application Guard (WDAG).
The debut of the browser extensions (separate add-ons for Chrome and Firefox) was quietly plugged at the end of a March 15 blog post describing a recent Windows Insider build. That build, 18358, will lead, presumably next month, to Windows 10’s next feature upgrade, labeled 1903 and also called Windows 10 April 2019 Update.
It’s unclear whether the extensions, or the Windows Store companion app users must also install, depend on 1903 and later; they’re currently available to PCs running earlier versions of Windows 10. (WDAG itself is not offered on the Home edition; it is a Windows 10 Pro and Enterprise feature, so the add-ons do nothing useful on a PC that lacks it.)
According to Microsoft, the combination of companion app and browser add-on for Chrome or Firefox “automatically redirect untrusted navigations to Windows Defender Application Guard for Microsoft Edge.”
Microsoft hasn’t brought Chrome and Firefox under the Windows Defender Application Guard (WDAG) roof or woven the technology into the browser rivals of Edge.
But users should be excused for thinking that’s what the Redmond, Wash. company did: More than a few news stories and blog posts breezed over the fact that WDAG will remain Edge-only. Even Microsoft’s account of the necessary Windows 10 app was vague enough to be mistaken as a porting of WDAG to Chrome and Firefox. “This companion app enables browsers other than Microsoft Edge to work with Windows Defender Application Guard,” the app’s Store description read.
In point of fact, Chrome or Firefox simply pass along an untrusted site to Edge, which then opens it in a virtualized container, just as if Edge had been steered to the site directly while protected by WDAG.
“When users navigate to a site, the extension checks the URL against a list of trusted sites defined by enterprise administrators,” wrote Microsoft employees Dona Sarkar and Brandon LeBlanc in the blog post. “If the site is determined to be untrusted, the user is redirected to an isolated Microsoft Edge session.”
Meanwhile, the Windows Store app handles “the communication between the browser [Chrome, Firefox] and the device’s Application Guard settings,” Sarkar and LeBlanc explained.
Rather than grant Chrome and Firefox the power to use WDAG – something that may, in fact, be extremely difficult or even impossible – Microsoft is simply shunting a URL entered in one browser to another browser, where it’s opened.
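The decision the extension makes, as the blog post describes it, is a simple one: compare the destination host against an administrator-defined list of trusted sites and hand everything else to the isolated Edge session. The following is an added example of that allow-list check, not Microsoft’s extension code; the list format is an assumption (each entry is a bare host name that matches itself and its subdomains), and the function and constant names are hypothetical. The security-relevant detail it shows is that the comparison must respect DNS label boundaries, otherwise an attacker-controlled `contoso.com.evil.example` or `evilcontoso.com` would be treated as trusted and opened outside the container.

```javascript
// Added example (not the Windows Defender Application Guard extension's own code).
// Assumed list format: bare host names; an entry matches that host and its subdomains.

// Constructed sample policy, as an enterprise administrator might define it.
const TRUSTED_SITES = ["contoso.com", "sharepoint.com", "intranet.local"];

// Return the normalised host name of a navigation, or null for anything the
// extension should leave alone (about:, chrome://, file:, or not a URL at all).
function navigableHost(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return null;
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  // URL() already lowercases the host; also drop a trailing dot ("contoso.com.")
  // so the FQDN spelling cannot slip past an exact comparison.
  return url.hostname.replace(/\.$/, "");
}

// Match only on label boundaries: "contoso.com" must not match
// "contoso.com.evil.example" (substring) or "evilcontoso.com" (suffix).
function hostMatchesEntry(host, entry) {
  const e = entry.toLowerCase().replace(/^\.+/, "").replace(/\.$/, "");
  return host === e || host.endsWith("." + e);
}

// Decide where a navigation should open, mirroring the behaviour the article
// describes: trusted hosts stay in the current browser, untrusted ones are
// redirected to the isolated Edge session, everything else is left untouched.
function classifyNavigation(urlString, trustedSites = TRUSTED_SITES) {
  const host = navigableHost(urlString);
  if (host === null) return { action: "ignore", host: null };
  // An IP literal is never covered by a domain entry; treat it as untrusted.
  const isIpLiteral =
    /^\[.*\]$/.test(host) || /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
  if (!isIpLiteral && trustedSites.some((e) => hostMatchesEntry(host, e))) {
    return { action: "stay", host };
  }
  return { action: "redirect-to-application-guard", host };
}

// Demonstration on constructed navigations.
const SAMPLE_NAVIGATIONS = [
  "https://intranet.contoso.com/timesheets",
  "https://CONTOSO.COM./",
  "https://contoso.com.evil.example/login",
  "https://evilcontoso.com/",
  "http://10.0.0.5/admin",
  "about:blank",
];
for (const nav of SAMPLE_NAVIGATIONS) {
  const { action, host } = classifyNavigation(nav);
  console.log(`${nav} -> ${action}${host ? ` (${host})` : ""}`);
}
```

In a real extension this check would run from a `webNavigation` or `webRequest` listener and the redirect would be handed to the companion app; the example stops at the decision so that the matching logic itself can be exercised offline.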
In that way, it’s reminiscent of a Windows 10 feature available since the operating system’s mid-2015 debut: Enterprise Mode. That feature was meant to ease the transition to Windows 10 by letting IT administrators designate sites that would be opened not in Windows 10’s default Edge but in Internet Explorer 11 (IE11), the legacy browser retained to support technologies, notably ActiveX, and document modes that Edge dropped. In Enterprise Mode, sites and apps flagged as IE11-only opened in that browser; all others appeared in Edge.
Sarkar and LeBlanc said the move was prompted “to extend our container technology to other browsers and provide customers with a comprehensive solution to isolate potential browser-based attacks.”
As is typical, there’s almost certainly more to Microsoft’s rationale than that customer-first partnership with rivals.
First of all, embracing the two competitors, especially Chrome with its 67% user share, was yet another acknowledgement by Microsoft that its own Edge has been a flop. Much like the Redmond, Wash. company’s decision late last year to abandon its own browser technology for Chromium, the open-source foundation of Chrome, this move was an admission of Edge’s anemic growth; only about 12% of Windows 10 users ran Edge in February, according to Net Applications.
If users wouldn’t come to Edge and WDAG, Microsoft would bring the browser and defensive technology to Windows 10 users by co-opting Chrome and Firefox.
But why bother? Because WDAG is one of the defining enterprise security technologies of Windows 10, and if few are using it, because few run Edge, Microsoft needs to go where the users are to ensure customers work with WDAG enough to value it.
The big question underlying the add-on offer is what Microsoft will do with WDAG when it takes Edge “full-Chromium” by using the same rendering and JavaScript engines as Chrome.
It’s not known if Microsoft can replicate WDAG on a non-EdgeHTML browser (EdgeHTML is the name of Edge’s original, Microsoft-made rendering engine). The two, WDAG and Edge, may be too intertwined to transport the former to, say, Chrome or a Chromium-based browser. The add-on approach is a sub-optimal process that leaves users with two browsers and two browser user interfaces, shuttled back and forth between them; it would seem to be a tacit confession that WDAG can’t be made native to Chrome.
If that’s the case, then this may be how WDAG survives the Chromium-ization of Edge. When Edge is full-Chromium, the same extension just issued for Chrome should also work on that Edge, since Chromium-based Edge runs Chrome extensions. WDAG would be called up when necessary by the same mechanism, where an instance of Edge, the original EdgeHTML Edge, runs the untrusted site in isolation.
That, of course, would require Windows 10 to retain the underlying technology of “original Edge,” just as it has retained IE11. In turn, that would require Microsoft to patch three browsers inside Windows 10: IE11 for as long as it’s supported, original Edge and full-Chromium Edge.