[return to "Qubes OS 3.1 has been released"]
1. krylon+wj 2016-03-10 20:34:19
>>jfreax+(OP)
I remember reading a discussion a couple of years back where somebody wondered why Microsoft did not go a similar route for Windows. The original context was backwards compatibility with applications written for older releases of Windows.

But given the general security situation on Windows, it would be really nice to have, for example, the browser strongly isolated from the rest of the system.

The idea of using virtualization to enforce stronger isolation between different parts of the system seems like a good one, and it does not appear to be that non-obvious (of course, in hindsight so many things do).

2. nickps+621 2016-03-11 05:33:19
>>krylon+wj
Microsoft is doing all sorts of things for security. They added ways to remove privileges from apps, rolled out SDL reducing vulnerabilities tremendously, implemented Windows Integrity Controls with IE at lowest level, added EMET, added whitelisting, pushed managed code, started designing sandboxing schemes like Xax architecture, added a hypervisor (Hyper-V), did mathematical verification on it, and so on. I can easily say Microsoft is putting more work into security in their various layers than Linux/BSD, even OpenBSD in some ways.

Thing is, there have been third-party solutions to handle virtualization-based security for Windows for anyone willing to buy them. People mostly don't. So, Microsoft rightly doesn't give a shit. It's why I tell people to use third-party enhancements if they rely on Windows or switch to Linux/BSD due to greater options for security, not to mention what CompSci is cranking out for them.
