Client software, such as Windows .exe files, poses security risks but also adds important functionality that cannot yet be replicated with web applications. These risks can be mitigated by running client software inside a sandbox. Virtual machines offer an easily deployed mechanism to create such a sandbox.
This motivates two key questions: Are today’s virtual machine mechanisms sufficient to prevent harm from malicious software? Even if they are sufficient, does it matter – is it the case that everyone has moved on to web applications? We address these questions by carrying out a survey of three populations of computer users: two within Microsoft and one drawn from U.S. users of the Amazon Mechanical Turk service.
We note three key findings: First, all three populations download and run client software regularly: Over 70% of respondents in all three popluations download and runs client software monthly or more often. Second, use of virtual machines for sandboxing is rare and inconsistently applied: 68% of respondents in all three populations say they use virtual machines “occasionally” or less often. Third, of those who gave a reason for not using VMs, 44% say it is “too hard.” We conclude that today’s users are exposed to risk from client software and that today’s sandboxing mechanisms are inadequate to protect them.