> WebKit: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
It’s also not an install most users are hunting down, it’s pretty much automagic. It mostly supports your point though, as this is why auto update exists.
But that's an enormous "if" that the vast vast vast majority of that big scary number getting patched don't actually have to deal with. The point isn't that getting compromised is a minor inconvenience; it's that what the VM protects against is such a rare major inconvenience that it's multitudes of times more inconvenient over time to constantly deal with the smaller inconvenience of running browsing through a VM instead.
YOLO works until it doesn't. It's usually self-correcting. In business, it may be corrected by involuntary regulation.
Browser VMs are not the only option. Regular OS wipe/install is another, e.g. rotate between two dedicated browsing devices with native performance. One indicator of a compromised device is a reduction in perceived performance.
HP SureClick or MS AppGuard Edge is another level of complexity: every network connection and browser tab is a separate stateless micro-VM whose output is dynamically composited into a single display, with optional analytics of traffic and malware within each isolated micro-VM.
As for "I'm not important enough to be a target", some humans are on education or career paths to change that calculation. Some adversaries may see value in early access to up-and-coming targets. As the cost of targeting falls, the bar for "important enough" also falls.
You can't just say it could be bad one day therefore everyone should do <x> now - that's just fear mongering, not supportive reasoning. For instance, it could be everyone falls victim to a hypervisor security bug so nobody should trust VM browsing. It could be everyone falls victim to a firmware bug so nobody should trust reusing a device. At some point you have to accept that having the possibility of a bad scenario isn't enough on its own, it needs to be actually weighed and compared.
Sure, there are e.g. certain high security businesses or certain high risk individuals that should consider higher security options (or in some cases regulation therefore). That it's certain conditions is precisely why it isn't for the vast majority though, if it were you wouldn't need to specify corner cases.
Security is about judging how to stay as far up the curve as you can without it costing you more than you'd realistically lose to do so. It is not about closing every conceivable hole in your attack surface to achieve minimal risk.
I'd also add there is a counter to the always increasing cost/reward ratio of targeting: the always decreasing amount of complexity of implementing the security mitigations for the "next level" of security. In a decade browsing via VM may be commonplace for the average user (though probably more persistently for that use case) and not require a thought to use. That doesn't make it any different for today but it points out there is more than "threats have increased" that can change what's a reasonable place to be on the security curve.
> You can't just say it could be bad one day therefore everyone should do <x> now
Who said "everyone" or "one day"? It's bad today, especially for those who assume they are not affected, even though they have never done forensics to test that assumption.
An example: most software incorporates other software as dependencies. As a developer, if a downstream consumer of your software is regulated, your software business could be regulated as a dependency. This also applies to open-source projects. If your software becomes regulated, then the dev/build environment for that software may be regulated. The details are being worked out now, this is not some distant future. https://fossa.com/blog/cybersecurity-executive-order-softwar...
The time will come when more endpoint devices will not be able to connect to sensitive services, because of missing security properties of the endpoint. The definition of sensitive services could be regulated, e.g. CI/CD system. As a software developer, that could mean your dev workstation (including browser configuration) cannot be used to change/publish code without clearing a security bar. https://docs.microsoft.com/en-us/security/compass/privileged...
> there is more than "threats have increased" that can change what's a reasonable place to be on the security curve.
Yes, there is also "damages have increased", so more stakeholders have an interest in consensus definitions and enforcement of reasonable, in specific contexts.
We're a couple layers deep now but the question that started the chain was:
> I’m curious why this isn’t a more popular setup?
If we're no longer talking about that but saying general security implementations and requirements will be tighter at some point in the future then sure, full agree. If we're talking about VM based browsing and why people aren't using it today then I'm not sure how any of this applies outside a tiny fraction of a percentage of machines browsed from.
Downloads are a primary usage in the browser for me, and copy/paste is too.
Do you not find that this and the ‘control v’ versus ‘command v’ thing drive you mad?
How do these (relatively minor) things get solved? Key remapping might do the latter.