How secure is "Browser in the Box"?
From their product page, we can infer a lot about how their system works. Here are the key points:
- Can be used with Windows XP and Windows 7
- Comes with: VirtualBox 4.0.16, hardened Linux Debian 6 and SELinux and Firefox
- Browser execution takes place in separated virtual machine with own operating system
- Downloaded files are first scanned and then provided to user Configurable security polic for copy & paste, download, upload and printing
- Reset to certified initial snapshot upon each start of the browser
- Configuration data of the browser can be stored persistently and are retained for restart
So apparently it runs Firefox on Debian 6 Linux with SELinux inside a virtual machine running inside VirtualBox, on a host that must be Windows.
As for how secure that is, for the most part, it's the same as running a browser inside a Linux VM in VirtualBox with a snapshot you roll back every time you want to reset. Except that they are actually using a very outdated version of VirtualBox from 2012, which is probably a bad idea for lack of security updates. I get the feeling development on this product is abandoned.
While a virtual machine does add security, virtual machine breakouts do exist, and VirtualBox has be on the receiving end of such exploits before.