Microsoft bolsters Edge browser security with improved features
The latest protections unveiled
Microsoft has added new security features to its Edge browser, building on the “Super Duper Secure Mode” that was unveiled late last year.
A new experimental security feature, this mode is designed to minimize the risk of browser attacks by disabling the Just-In-Time (JIT) component in the V8 engine – a feature that greatly improves speed and usability, but which has been associated with numerous security vulnerabilities.
Since the launch of Super Duper Secure Mode, says Johnathan Norman, Microsoft Edge Vulnerability Research Manager, most users who have enabled the feature report not noticing any issues or performance compromises.
“84% of users who enabled the feature never disabled it. This was surprising since we still don’t have WASM [WebAssembly] working. An even bigger surprise is that performance/speed wasn’t a common complaint. In fact, it was least often cited as a problem,” he said in a tweet.
“Most users have complained about the lack of WASM support. Of the users who disabled the feature, 42% clicked ‘other’ and described issues with WASM, 29% explicitly called out website compatibility, and 15% selected ‘pages load slowly’. In most cases, the lack of JIT was not an issue.”
Microsoft has added new security protections to Edge, including Control-flow Enforcement Technology (CET), which implements a separate shadow stack to protect return addresses, and Arbitrary Code Guard (ACG), which prevents dynamic code generation in renderer processes.
“Additionally, we are excited that Microsoft Edge now supports both forward and backward control flow protection. By applying these protections, we can provide defense in depth that extends beyond JIT attacks,” Norman said.
Microsoft is also experimenting with providing unique, user-tailored bypass lists based on Chromium Project user site engagement scores.
The browser maker is also building a new WASM interpreter named DrumBrake. Currently, a compiler converts WASM code into machine instructions, which requires writable and executable pages in memory.
However, memory allocated to WASM is often used by attackers to run their own code in exploits – and while enabling ACG prevents this, it also breaks WASM.
DrumBrake’s goal is to provide a secure WASM environment that unlocks the most common WASM use cases without requiring JIT.
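To illustrate why interpreting WASM needs no writable-and-executable memory, here is an added C example (not Microsoft's code and not DrumBrake's actual design) that runs a small subset of real WASM opcodes purely as data. The function names, the stack limit and the sample bytes are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Real WebAssembly opcode values; only this small subset is handled. */
enum { OP_END = 0x0B, OP_LOCAL_GET = 0x20, OP_I32_CONST = 0x41,
       OP_I32_ADD = 0x6A, OP_I32_SUB = 0x6B, OP_I32_MUL = 0x6C };
#define STACK_MAX 16

/* Decode a LEB128 immediate (signed or unsigned); 0 on truncated/overlong input. */
static int read_leb32(const uint8_t *c, size_t len, size_t *pc, int is_signed, uint32_t *out) {
    uint32_t v = 0; unsigned shift = 0; uint8_t b;
    do {
        if (*pc >= len || shift >= 35) return 0;
        b = c[(*pc)++];
        v |= (uint32_t)(b & 0x7F) << shift; shift += 7;
    } while (b & 0x80);
    if (is_signed && shift < 32 && (b & 0x40)) v |= ~(uint32_t)0 << shift; /* sign-extend */
    *out = v; return 1;
}

/* Hypothetical interpreter loop: bytecode is only ever read as data, so no page
 * must be writable and executable. Returns 0 on success, -1 on malformed code. */
int wasm_interp(const uint8_t *c, size_t len, const int32_t *locals, size_t nlocals, int32_t *result) {
    uint32_t stack[STACK_MAX], imm; size_t sp = 0, pc = 0;
    while (pc < len) {
        uint8_t op = c[pc++];
        if (op == OP_I32_CONST || op == OP_LOCAL_GET) {
            if (sp == STACK_MAX || !read_leb32(c, len, &pc, op == OP_I32_CONST, &imm)) return -1;
            if (op == OP_LOCAL_GET && imm >= nlocals) return -1;   /* bounds-check local index */
            stack[sp++] = (op == OP_I32_CONST) ? imm : (uint32_t)locals[imm];
        } else if (op == OP_I32_ADD || op == OP_I32_SUB || op == OP_I32_MUL) {
            if (sp < 2) return -1;                                 /* stack underflow */
            uint32_t b = stack[--sp], a = stack[--sp];             /* i32 math wraps mod 2^32 */
            stack[sp++] = op == OP_I32_ADD ? a + b : op == OP_I32_SUB ? a - b : a * b;
        } else if (op == OP_END) {
            if (sp != 1) return -1;                                /* must leave one result */
            *result = (int32_t)stack[0]; return 0;
        } else return -1;                                          /* unsupported opcode */
    }
    return -1;                                                     /* missing end opcode */
}

/* Constructed sample body for f(a, b) = (a + 5) * b. */
static const uint8_t SAMPLE[] = { 0x20,0x00, 0x41,0x05, 0x6A, 0x20,0x01, 0x6C, 0x0B };
int32_t run_sample(int32_t a, int32_t b) {
    int32_t locals[2] = { a, b }, r = 0;
    return wasm_interp(SAMPLE, sizeof SAMPLE, locals, 2, &r) == 0 ? r : INT32_MIN;
}
int main(void) { printf("%d\n", (int)run_sample(3, 4)); return 0; }
```

The trade-off Norman describes is visible here: every opcode costs a decode and a dispatch, where compiled code would execute native instructions directly.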
There will be trade-offs, says Norman: “For example, DrumBrake requires less memory, which is a nice plus, but we expect compute-intensive applications won’t perform as well.”
Last September, Microsoft Edge moved to a four-week major release cycle cadence, while adding an eight-week Extended Stable option for enterprise customers.
The changes were bundled into the Edge 98 release, which began landing on users’ desktops earlier this month.
The latest version also includes a new mode that prioritizes browser security. This allows administrators to apply group policies to Windows, macOS, and Linux end-user workstations to help protect against exploits.