Microsoft tests experimental “Super Duper Secure Mode” for Edge browser
Developers will strip back buggy performance-boosting tech to make room for additional security features
Microsoft developers are testing a new 'Super Duper Security Mode' in its Chromium-based Edge web browser that trades optimised performance for better security.
Google Chrome, and Chromium-based browsers like Edge, are built on the open source V8 JavaScript engine, although it’s often targeted by hackers because bugs are routinely discovered and exploitation follows a straightforward template.
The issue lies in a technology known as ‘just-in-time complication’ (JIT), which was introduced in 2008 to speed up specific tasks in JavaScript.
JIT takes loosely-typed programming languages, such as JavaScript, and compiles these to machine code just prior to when it’s needed, which has resulted in impressive performance gains since its implementation.
However, these gains add complexity and come at a cost, according to Microsoft’s Edge vulnerability research lead, Jonathan Norman. Roughly 45% of flaws in V8 after 2019 related to the JIT engine, and we’ve already seen in 2021 a string of examples of hackers exploiting V8 bugs in Chrome and Chromium-based browsers.
In light of this, Edge's new mode disables JIT so developers can ascertain whether any measured dips in performance are manageable in order to improve security.
Developers believe that disabling JIT would eliminate just under half of the vulnerabilities that hackers can target, which also means fewer security updates and emergency patches. It also means developers have the capacity to add a few technologies to Edge that aren’t compatible with JIT.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
Due to the way the technology works, Intel’s hardware-based exploit mitigation technology Controlflow-Enforcement Technology (CET), as well as Arbitrary Code Guard (ACG), aren’t compatible with V8. By disabling this performance-boosting technology, Norman said the team can now enable both security mitigations.
“Our hope is to build something that changes the modern exploit landscape and significantly raises the cost of exploitation for attackers,” said Microsoft Edge vulnerability research lead, Jonathan Norman. “Mitigations have a long history of being bypassed, so we are seeking feedback from the community to build something of lasting value.
“This is of course just an experiment; things are subject to change, and we have quite a few technical challenges to overcome. Also, our tongue-in-cheek name will likely need to change to something more professional when we launch as a feature. For now, we are going to continue having fun with it.”
While Super Duper Secure Mode isn’t being released generally, users of Edge Canary, Dev, and Beta can access it by entering “edge://flags/#edge-enable-super-duper-secure-mode” into their address bars and enabling the feature manually.
Five questions to ask before you upgrade to a modern SIEM
Do you need a better defense strategy?
The move represents an intriguing step forward for the Chromium-based Edge, which was initially pitched as a viable competitor to Chrome when Microsoft launched the second generation of the browser in January last year.
The firm continued to aggressively promote the new Edge both through advertising and within Windows 10, with many new Windows users hamstrung into using the browser by default, for example. This was compounded with a string of new features aimed at mirroring the advancements in Chrome and targeting the mass market, like grouped tabs.
With Microsoft unable to compete with Chrome’s market dominance, however, the firm recently repositioned Edge as a business-centric browser, with a number of features designed around improving the remote working experience, and increasing productivity.
This latest experiment continues this trend of Microsoft seeking more niche use cases for Edge. It's likely that Super Duper Secure Mode will be pitched to those in need of highly robust internet security, such as businesses in highly regulated industries.
Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.