Microsoft tests experimental “Super Duper Secure Mode” for Edge browser
Developers will strip back buggy performance-boosting tech to make room for additional security features
Microsoft developers are testing a new 'Super Duper Secure Mode' in the company's Chromium-based Edge web browser that trades optimised performance for better security.
However, these gains add complexity and come at a cost, according to Microsoft’s Edge vulnerability research lead, Jonathan Norman. Roughly 45% of flaws in V8 after 2019 related to the JIT engine, and we’ve already seen in 2021 a string of examples of hackers exploiting V8 bugs in Chrome and Chromium-based browsers.
In light of this, Edge's new mode disables JIT so developers can ascertain whether the measured dips in performance are a manageable price for improved security.
Developers believe that disabling JIT would eliminate just under half of the vulnerabilities that hackers can target, which also means fewer security updates and emergency patches. It also means developers have the capacity to add a few technologies to Edge that aren’t compatible with JIT.
Due to the way the technology works, Intel's hardware-based exploit mitigation, Control-flow Enforcement Technology (CET), as well as Arbitrary Code Guard (ACG), aren't compatible with JIT in V8. By disabling this performance-boosting technology, Norman said the team can now enable both security mitigations.
“Our hope is to build something that changes the modern exploit landscape and significantly raises the cost of exploitation for attackers,” said Microsoft Edge vulnerability research lead, Jonathan Norman. “Mitigations have a long history of being bypassed, so we are seeking feedback from the community to build something of lasting value.
“This is of course just an experiment; things are subject to change, and we have quite a few technical challenges to overcome. Also, our tongue-in-cheek name will likely need to change to something more professional when we launch as a feature. For now, we are going to continue having fun with it.”
While Super Duper Secure Mode isn’t being released generally, users of Edge Canary, Dev, and Beta can access it by entering “edge://flags/#edge-enable-super-duper-secure-mode” into their address bars and enabling the feature manually.
The move represents an intriguing step forward for the Chromium-based Edge, which was initially pitched as a viable competitor to Chrome when Microsoft launched the second generation of the browser in January last year.
The firm continued to aggressively promote the new Edge both through advertising and within Windows 10, with many new Windows users pushed into using the browser by default, for example. This was compounded by a string of new features aimed at mirroring the advancements in Chrome and targeting the mass market, like grouped tabs.
With Microsoft unable to compete with Chrome’s market dominance, however, the firm recently repositioned Edge as a business-centric browser, with a number of features designed around improving the remote working experience, and increasing productivity.
This latest experiment continues this trend of Microsoft seeking more niche use cases for Edge. It's likely that Super Duper Secure Mode will be pitched to those in need of highly robust internet security, such as businesses in highly regulated industries.