Microsoft lifts the lid on new browser security improvements

Microsoft is slowly leaking details of the new operating system and browser that will arrive on users’ desktops later this year. Last week Windows 10 was in the spotlight. This week it’s the turn of the Edge browser.

In a blog posting Monday the development team said “we want to fundamentally improve security over existing browsers and enable users to confidently experience the web from Windows. We have designed Microsoft Edge to defend users from increasingly sophisticated and prevalent attacks.”

The blog is an expansion of some of the details outlined last week at the Microsoft Edge conference. The methods include:

64-bit by default: 64-bit processes in general, and browser processes in particular, get significant security advantages by making Windows ASLR (Address Space Layout Randomization) stronger, says Microsoft.

ASLR makes it harder to inject malicious code in the browser process through a coding bug by randomizing the memory layout of the process, making it hard for attackers to hit precise memory locations. In turn, 64-bit processes make ASLR much more effective by making the address space exponentially larger, making it much more difficult for attackers to find the sensitive memory components they need.


Two new defences against memory corruption: MemGC (Memory Garbage Collector) is a memory garbage collection system that seeks to defend the browser from UAF (Use-after-free) vulnerabilities by taking responsibility for freeing memory away from the programmer and instead automating it, only freeing memory when the automation has detected that there are no more references left pointing to a given block of memory.

Another is Control Flow Guard. In a memory-corruption attack, the attacker wants to gain control of the CPU program counter and jump to a code location of the attacker’s choice. CFG (Control Flow Guard) is a Microsoft Visual Studio technology that compiles checks around code that does indirect jumps based on a pointer, restricting these jumps to function entry points that have had their address taken. This makes attacker take-over of a program much more difficult by severely constraining where a memory corruption attack can jump to, Microsoft says.
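The check described above can be modelled in a few lines of C. This is an added example, not Microsoft's implementation or code from the blog: the handler names, the `widget` structure and the linear-search allow-list are assumptions, and the model returns -1 on a refused call so the outcome can be checked.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef int (*handler_t)(int);

/* Handlers whose addresses are taken for indirect calls (hypothetical names). */
static int on_click(int x) { return x + 1; }
static int on_key(int x)   { return x * 2; }
/* Present in the program but never registered as an indirect-call target. */
static int internal_helper(int x) { return -x; }

/* Model of the valid-target set built at compile time. */
static const handler_t valid_targets[] = { on_click, on_key };

/* 1 if target is a registered function entry point, 0 otherwise. */
static int guard_check(handler_t target) {
    size_t n = sizeof valid_targets / sizeof valid_targets[0];
    for (size_t i = 0; i < n; i++)
        if (valid_targets[i] == target) return 1;
    return 0;
}

/* Checked indirect call: 0 and *out set on success, -1 if the call is refused. */
int guarded_call(handler_t target, int arg, int *out) {
    if (!guard_check(target)) return -1;
    *out = target(arg);
    return 0;
}

/* Constructed scenario: an object's handler slot is overwritten by a bug. */
struct widget { char name[8]; handler_t handler; };

int call_widget(handler_t slot_value, int arg, int *out) {
    struct widget w = { "button", on_click };
    if (slot_value) w.handler = slot_value;   /* stand-in for the corruption */
    return guarded_call(w.handler, arg, out);
}

int main(void) {
    int out = 0;
    handler_t mid = (handler_t)((uintptr_t)on_click + 1); /* not an entry point */
    printf("intact:     %d\n", call_widget(NULL, 41, &out));
    printf("other func: %d\n", call_widget(internal_helper, 41, &out));
    printf("mid-func:   %d\n", call_widget(mid, 41, &out));
    return 0;
}
```

The intact pointer is called normally, while both the unregistered function and the address inside a function body are refused before any jump happens.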

Defences against hacking: First, Microsoft [Nasdaq: MSFT] says it has rewritten the rendering engine for Edge to include a major overhaul of the DOM representation in the browser’s memory, making the code more resistant to “burglar” attacks that attempt to subvert the browser.

Second, there is no support for dangerous extensions that hackers have been taking advantage of, including VML, VBScript, Toolbars, BHOs, or ActiveX. Instead Microsoft is developing a new HTML/JS-based extension model. That will be a concern to developers of applications with those controls, but Microsoft says it will soon offer migration guidance.

The largest change in Edge security, Microsoft says, is that the new browser is a Universal Windows app. “This fundamentally changes the process model, so that both the outer manager process, and the assorted content processes, all live within app container sandboxes.”

There have been sandboxes — called protected mode — since IE7. Edge runs its content processes in app containers, not just as a default, but all the time.

How long will it take for attackers to subvert these changes? They always find a way, although it is my suspicion that stealing credentials will at least for the short term be the preferred strategy. Still, any improvement in the security chain is welcome.


Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com
