Microsoft tests experimental “Super Duper Secure Mode” for Edge browser

Developers will strip back buggy performance-boosting tech to make room for additional security features

Microsoft developers are testing a new 'Super Duper Secure Mode' in the company's Chromium-based Edge web browser that trades optimised performance for better security.

Google Chrome, and Chromium-based browsers like Edge, are built on the open source V8 JavaScript engine, which is often targeted by hackers because bugs are routinely discovered and exploitation follows a straightforward template.

The issue lies in a technology known as ‘just-in-time compilation’ (JIT), which was introduced in 2008 to speed up specific tasks in JavaScript.

JIT takes loosely-typed programming languages, such as JavaScript, and compiles these to machine code just prior to when it’s needed, which has resulted in impressive performance gains since its implementation.

However, these gains add complexity and come at a cost, according to Microsoft’s Edge vulnerability research lead, Jonathan Norman. Roughly 45% of flaws in V8 after 2019 related to the JIT engine, and we’ve already seen in 2021 a string of examples of hackers exploiting V8 bugs in Chrome and Chromium-based browsers.

In light of this, Edge's new mode disables JIT so developers can ascertain whether any measured dips in performance are manageable in order to improve security.

Developers believe that disabling JIT would eliminate just under half of the vulnerabilities that hackers can target, which also means fewer security updates and emergency patches. It also means developers have the capacity to add a few technologies to Edge that aren’t compatible with JIT.

Due to the way the technology works, Intel’s hardware-based exploit mitigation, Control-flow Enforcement Technology (CET), as well as Arbitrary Code Guard (ACG), aren’t compatible with V8’s JIT. By disabling this performance-boosting technology, Norman said the team can now enable both security mitigations.

“Our hope is to build something that changes the modern exploit landscape and significantly raises the cost of exploitation for attackers,” said Microsoft Edge vulnerability research lead, Jonathan Norman. “Mitigations have a long history of being bypassed, so we are seeking feedback from the community to build something of lasting value.

“This is of course just an experiment; things are subject to change, and we have quite a few technical challenges to overcome. Also, our tongue-in-cheek name will likely need to change to something more professional when we launch as a feature. For now, we are going to continue having fun with it.”

While Super Duper Secure Mode isn’t being released generally, users of Edge Canary, Dev, and Beta can access it by entering “edge://flags/#edge-enable-super-duper-secure-mode” into their address bars and enabling the feature manually.

The move represents an intriguing step forward for the Chromium-based Edge, which was initially pitched as a viable competitor to Chrome when Microsoft launched the second generation of the browser in January last year.

The firm continued to aggressively promote the new Edge both through advertising and within Windows 10, with many new Windows users pushed into using the browser by default, for example. This was compounded by a string of new features aimed at mirroring the advancements in Chrome and targeting the mass market, like grouped tabs.

With Microsoft unable to compete with Chrome’s market dominance, however, the firm recently repositioned Edge as a business-centric browser, with a number of features designed around improving the remote working experience, and increasing productivity.

This latest experiment continues this trend of Microsoft seeking more niche use cases for Edge. It's likely that Super Duper Secure Mode will be pitched to those in need of highly robust internet security, such as businesses in highly regulated industries.
