Microsoft tests experimental “Super Duper Secure Mode” for Edge browser

Developers will strip back buggy performance-boosting tech to make room for additional security features


Microsoft developers are testing a new 'Super Duper Secure Mode' in the company's Chromium-based Edge web browser that trades optimised performance for better security.

Google Chrome, and Chromium-based browsers like Edge, are built on the open source V8 JavaScript engine. The engine is often targeted by hackers because bugs are routinely discovered in it and exploitation follows a straightforward template.

The issue lies in a technology known as ‘just-in-time compilation’ (JIT), which was introduced in 2008 to speed up specific tasks in JavaScript.

JIT takes loosely-typed programming languages, such as JavaScript, and compiles these to machine code just prior to when it’s needed, which has resulted in impressive performance gains since its implementation.

However, these gains add complexity and come at a cost, according to Microsoft’s Edge vulnerability research lead, Jonathan Norman. Roughly 45% of flaws in V8 after 2019 related to the JIT engine, and we’ve already seen in 2021 a string of examples of hackers exploiting V8 bugs in Chrome and Chromium-based browsers.

In light of this, Edge's new mode disables JIT so developers can assess whether the measured dips in performance are a manageable price for improved security.
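The trade-off can be measured outside the browser. The following is an added example, not code from Microsoft or from this article: it assumes Node.js, which embeds V8 and accepts V8's `--jitless` flag, and its function names, file name and workload sizes are illustrative.

```javascript
// Added example: compare V8 with and without its JIT compilers.
// Save as bench.js (hypothetical name) and run it twice:
//   node bench.js            (JIT enabled)
//   node --jitless bench.js  (interpreter only)
const now = () => (typeof performance !== 'undefined' ? performance.now() : Date.now());

// Arithmetic hot loop: the kind of code an optimising JIT helps most.
function numericLoop(n) {
  let acc = 0;
  for (let i = 1; i <= n; i++) acc = (acc + i * i) % 1000003;
  return acc;
}

// Repeated property reads on same-shaped objects.
function objectAccess(n) {
  const points = [];
  for (let i = 0; i < n; i++) points.push({ x: i, y: 2 * i });
  let sum = 0;
  for (const p of points) sum += p.x + p.y;
  return sum;
}

// String building: leans on built-ins such as toString and join.
function stringWork(n) {
  const parts = [];
  for (let i = 0; i < n; i++) parts.push(i.toString(16));
  return parts.join(',').length;
}

// Best-of-N wall-clock time, so one-off pauses do not skew the figure.
function timeIt(fn, arg, repeats = 5) {
  let best = Infinity;
  let result;
  for (let r = 0; r < repeats; r++) {
    const t0 = now();
    result = fn(arg);
    best = Math.min(best, now() - t0);
  }
  return { result, ms: best };
}

function runBenchmarks() {
  const jitless = typeof process !== 'undefined' &&
    process.execArgv.includes('--jitless');
  return {
    jitless,
    numeric: timeIt(numericLoop, 2000000),
    objects: timeIt(objectAccess, 200000),
    strings: timeIt(stringWork, 200000),
  };
}

console.log(runBenchmarks());
```

The `result` fields should be identical in both runs; only the `ms` figures should differ, and by how much depends on the workload.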

Developers believe that disabling JIT would eliminate just under half of the vulnerabilities that hackers can target, which also means fewer security updates and emergency patches. It also means developers have the capacity to add a few technologies to Edge that aren’t compatible with JIT.

Due to the way the technology works, Intel’s hardware-based exploit mitigation Control-flow Enforcement Technology (CET), as well as Arbitrary Code Guard (ACG), aren’t compatible with JIT in V8. By disabling this performance-boosting technology, Norman said the team can now enable both security mitigations.

“Our hope is to build something that changes the modern exploit landscape and significantly raises the cost of exploitation for attackers,” said Microsoft Edge vulnerability research lead, Jonathan Norman. “Mitigations have a long history of being bypassed, so we are seeking feedback from the community to build something of lasting value.

“This is of course just an experiment; things are subject to change, and we have quite a few technical challenges to overcome. Also, our tongue-in-cheek name will likely need to change to something more professional when we launch as a feature. For now, we are going to continue having fun with it.”

While Super Duper Secure Mode isn’t being released generally, users of Edge Canary, Dev, and Beta can access it by entering “edge://flags/#edge-enable-super-duper-secure-mode” into their address bars and enabling the feature manually.

The move represents an intriguing step forward for the Chromium-based Edge, which was initially pitched as a viable competitor to Chrome when Microsoft launched the second generation of the browser in January last year.

The firm continued to aggressively promote the new Edge both through advertising and within Windows 10, with many new Windows users hamstrung into using the browser by default, for example. This was compounded with a string of new features aimed at mirroring the advancements in Chrome and targeting the mass market, like grouped tabs.

With Microsoft unable to compete with Chrome’s market dominance, however, the firm recently repositioned Edge as a business-centric browser, with a number of features designed around improving the remote working experience, and increasing productivity.

This latest experiment continues this trend of Microsoft seeking more niche use cases for Edge. It's likely that Super Duper Secure Mode will be pitched to those in need of highly robust internet security, such as businesses in highly regulated industries.
