Microsoft Edge devs reveal Super-Duper Secure Mode

by Mark Tyson on 6 August 2021, 13:11

Tags: Microsoft (NASDAQ:MSFT)

Quick Link: HEXUS.net/qaeqxq

Add to My Vault: x

The Microsoft Browser Vulnerability Research team is experimenting with a new mode that significantly reduces the attack surface a modern web browser such as Microsoft Edge presents to the hacker world. Thus, "Super Duper Secure Mode" (SDSM) is now available for Edge preview testers -- in the Canary, Dev and Beta rings to try out. In brief, SDSM does its magic by disabling JIT Javascript acceleration, and a sprinkling of other "new security mitigations" to significantly fortify Microsoft's signature browser.

Microsoft's researchers have fathomed that modern JIT techniques (designed to speed up JavaScript engines from the likes of Google, Mozilla, Microsoft, and others), are a major source of CVEs (Common Vulnerabilities and Exposures). According to their investigations, 45 per cent of browser CVEs are related to JIT Java.

So, you can disable JIT to get a more secure browser, but what about the impact on performance? Microsoft noticed that the only major speedbump for its JIT disabled browser was in benchmarks like Speedometer 2.0. In reviewing anecdotal experiences, Microsoft found that "users with JIT disabled rarely notice a difference in their daily browsing." Perhaps more importantly, in various tests of browser performance like memory use, page load and startup times, and power usage the picture was mostly positive. The worst stats seem to be with the potential of a ~17 per cent slowdown in complex page load times. However, depending on the content, page loads might be nearly 10 per cent faster.

Admittedly the balance of positives and negatives is quite complex, so Microsoft is testing this now, as are Insiders in the aforementioned programs. There are some further side-benefits to disabling Java JIT. The devs reveal that mitigation technologies such as Controlflow-Enforcement Technology (CET) from Intel, and Arbitrary Code Guard (ACG) couldn't play nicely with JIT enabled – but without it, they can be toggled on to "make exploitation of security bugs in any renderer process component more difficult".

SDSM is definitely still at an experimental stage, but shows encouraging signs. Microsoft is typically rather proud of the speed and responsiveness of Edge, so it will probably try and offer the best of both worlds with this new SDSM implemented, alongside optimizations to reduce/eliminate any JIT disabling impacts. Remember that security seems to be a renewed focus of the company with its Windows 11 minimum requirements.



HEXUS Forums :: 11 Comments

Login with Forum Account

Don't have an account? Register today!
Microsoft is typically rather proud of the speed and responsiveness of Edge
Yep, Google did a good job :D
Does Super-Duper Secure mode just mean cutting the power to the PC, that's the most secure way..
So it's catching up with Firefox + NoScript?
Wrinkly
So it's catching up with Firefox + NoScript?

Sounds like NoScript and maybe HTTPS everywhere or something. But because they're aiming at non technical users, the JS restrictions can't cause problems like NoScript can do, so they can only limit JIT.

It's not a bad approach and covers the biggest problems, but every time they do stuff like this, it just means people will concentrate on a different attack vector as Edge is so unrelentingly mediocr…. I mean popular.
One of the worst browsers EVER! I'd sooner use IE than edge.