Security Experts:

Microsoft Details Security Features in New Edge Web Browser

With the release of the Edge web browser, Microsoft says it wants to fundamentally improve security in an effort to ensure that users are protected against sophisticated threats.

First of all, Microsoft says Edge is designed to provide protection against “trickery,” such as phishing attacks in which malicious actors attempt to convince users to enter sensitive information on a bogus website that looks very similar to a legitimate site.

Currently, users can identify legitimate websites by looking for the HTTPS lock symbol and the Extended Validation (EV) green address bar displayed by the browser. However, Microsoft says these features have had only limited success, which is why the company wants to remove the need for users to enter clear text passwords into a website.

The Microsoft Passport technology in Windows 10 provides asymmetric cryptography for authenticating into websites. The latest version of the operating system also gives users a more convenient way to access their devices and their Microsoft Passport, the company said in a blog post.

Microsoft Edge and the Windows 10 Shell also support SmartScreen, a feature introduced in Internet Explorer 8. SmartScreen is designed to perform a reputation check on the websites visited by the user and block potentially dangerous sites. SmartScreen is also designed to warn users when they are about to install malicious software.

An increasing number of websites use fraudulent certificates in an effort to appear legitimate. Microsoft has extended its Certificate Reputation solution so that developers can quickly report fraudulent certificates to Microsoft through Bing Webmaster Tools.

Microsoft EdgeHTML, the new rendering engine in Edge, also enhances security, Microsoft said. That’s because it uses new security features found in the W3C and IETF standards, and it simplifies the process of building a modern website, allowing developers to focus on security and reliability.

While many attacks rely on deception, malicious actors often target users by exploiting vulnerabilities in the web browser. In order to prevent such attacks, Microsoft Edge incorporates several mitigations.

Since HTML5 provides rich capabilities, Microsoft has decided to remove support for various legacy technologies and features in the Edge web browser. The list includes ActiveX, Browser Helper Objects (BHO), document modes, the Vector Markup Language (VML), the currentStyle property, and DirectX filters and transitions. Microsoft says it’s working on a HTML/JS-based extension model to enable extensibility beyond what HTML5 provides.

App container sandboxes can be highly useful for protection against malicious websites designed to exploit vulnerabilities in the web browser and its plugins. With the introduction of Microsoft Edge, all the web pages visited by users will be rendered inside an app container by default.

The Protected Mode feature introduced with IE 7 and the Enhanced Protected Mode introduced with IE 10 offer similar protection. However, Protected Mode offers only a limited degree of protection and Enhanced Protected Mode is not on by default in the desktop versions of IE 10 and IE 11.

Microsoft has also noted that Edge is 64-bit by default all the time when running on a 64-bit processor. 64-bit browser processes are more secure because the Windows ASLR (Address Space Layout Randomization) protection is stronger, Microsoft said.

“Attackers want to inject malicious code into your browser process via a coding bug, and then execute their malicious code. ASLR makes that harder by randomizing the memory layout of the process, making it hard for attackers to hit precise memory locations to achieve their ends,” explained Crispin Cowan, Senior Program Manager at Microsoft Edge. “In turn, 64-bit processes make ASLR much more effective by making the address space exponentially larger, making it much more difficult for attackers to find the sensitive memory components they need.

In addition to ASLR, Microsoft also introduced mitigations such as Structured Exception Handling Overwrite Protection (SEHOP) and Data Execution Prevention (DEP) to protect users against attacks leveraging memory corruption vulnerabilities. Recently introduced protections, such as the MemGC (Memory Garbage Collector) and CFG (Control Flow Guard), have also been included in Microsoft Edge and they are on by default.

Microsoft says it’s aware that Edge might be plagued by some vulnerabilities that its developers have missed. That is why the company recently announced the launch of a bug bounty program for Microsoft Edge (Spartan). Microsoft is prepared to offer up to $15,000 for serious vulnerabilities found in the web browser until June 22, 2015.

“Microsoft Edge is a brand new browser, with new goals and requirements. This has allowed us to include these security enhancements, both brand new security features, and moving older opt-in features to be always-on,” said Cowan. “For this reason, we believe Microsoft Edge will be the most secure web browser that Microsoft has ever shipped. As security is a process, not a destination, we will continue to work on browser security improvements.”

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.