Has Microsoft got the Edge on browser security?

Microsoft's next web browser will have a number of new protections and exploit mitigations, but experts are divided over claims being made by the software giant about security.

The new browser, known as 'Edge', is scheduled to be released with Windows 10 later this year.

Writing on the Kaspersky Lab blog, Threatpost.com, Dennis Fisher said that Edge will represent a big improvement in cyber-security, not least because it will no longer support the most dangerous and commonly abused extensions, ActiveX and VBScript.

“Most of the changes that Microsoft is making with Edge are behind the scenes and won't be visible to users. That includes the new exploit mitigations and some improvements to the sandbox, which was introduced in Internet Explorer 7 several years ago,” he said.

Edge will include two features to protect against memory corruption attacks, MemGC and Control Flow Guard, but the largest change in Microsoft Edge security is that the new browser is a Universal Windows app, according to Crispin Cowan, senior program manager, Microsoft.

Writing on the Microsoft Edge Dev Blog, Cowan said: “This fundamentally changes the process model, so that both the outer manager process, and the assorted content processes, all live within app container sandboxes. This provides the user and the platform with the confidence provided by other Windows store apps.”

The developments were broadly welcomed by Amichai Shulman, CTO of Imperva, but overall the improvement in security will be minimal, he said.

Shulman told SCMagazineUK.com: “This step by Microsoft is generally positive and is in place, given the recent advancement in HTML5 support. It will help to reduce the potential exposure of workstations by reducing the number of components and hence reducing the number of lines of code and therefore the overall number of exposed vulnerabilities in each workstation.

“At the same time we can expect more and more vulnerabilities to be found in the newly introduced HTML5 functionality that replaces these other components. With time, as new functionality is defined and introduced we will see this code base getting larger as well as more complex and the number of vulnerabilities will rise again.

“Sandboxing of the code is a nice slogan which I suspect is well overrated. While reducing the potential for privilege escalation to a reasonable level, none of the ‘sandboxes’ introduced over the years to browsers – including the Java sandbox – have proved to eradicate the potential for privilege elevation.

“Regarding SmartScreen, I suspect that it will have adverse effects on free surfing and a minor effect on potential phishing victims. We've proven once and again that people who are susceptible to phishing – quite frankly, most people – will fall prey regardless of the technology that tries to protect them from themselves.

“My bottom line: these are probably necessary steps. The primary reason for Microsoft to take these steps is, I suspect, engineering efficiency and business leverage – pushing out third party components in favor of Microsoft code – rather than security. Is our online experience going to be a safer one as a result? Probably not.”

Another commentator, quoted by Threatpost.com, was more supportive of the changes. “For the vast majority of users, the internet is the browser. If Microsoft wants to continue to compete in the marketplace, they need to step up their game for browser security… and they have been losing to Google now for a few years,” said Andrew Storms, vice president of security services at New Context.

“When it comes to protecting the browser itself, Microsoft has been making some pretty big leaps forward in terms of security. We have to continue to applaud them for making the right decisions. For example, the choice to remove support for antiquated and insecure technology like ActiveX is a move long overdue. Better containerisation of the application and better memory protections are also much needed and appreciated steps in the right direction,” Storms said.

For any bug hunters out there, Microsoft is offering a bug bounty for the discovery of vulnerabilities in the Edge browser between now and the launch of Windows 10 later this year.