In a bid to end years of Internet Explorer security woes, Microsoft is betting that its still-to-be-released Edge browser will meet the challenges of increasingly sophisticated online hacker attacks.
“With Microsoft Edge, we want to fundamentally improve security over existing browsers and enable users to confidently experience the web from Windows,” said Microsoft Edge senior program manager Crispin Cowan in a blog post.
The software firm has set out to develop industry-leading sandboxing, compiler and memory management techniques for its new-generation browser.
Developers say Microsoft Edge includes a major overhaul of the document object model (DOM) representation in the browser’s memory, making the code more resistant to attacks that attempt to subvert the browser.
The browser’s security has also been improved by removing support for vulnerable extensions for VML, VBScript, toolbars, browser helper objects (BHOs) and ActiveX.
Microsoft believes there is no need for such extensions because of the rich capabilities of HTML5, which makes sites interoperable across browsers.
“Browser extensions come at a cost of security and reliability: binary extensions bring code and data into the browser’s process, with no protection at all, and so anything that goes wrong or is vulnerable in the extension can also take down or compromise the browser itself,” said Cowan.
According to the software firm, Microsoft Edge is “rebooting” its browser extension model, allowing it to run its content processes in app containers all the time.
This means that every internet page that Microsoft Edge visits will be rendered inside an app container, which developers believe is the most secure client-side app sandbox in Windows.
Microsoft Edge is designed to run only 64-bit processes on 64-bit machines. According to Microsoft, 64-bit processes get significant security advantages by making Windows address space layout randomisation (ASLR) stronger.
Microsoft SmartScreen, originally introduced in IE8, is supported in Microsoft Edge and by the Windows 10 Shell. SmartScreen defends users against phishing sites by performing a reputation check on sites the browser visits, blocking those thought to be phishing sites.
“Similarly, SmartScreen in both the browser and the Windows Shell defends users against socially engineered downloads of malicious software to users being tricked into installing malicious software,” said Cowan.
Finally, developers say the Microsoft EdgeHTML rendering engine in Microsoft Edge helps in defending against “con man” attacks using new security features in HTML5.
For example, support for the W3C standard for content security policy helps developers defend their sites from cross-site scripting (XSS) attacks in a cross-browser manner, and support for HTTP strict transport security helps ensure that connections to sites such as online banking are always secured.
“This engine is focused on modern web standards, allowing web developers to build and maintain one consistent site that supports all modern browsers,” said Cowan.
“This greatly simplifies the hard work of building first class websites, allowing more time and energy for web developers to focus on reliability and security rather than the complexities of interoperability,” he said.
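The two header-based defences mentioned above, content security policy and HTTP strict transport security, only help when a site sends them with sound values. The following added example (not code from Microsoft or from the original article) audits a response's headers for both; the finding names, the sample headers and the 180-day `MIN_HSTS_MAX_AGE` floor are assumptions chosen for illustration.

```javascript
const MIN_HSTS_MAX_AGE = 15552000; // assumed policy floor: 180 days, in seconds

// "default-src 'self'; script-src cdn.example" -> Map(directive -> [sources])
function parseCsp(value) {
  const directives = new Map();
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Browsers ignore a repeated directive, so only the first occurrence is kept.
    if (!directives.has(name)) directives.set(name, tokens.slice(1).map(t => t.toLowerCase()));
  }
  return directives;
}

// Returns max-age in seconds, or null when the directive is absent or malformed.
function hstsMaxAge(value) {
  for (const part of value.split(';')) {
    const m = /^max-age\s*=\s*"?(\d+)"?$/i.exec(part.trim());
    if (m) return Number(m[1]);
  }
  return null;
}

function auditHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const findings = [];
  const csp = h['content-security-policy'];
  if (!csp) {
    findings.push('csp-missing');
  } else {
    const d = parseCsp(csp);
    const scripts = d.get('script-src') || d.get('default-src'); // fallback rule
    // 'unsafe-inline' re-enables inline script unless a nonce or hash is present.
    const hasNonceOrHash = (scripts || []).some(s => /^'(nonce|sha(256|384|512))-/.test(s));
    if (!scripts) findings.push('csp-scripts-unrestricted');
    else if (scripts.includes("'unsafe-inline'") && !hasNonceOrHash) findings.push('csp-unsafe-inline');
  }
  const hsts = h['strict-transport-security'];
  const maxAge = hsts ? hstsMaxAge(hsts) : null;
  if (!hsts) findings.push('hsts-missing');
  else if (maxAge === null) findings.push('hsts-no-max-age');
  else if (maxAge === 0) findings.push('hsts-disabled');
  else if (maxAge < MIN_HSTS_MAX_AGE) findings.push('hsts-short-max-age');
  return findings;
}

// Constructed sample headers, not taken from any real site.
const SAMPLE_WEAK = { 'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline'", 'Strict-Transport-Security': 'max-age=300' };
const SAMPLE_STRONG = { 'Content-Security-Policy': "default-src 'none'; script-src 'self'", 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains' };
console.log(auditHeaders(SAMPLE_WEAK), auditHeaders(SAMPLE_STRONG));
```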
Developers have also worked with the Windows team to improve the browser’s security through tighter integration with the operating system.
For example, Windows 10 includes Microsoft Passport technology with asymmetric cryptography to authenticate users to websites.
This approach is aimed at reducing phishing attacks that trick users into entering their password on a fake version of a website they trust.
Microsoft Passport helps defend Microsoft Edge users against phishing attacks by removing the need for users to enter plain-text passwords into websites.
“Windows 10 will also offer the most convenient way to unlock your device and access your Microsoft Passport, providing a truly seamless experience that is more secure than today’s world of complicated passwords,” said Cowan.
By building Microsoft Edge from the ground up, Microsoft has included security enhancements and new security features, and made older opt-in features always-on.
“For this reason, we believe Microsoft Edge will be the most secure web browser that Microsoft has ever shipped,” said Cowan.
However, he said that despite all efforts, Microsoft recognises there will be security vulnerabilities in Microsoft Edge that are still unknown.
“To minimise customer impact, we will be offering a Windows 10 Technical Preview Browser Bug Bounty program, intended to incent security researchers to report browser vulnerabilities to Microsoft during the Technical Preview period rather than after Microsoft Edge ships as a general use product,” said Cowan.
Microsoft Edge is expected to debut alongside Windows 10 when it is released later this summer.