Microsoft wonders if disabling just-in-time compilation of JavaScript improves browser security
Microsoft is conducting an experiment it hopes will improve browser security - by making its Edge offering worse at running JavaScript.
As explained in a post by Johnathan Norman, the vulnerability research lead for Microsoft Edge, JavaScript is the juiciest target when trying to crack a browser - because engines like Google's V8 and the just-in-time compilation techniques they employ use "a remarkably complex process that very few people understand" and have "a small margin for error" in the way they handle code.
Microsoft is therefore going to try to build what it calls "Super Duper Security Mode" for Edge, by disabling JIT and eventually adding other security mitigations - namely Control-flow Enforcement Technology, Arbitrary Code Guard and Control Flow Guard.
"Super Duper Security Mode" is already available.
Type edge://flags/#edge-enable-super-duper-secure-mode into Edge and the browser provides a long list of its security controls so you can see what you'll be missing if you decide to join Microsoft's experiment.
A fun name like "Super Duper Security Mode" might make more of a difference to users than hard-to-appreciate changes to security plumbing.
News URL
https://go.theregister.com/feed/www.theregister.com/2021/08/06/edge_super_duper_security_mode/