Microsoft wonders if disabling just-in-time compilation of JavaScript improves browser security
Microsoft is conducting an experiment it hopes will improve browser security - by making its Edge offering worse at running JavaScript.
As explained in a post by Johnathan Norman, the vulnerability research lead for Microsoft Edge, JavaScript is the juiciest target when trying to crack a browser - because engines like Google's V8 and the just-in-time compilation techniques they employ use "a remarkably complex process that very few people understand" and have "a small margin for error" in the way they handle code.
Microsoft is therefore going to try to build what it calls "Super Duper Security Mode" for Edge, by disabling JIT and eventually adding other security mitigations - namely Control-flow Enforcement Technology, Arbitrary Code Guard and Control Flow Guard.
"Super Duper Security Mode" is already available.
Type edge://flags/#edge-enable-super-duper-secure-mode into Edge and the browser provides a long list of its security controls so you can see what you'll be missing if you decide to join Microsoft's experiment.
A fun name like "Super Duper Security Mode" might make more of a difference to users than hard-to-appreciate changes to security plumbing.
News URL
https://go.theregister.com/feed/www.theregister.com/2021/08/06/edge_super_duper_security_mode/