Security News > 2021 > August > Microsoft wonders if disabling just-in-time compilation of JavaScript improves browser security
Microsoft is conducting an experiment it hopes will improve browser security - by making its Edge offering worse at running JavaScript.
As explained in a post by Johnathan Norman, the vulnerability research lead for Microsoft Edge, JavaScript is the juiciest target when trying to crack a browser - because engines like Google's V8 and the just-in-time compilation techniques they employ use "a remarkably complex process that very few people understand" and have "a small margin for error" in the way they handles code.
Microsoft is therefore going to try to build what it calls "Super Duper Security Mode" for Edge, by disabling JIT and eventually adding other security mitigations - namely Controlflow-Enforcement Technology and Arbitrary Code Guard and Control Flow Guard.
"Super Duper Security Mode" is already available.
Type edge://flags/#edge-enable-super-duper-secure-mode into Edge and the browser provides a long list of its security controls so you can see what you'll be missing if you decide to join Microsoft's experiment.
A fun name like "Super Duper Security Mode" might make more of a difference to users than hard-to-appreciate changes to security plumbing.
News URL
https://go.theregister.com/feed/www.theregister.com/2021/08/06/edge_super_duper_security_mode/
Related news
- Microsoft Copilot for Security prepares for April liftoff (source)
- Microsoft’s Security Copilot Enters General Availability (source)
- Microsoft confirms memory leak in March Windows Server security update (source)
- Microsoft slammed for lax security that led to China's cyber-raid on Exchange Online (source)
- Microsoft slammed for lax security that led to China's cyber-raid on Exchange Online (source)
- Microsoft fixes Outlook security alerts bug caused by December updates (source)
- Microsoft April 2024 Patch Tuesday fixes 150 security flaws, 67 RCEs (source)
- Microsoft squashes SmartScreen security bypass bug exploited in the wild (source)
- Microsoft and Security Incentives (source)
- Microsoft releases Exchange hotfixes for security update issues (source)