CIO

Microsoft hones Edge browser for age of sophisticated hackers

Microsoft has outlined several ways that Edge will be more secure

Microsoft says its replacement for Internet Explorer, known as Edge, will be much tougher to hack than previous browsers.

It’s out with the old and in with the new for Edge, Microsoft’s clean break from Internet Explorer, which the company says will “fundamentally improve security” over existing browsers.

In a post today, Microsoft outlined several ways that Edge will be more secure, from additional protections against phishers to improved anti-exploitation technologies and ‘always on’ sandboxing to thwart hackers.

The biggest change to security for Edge is that it’s actually an app and as such will run all processes within app container sandboxes, just like other Universal Windows apps in the Windows store. Earlier browsers, such as IE7 on Windows, did offer sandboxing but it either wasn’t universally available on all form factors or didn’t extend to all processes.

“Microsoft Edge is rebooting our browser extension model, allowing it to run its content processes in app containers, not just as a default, but all the time. Thus every Internet page that Microsoft Edge visits will be rendered inside an app container, the latest and most secure client-side app sandbox in Windows,” explained the Edge team.

Address Space Layout Randomisation (ASLR) will also be stronger, according to Microsoft, because Edge is 64-bit at all times when running on a 64-bit processor. ASLR makes it harder for hackers to predict which memory locations to hit, and with 64-bit processes the address space becomes “exponentially larger” than with 32-bit processes, making life more difficult for hackers.

Edge will of course also benefit from existing security technologies that Microsoft has used to harden IE against attacks on memory bugs.

Microsoft has already explained that it will be killing off support for legacy browser technologies such as ActiveX and BHOs in its extension model, and replacing them with HTML5 and JavaScript. It hasn’t revealed any more details about that transition yet, but explained that this will improve security by sharing less information between the browser and extensions.

The company’s recent adoption of web standards for its new rendering engine EdgeHTML will also deliver security benefits, including support in Edge for Content Security Policy (CSP) and HTTP Strict Transport Security (HSTS), which defend against cross-site scripting attacks and man-in-the-middle attacks respectively.

It’s playing catch-up here. Microsoft announced plans to support HSTS this February (before it was called Edge). Chrome has supported HSTS since 2009, Firefox since 2010, Opera since 2012 and Safari since 2013. Meanwhile, CSP has been led by Mozilla and Google.

This article is brought to you by Enex TestLab, content directors for CSO Australia.
