News

Microsoft Edge Browser Jettisoning Older Technologies for Better Security

• By Kurt Mackie
• 05/11/2015

Microsoft talked last week about how its new Edge Web browser is improving security while jettisoning older Internet Explorer technologies along the way.

The Edge browser (formerly code-named "Spartan") essentially takes off in a new direction based on the forking of IE's Trident rendering engine. In splitting the engine, Microsoft dispensed with 220,000 lines of code. It also got rid of six browser document modes and more than 300 APIs to improve the performance, reliability and security of the new Edge browser.

Microsoft lists what isn't in Edge in this blog post. Highlights of those removed technologies include:

• ActiveX -- HTML 5 takes care of the need for ActiveX controls, according to Microsoft, although Edge will still have built-in Adobe Flash support and PDF support
• Browser Helper Objects -- these COM objects will go away with Edge's coming HTML and JavaScript-based extension model
• Document Modes -- Edge will have a single document mode, while IE will still be around for organizations that need the legacy code support
• VBScript -- Microsoft's view is that JavaScript is "the de facto language of the Web"
• Vector Markup Language - it's supplanted by Scalable Vector Graphics now, according to Microsoft

Edge Security Capabilities
Microsoft is also touting better security with the Edge browser. It lacks an extensions capability right now, which adds to its security, although Microsoft is currently working to create an extension model based on HTML and JavaScript. Microsoft will provide more info about that model in "coming months."

Edge will leverage some HTML 5 security features. It will support HTTP Strict Transport Security, a protocol for secure Web connections. It also adds protections against cross-site scripting attacks by supporting HTML 5's "Content Security Policy."

The Edge browser is a so-called Universal Windows app, so it uses "app container sandboxes" for content processes and the outer manager process. In addition, the apps used by the browser get vetted through the Windows Store. While Microsoft had earlier versions of app container sandboxes with IE 7's "protected mode" and IE 10's "enhanced protected mode" technologies, there were some limitations. With the Edge browser, Microsoft is promising that "every Internet page that Microsoft Edge visits will be rendered inside an app container."

The Edge browser will be a 64-bit browser by default, except if run on a 32-bit processor. Running it as 64-bit technology enhances the security protections of the Address Space Layout Randomization scheme. ASLR makes it harder for hackers to find memory locations, which hackers try to leverage when running malicious code.

Some older IE protections will continue on in the Edge browser. Microsoft's phishing protection technology, called "SmartScreen," which performs a reputation check on sites, will be included in the Edge browser. Microsoft first introduced SmartScreen with its IE 8 browser.

A "certificate reputation" technology that checks for fraudulent certificates is also being extended in the Edge browser.

Over the last year, Microsoft has built protections against memory corruptions into its browsers. A memory garbage collector (MemGC) technology aims to protect against "use-after-free" types of vulnerabilities. Also, a control flow guard (CFG) technology, enabled in Visual Studio, is designed to thwart code location jumps, which are used by hackers to gain control over a program.

IE 11 for Legacy App Support
Organizations typically have been held back from upgrading the underlying Windows operating system because of browser-based app and site remediation issues, so Windows 10 will have both browsers to help organizations make the leap, according to Candice Quadros, a Microsoft program manager on the HTML platform, during a "Microsoft Edge and IE11 for IT Professionals" talk last week. Quadros noted that many of Microsoft's enterprise customers have "a lot of fear about moving to modern browser standards." They like the idea of sticking with IE 8, but doing so makes it a pain to upgrade.

Microsoft's call to action, according to Quadros, is that if organizations are still using IE 8, then they should work to get off it and upgrade to IE 11. Upgrading to IE 11 will also help prepare environments for Windows 10, she added.

Microsoft is imposing an early deadline of sorts by specifying that only the most recent version of IE will be supported on a given Windows OS, starting on Jan. 12, 2016 (see chart).

Microsoft's long-term guidance is that organizations should try to upgrade to "modern Web standards," though, so Microsoft is also encouraging organizations "to use Edge as the default browser," Quadros added.

If an organization can migrate to IE 11, then they can try to address compatibility issues by switching the document modes in IE 11. If that doesn't work, then they can try Enterprise Mode, a compatibility technology that ships with IE 11.

Enterprise mode is a high-fidelity IE 8 emulation mode in the IE 11 browser. It provides "more granularity" control over the document modes used for sites, Quadros explained. Enterprise Mode ships on Windows 7, Windows 8.1 and will be available on Windows 10, she added. Microsoft commissioned a Forrester Research study that found that it was twice as fast to upgrade from IE 8 to IE 11 with the assistance of Enterprise Mode.

Enterprise Mode does bring a potential security risk due to the use of older technologies, as well as a slight performance impact, Quadros said.

The typical upgrade scenario is to first build an inventory of line-of-business sites. Next, perform app compatibility testing. Lastly, broken sites can be fixed and an upgrade can be performed (see chart). Quadros said that this workload looks simple, but it's easier said than done. IT pros may not have a complete list or they can't prioritize because of a lack of information. And fixing the sites is a pretty hard problem to solve, she added.

Quadros pointed to Microsoft's Enterprise Site Discovery Toolkit, which can be used to help inventory line-of-business sites based actual usage, thereby prioritizing the remediation process. For instance, Quadros said Microsoft had a customer with 20,000 apps, but only 500 were used on a daily basis, based on the toolkit, so it helped with reducing that workload.

Quadros' talk was part of a broader Microsoft Edge Web Summit event, held last week. Microsoft has archived those Summit presentations at this Channel 9 page.

Microsoft also announced some support for Edge developers. The browser supports vorlon.JS, an open source tool for debugging JavaScript. It also has support for Asm.js, a low-level sublanguage that helps Microsoft's Chakra compiler execute code "at near native code performance." As a consequence, Microsoft claims that its Edge browser now performs "more than 300% faster" on the Unity benchmark. Microsoft also made improvements to the F12 developer tools available for the Edge browser.