Since Internet Explorer was launched by Microsoft in 1995, it has struggled to gain praise from the security industry, despite being one of the most widely used web browsers.
Its early iterations were undeniably vulnerable to a wide variety of attacks, but Microsoft has continued to improve and add security features and controls with each new release.
However, after years of security issues and frustrations, Microsoft has finally decided to retire Internet Explorer, making IE 11 the last version. The company is replacing IE with Microsoft Edge, which will be the default browser on Windows 10 PCs, smartphones, and tablets, although IE 11 remains available for compatibility reasons.
Most of the usability features of Microsoft Edge will certainly appeal to the average user. For example, it lets them take notes, write, doodle, and highlight directly on web pages, and it also integrates with the digital assistant Cortana.
What is not so obvious – and what organizations should definitely know – is that Edge is a ground-up rebuild of IE with many new and/or improved security controls that aim to make browsing safer for businesses and home users.
Microsoft Edge security features for businesses
One big change that should improve the security of Microsoft Edge is that it was written as a Universal Windows App, which means all of its processes run in app container sandboxes. IE 10 introduced Enhanced Protected Mode, a browsing sandbox, but it was only optional on the desktop in IE 10 and IE 11. Edge renders every page in an app container not just by default but all the time, keeping any malicious code isolated from other areas of the system.
Additional protection is provided by various memory abuse mitigations. Microsoft has been introducing these to Windows and IE for some time, but they will be enabled by default in Microsoft Edge. For example, MemGC (Memory Garbage Collector) removes the responsibility for freeing memory from the programmer by automating the process, and therefore makes buffer overflow vulnerabilities less likely, while CFG (Control Flow Guard) helps limit where a memory corruption attack can jump to.
Additionally, the fact that Edge runs as a 64-bit process on 64-bit systems greatly increases the address space that the Address Space Layout Randomization (ASLR) mitigation can use to hide memory addresses belonging to the process from attackers.
Microsoft Edge will use a new rendering engine, EdgeHTML. This renderer supports the W3C standards for Content Security Policy and HTTP Strict Transport Security, which protect against cross-site scripting and force connections to a site over HTTPS, respectively. These standards help web developers better defend their sites against attacks.
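As an added illustration (not code from the original article or from Microsoft), the following Python checker shows what a web developer would look for when relying on the two standards just mentioned: it parses Strict-Transport-Security and Content-Security-Policy headers and flags a weak configuration beside a hardened one. The header values and the 180-day minimum HSTS age are constructed assumptions for this example.

```python
import re
from typing import Dict, List

# Constructed sample responses: a weak configuration beside a hardened one.
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=0",
    "Content-Security-Policy": "default-src * 'unsafe-inline' 'unsafe-eval'",
}
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": ("default-src 'self'; script-src 'self'; "
                                "object-src 'none'; frame-ancestors 'none'"),
}

def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [sources]} (directives are ';'-separated)."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def check_hsts(value: str, min_age: int = 15552000) -> List[str]:
    """Findings for an HSTS header; min_age (180 days) is an assumed baseline."""
    findings = []
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.I)
    if not m:
        findings.append("HSTS: max-age missing, browsers ignore the header")
    elif int(m.group(1)) < min_age:
        findings.append(f"HSTS: max-age {m.group(1)} is below {min_age}")
    if "includesubdomains" not in value.lower():
        findings.append("HSTS: includeSubDomains absent; subdomains stay downgradable")
    return findings

def check_csp(value: str) -> List[str]:
    """Findings for a CSP header, focused on the script and plugin sources."""
    findings = []
    policy = parse_csp(value)
    if "default-src" not in policy:
        findings.append("CSP: no default-src fallback")
    # script-src falls back to default-src when it is not set explicitly.
    scripts = policy.get("script-src", policy.get("default-src", []))
    for bad in ("'unsafe-inline'", "'unsafe-eval'", "*"):
        if bad in scripts:
            findings.append(f"CSP: scripts allow {bad}, which undermines XSS protection")
    if "object-src" not in policy and "'none'" not in policy.get("default-src", []):
        findings.append("CSP: object-src unrestricted; plugin content is allowed")
    return findings

def audit(headers: Dict[str, str]) -> List[str]:
    """Audit a response header map; an empty list means both controls look sound."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security")
    findings += check_hsts(hsts) if hsts else ["HSTS: header absent"]
    csp = h.get("content-security-policy")
    findings += check_csp(csp) if csp else ["CSP: header absent"]
    return findings
```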
Edge also includes a major overhaul of the DOM representation in browser memory, making the browser code more resistant to attacks that attempt to subvert the browser. To reduce the threat posed by poorly written browser extensions, Edge will not provide any support for VML, VBScript, toolbars, BHOs, or ActiveX, relying instead on the rich capabilities of HTML5.
Microsoft SmartScreen, originally introduced in IE 8, remains one of the checks that defends against malicious sites trying to trick users into downloading malware, by performing a reputation check on the websites a user visits. Phishing – when an attacker tricks a user into entering their credentials or other confidential information into a fake version of a website they trust – remains a very effective method of stealing sensitive user data. Although many sites spend money on digital certificates, which should help a user verify the site they are visiting, attackers still manage to deceive users in this regard. Edge takes an innovative approach to solving the problem by using Windows 10’s new single sign-on Passport technology, which saves users from entering clear-text passwords on websites and replaces them with a PIN or biometric authentication. Passport will also work with Microsoft’s Azure Active Directory services. All biometric credentials are secured and stored locally on the user’s device and are never sent over the network. This feature will certainly complement many corporate identity and access management programs that are starting to provide full two-factor authentication support.
While Microsoft believes Edge is the company’s most secure web browser to date, it recognizes that software is still vulnerable and securing it is a process, not a destination. Therefore, Edge is included in Microsoft’s bug bounty program, which offers rewards to hackers who report bugs in its software.
Edge certainly improves the quality of the security controls in place to protect users, but it will undoubtedly start the next round of the never-ending arms race with malicious hackers.
About the Author:
Michael Cobb, CISSP-ISSAP, is a renowned security author with over 20 years of experience in the computer industry. He is co-author of the book IIS Security and has written numerous technical articles for leading IT publications. He is also a former Microsoft Certified Database Manager and a registered consultant with the CESG Listed Advisor Scheme (CLAS). Cobb is passionate about making IT security best practices easier to understand and implement. His website offers free security posters to educate employees about the importance of protecting company and customer data and following best practices.