Microsoft hones Edge browser for age of sophisticated hackers

Microsoft has outlined several ways that Edge will be more secure

Microsoft says its replacement for Internet Explorer, known as Edge, will be much tougher to hack than previous browsers.

It’s out with the old and in with the new for Edge, Microsoft’s clean break from Internet Explorer, which the company says will “fundamentally improve security” over existing browsers.

In a post today, Microsoft outlined several ways that Edge will be more secure, from additional protections against phishers to improved anti-exploitation technologies and ‘always on’ sandboxing to thwart hackers.

The biggest change to security for Edge is that it’s actually an app and as such will run all processes within app container sandboxes, just like other Universal Windows apps in the Windows store. Earlier browsers, such as IE7 on Windows, did offer sandboxing but it either wasn’t universally available on all form factors or didn’t extend to all processes.

“Microsoft Edge is rebooting our browser extension model, allowing it to run its content processes in app containers, not just as a default, but all the time. Thus every Internet page that Microsoft Edge visits will be rendered inside an app container, the latest and most secure client-side app sandbox in Windows,” explained the Edge team.

Address Space Layout Randomisation (ASLR) will also be stronger, according to Microsoft, because Edge is 64-bit at all times when running on a 64-bit processor. ASLR makes it harder for hackers to predict which memory locations to hit, and the address space of a 64-bit process is “exponentially larger” than that of a 32-bit process, making life more difficult for hackers.

Edge will of course also benefit from existing security technologies that Microsoft has used to harden IE against attacks on memory bugs.

Microsoft has already explained that it will be killing off support for legacy browser technologies such as ActiveX and BHOs for its extension model, and replacing them with HTML5 and JavaScript. It hasn’t revealed any more details about that transition yet, but explained this will improve security by sharing less information between the browser and extensions.

The company’s recent adoption of web standards for its new rendering engine EdgeHTML will also deliver security benefits, including support in Edge for Content Security Policy (CSP) and HTTP Strict Transport Security (HSTS) to respectively defend against cross-site scripting attacks and man-in-the-middle attacks.

It’s playing catch-up here. Microsoft announced plans to support HSTS this February (before it was called Edge). Chrome has supported HSTS since 2009, Firefox since 2010, Opera since 2012 and Safari since 2013. Meanwhile, CSP has been led by Mozilla and Google.
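CSP and HSTS only protect users when the site sends headers that a supporting browser can enforce. The sketch below is an added example, not code from Microsoft or from the original article: it audits a response's two headers for settings that defeat them. The finding names, the 180-day threshold and the sample header values are assumptions made for illustration.

```javascript
// Added example: audit the HSTS and CSP response headers named in the article.
const MIN_MAX_AGE = 15552000; // 180 days; an assumed review threshold
// Extract the max-age directive from a Strict-Transport-Security value.
function hstsMaxAge(value) {
  const m = /(?:^|;)\s*max-age\s*=\s*"?(\d+)"?\s*(?:;|$)/i.exec(value);
  return m ? Number(m[1]) : null;
}

// Parse a Content-Security-Policy value into Map(directive -> sources).
function parseCsp(value) {
  const policy = new Map();
  for (const chunk of value.split(';')) {
    const [name, ...sources] = chunk.trim().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored; the first occurrence wins.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

function auditHeaders(headers) {
  // Header names are case-insensitive, so normalise them first.
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const findings = [];
  const hsts = h['strict-transport-security'];
  if (hsts === undefined) findings.push('hsts-missing');
  else {
    const maxAge = hstsMaxAge(hsts);
    if (maxAge === null) findings.push('hsts-no-valid-max-age');
    // max-age=0 tells the browser to forget the host's HSTS policy.
    else if (maxAge === 0) findings.push('hsts-max-age-zero-clears-policy');
    else if (maxAge < MIN_MAX_AGE) findings.push('hsts-max-age-short');
  }
  const csp = h['content-security-policy'];
  if (csp === undefined) return findings.concat('csp-missing');
  const policy = parseCsp(csp);
  // Scripts are governed by script-src, falling back to default-src.
  const scripts = policy.get('script-src') || policy.get('default-src');
  if (!scripts) return findings.concat('csp-scripts-unrestricted');
  // Browsers that honour nonces or hashes ignore 'unsafe-inline' beside them.
  const pinned = scripts.some(s => /^'(nonce|sha(256|384|512))-/.test(s));
  if (scripts.includes("'unsafe-inline'") && !pinned) findings.push('csp-unsafe-inline');
  if (scripts.includes('*')) findings.push('csp-wildcard-script-source');
  return findings;
}

// Constructed sample headers: a weak configuration beside a corrected one.
const WEAK = { 'Strict-Transport-Security': 'max-age=0', 'Content-Security-Policy': "default-src *; img-src 'self'" };
const HARDENED = {
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'nonce-EXAMPLE'; object-src 'none'",
};
console.log(auditHeaders(WEAK), auditHeaders(HARDENED));
```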

This article is brought to you by Enex TestLab, content directors for CSO Australia.
