Microsoft Edge security features raise the bar in Web browser safety

Learn about the new and improved security features in the upcoming Microsoft Edge browser, including on-by-default sandboxes, Passport and HTML5.

Ever since Internet Explorer was launched by Microsoft in 1995, it has struggled to gain plaudits from the security industry -- despite being one of the most widely used Web browsers.

Its first few iterations were undeniably vulnerable to a wide variety of attacks, but Microsoft continued to improve and add security features and controls with each new release.

However, after years of security issues and frustrations, Microsoft has finally decided to retire Internet Explorer, making IE 11 the last release, and to replace it with Microsoft Edge. Edge will be the default browser on Windows 10 PCs, smartphones and tablet devices -- though IE 11 will still be available for compatibility reasons.

Many of the usability features of Microsoft Edge will certainly appeal to the average user. For example, it lets them take notes, write, doodle and highlight directly on webpages, and it also integrates with the Cortana digital assistant.

What isn't so obvious -- and what organizations should certainly know -- is that it's a ground-up rebuild of IE with many new and/or improved security controls that aim to make surfing safer for enterprise and home users alike.

Microsoft Edge security features for enterprises

One big change that should improve Microsoft Edge security is that it's been written as a Universal Windows app, meaning all processes will run within app container sandboxes. IE 10 introduced Enhanced Protected Mode, a browsing sandbox, but it was only an option on the desktop in IE 10 and IE 11. Edge renders every page inside an app container not just as a default, but all the time, keeping malicious code isolated from other areas of the system.

Further protection is provided by various memory abuse mitigators. Microsoft has been introducing these into Windows and IE for some time, but they will be turned on by default in Microsoft Edge -- in fact, a lot of older opt-in security features are now set to be always-on. For example, MemGC (Memory Garbage Collector) removes the responsibility of freeing memory from the programmer by automating the process, and therefore makes buffer overflow vulnerabilities less likely, while CFG (Control Flow Guard) helps limit where a memory corruption attack can jump to.

Additionally, the fact that Edge will run as a 64-bit process on 64-bit systems dramatically increases the address space that the Address Space Layout Randomization mitigation can use to obscure process-related memory addresses from attackers.

Microsoft Edge will use a new rendering engine, EdgeHTML. This rendering engine supports the W3C standards for Content Security Policy and HTTP Strict Transport Security, which respectively help protect against cross-site scripting and force connections to a site over HTTPS. These standards help Web developers better defend their sites against attack.
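For site owners who want to check what they actually send to a browser that enforces these two standards, the following added example (not from the original article or from Microsoft) audits a set of response headers. The 180-day floor, the finding texts and the sample headers are assumptions made for illustration.

```javascript
// Added example. The floor value and finding texts are assumptions.
const MIN_HSTS_MAX_AGE = 15552000; // 180 days, an assumed policy floor
// Split "a=1; b" or "name src1 src2; ..." into a lower-cased directive map.
function parseDirectives(value, sep) {
  const out = {};
  for (const part of value.split(";")) {
    const [name, ...rest] = part.trim().split(sep);
    // A repeated directive is ignored; the first occurrence is kept.
    if (name && !(name.toLowerCase() in out)) out[name.toLowerCase()] = rest;
  }
  return out;
}

function auditHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const findings = [];
  const hsts = h["strict-transport-security"];
  if (hsts === undefined) findings.push("HSTS header missing");
  else {
    const d = parseDirectives(hsts, "=");
    const raw = ((d["max-age"] || [])[0] || "").replace(/^"|"$/g, "");
    if (!/^\d+$/.test(raw)) findings.push("HSTS max-age missing or invalid");
    else if (Number(raw) === 0) findings.push("HSTS max-age=0 removes the policy");
    else if (Number(raw) < MIN_HSTS_MAX_AGE) findings.push("HSTS max-age below floor");
    if (!("includesubdomains" in d)) findings.push("HSTS lacks includeSubDomains");
  }

  const csp = h["content-security-policy"];
  if (csp === undefined) findings.push("CSP header missing");
  else {
    const d = parseDirectives(csp, /\s+/);
    const script = d["script-src"] || d["default-src"]; // default-src is the fallback
    if (!script) findings.push("CSP has no script-src or default-src");
    else {
      const src = script.map((s) => s.toLowerCase());
      // A nonce or hash source makes CSP2+ browsers ignore 'unsafe-inline'.
      const strict = src.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
      if (src.includes("'unsafe-inline'") && !strict) findings.push("CSP allows inline script");
      if (src.includes("*")) findings.push("CSP allows script from any origin");
    }
  }
  return findings;
}
// Constructed sample response headers, not taken from any real site.
const SAMPLE_WEAK = {
  "Strict-Transport-Security": "max-age=3600",
  "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
};
console.log(auditHeaders(SAMPLE_WEAK));
```

An empty result means none of these checks fired; it does not mean the policy is complete.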

Edge also includes a major overhaul of the DOM representation in the browser's memory, making the browser's code more resistant to attacks that attempt to subvert the browser. To reduce the threat posed by poorly written Web browser extensions, Edge will provide no support for VML, VBScript, Toolbars, BHOs or ActiveX, instead relying on the rich capabilities of HTML5.

Microsoft SmartScreen, originally introduced in IE 8, remains one of the controls to defend against malicious sites trying to trick users into downloading malicious software; it performs a reputation check on the websites users visit.

Phishing -- where an attacker entices a user into entering his credentials or other confidential information into a fake version of a website that he trusts -- remains a highly effective method for stealing sensitive user data. Despite many sites spending money on digital certificates that should help a user verify the site he is visiting, attackers are still managing to fool users in this regard. Edge takes an innovative approach to tackling the problem by using Windows 10's new single sign-in Passport technology to remove the need for users to enter plaintext passwords into websites, replacing them with a PIN or biometric authentication. Passport will also work with Microsoft's Azure Active Directory services. Any biometric credentials are secured and stored locally on the user device and never sent over the network. This feature will certainly complement many enterprise identity and access management programs that are starting to provide full support for two-factor authentication.

Even though Microsoft believes Edge is the company's most secure Web browser yet, it acknowledges that software is always vulnerable and that securing it is a process, not a destination. Therefore, Edge is included in Microsoft's bug bounty program, which offers rewards to hackers who report bugs in its software.

Edge certainly ups the quality of security controls in place to protect users, but it will no doubt start the next round in the never-ending arms race with malicious hackers.

About the author:
Michael Cobb, CISSP-ISSAP, is a renowned security author with over 20 years of experience in the IT industry. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. He was also formerly a Microsoft Certified Database Manager and a registered consultant with the CESG Listed Advisor Scheme (CLAS). Cobb has a passion for making IT security best practices easier to understand and achievable. His website offers free security posters to raise employee awareness of the importance of safeguarding company and client data and of following good practices.

This was last published in August 2015

Join the conversation

4 comments

Is your organization looking forward to Microsoft Edge's security improvements?
I don't get it. My understanding is that Edge started off as a fork of the IE engine; so it is still IE underneath. Is that not true?
I find that kind of amusing to say since they just found a major vulnerability in IE that had to be patched out. My understanding was that IE had been replaced by Edge in Windows 10, but it seems that most of the patches that are being issued are browser related. I could be wrong on that though.
Edge is just a re-badging and re-branding of IE.

The "IE" issues are often underlying in the OS because, as usual, M$ is doing it wrong. We cannot trust Windows to be secure because of flawed design issues that are built-in "features" that are exploitable... the latest being global atom tables -- they can't fix the problem, because too much software relies on the so-called feature.