As soon as Microsoft announced its plan to replace the problematic Internet Explorer with a brand new browser on Windows 10 systems, people were quick to wonder whether it was too little too late.
While the IE browser will still be available in some deployments, namely for enterprise compatibility, a ground-up rebuild will be the default in all versions of Windows 10.
Microsoft attempted to quash fears this week, publishing a blog post Monday that outlined technologies developers believe will defend users against "increasingly sophisticated and prevalent attacks."
Microsoft Edge, previously referred to as "Project Spartan," boasts a number of features to deter phishing attacks and browser hacking -- but is it enough to change people's minds about the security of a Microsoft browser?
Taking the 'Edge' off phishing attacks
To help prevent users from falling victim to phishing and other social engineering attacks, Edge will use Microsoft Passport with asymmetric cryptography, which removes a troublesome password and replaces it with a PIN or biometric authentication.
Microsoft Edge will also use a new rendering engine, dubbed EdgeHTML, which defends against phishing by supporting two standards: the W3C standard for content security policy, which protects against cross-site scripting attacks, and HTTP Strict Transport Security, which ensures secure connections to websites.
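Both protections only take effect when a site sends the corresponding response headers, so the defender's side of this is checking them. The following is an added example, not code from Microsoft or from this article; the function names, finding codes, 180-day threshold and sample headers are assumptions made for illustration.

```javascript
// Added example: hypothetical helper names; threshold and sample are constructed.
const MIN_MAX_AGE = 15552000; // 180 days, a threshold chosen for this example

// Return the max-age of a Strict-Transport-Security value, or null if absent/invalid.
function hstsMaxAge(value) {
  for (const part of value.split(';')) {
    const [name, raw = ''] = part.trim().split('=');
    const num = raw.trim().replace(/^"|"$/g, '');
    if (name.trim().toLowerCase() === 'max-age' && /^\d+$/.test(num)) return Number(num);
  }
  return null;
}

// Parse a Content-Security-Policy value into a Map of directive -> sources.
function parseCsp(value) {
  const policy = new Map();
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored: only its first occurrence counts.
    if (tokens.length && !policy.has(tokens[0].toLowerCase())) {
      policy.set(tokens[0].toLowerCase(), tokens.slice(1));
    }
  }
  return policy;
}

// Return finding codes for one response fetched over `scheme`.
function auditHeaders(scheme, headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const findings = [];
  const hsts = h['strict-transport-security'];
  if (hsts === undefined) findings.push('hsts-missing');
  else if (scheme !== 'https') findings.push('hsts-ignored-over-http'); // browsers discard it
  else {
    const maxAge = hstsMaxAge(hsts);
    if (maxAge === null) findings.push('hsts-invalid');
    else if (maxAge < MIN_MAX_AGE) findings.push('hsts-short-max-age');
  }
  if (h['content-security-policy'] === undefined) return findings.concat('csp-missing');
  const policy = parseCsp(h['content-security-policy']);
  const scripts = policy.get('script-src') || policy.get('default-src'); // fallback
  if (!scripts) return findings.concat('csp-no-script-restriction');
  const strict = scripts.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
  if (scripts.includes("'unsafe-inline'") && !strict) findings.push('csp-unsafe-inline');
  if (scripts.includes('*')) findings.push('csp-wildcard-script-source');
  return findings;
}
// Constructed sample: short HSTS lifetime and inline scripts allowed.
const SAMPLE = { 'Strict-Transport-Security': 'max-age=300', 'Content-Security-Policy': "default-src 'self' 'unsafe-inline'" };
console.log(auditHeaders('https', SAMPLE));
```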
Edge offers other protections, including Microsoft SmartScreen to block potentially malicious sites, as well as Microsoft Certificate Reputation, which protects against websites using fraudulent certificates.
Taking the 'Edge' off browser hacking
Microsoft Edge will not support vulnerable extensions such as VML, VBScript, Toolbars, BHOs or ActiveX; the browser will support HTML5, which not only offers "rich capabilities," but is also "interoperable across browsers."
Edge is a Universal Windows app, which will "provide the user and the platform with the confidence provided by other Windows store apps." Both the outer manager process and assorted content processes will reside in what developers are calling the "latest and most secure client-side app sandbox in Windows."
The new browser will also run as a 64-bit process on 64-bit systems. This, the developers say, makes ASLR "exponentially stronger" as an increased address space will make it harder for attackers to find components needed for attacks.
Other controls will also be used, including Memory Garbage Collector or MemGC, which will defend against use-after-free vulnerabilities, and Control Flow Guard or CFG, which restricts where memory corruption attacks can jump to.
Edge bug bounties
"Despite all efforts," the Microsoft blog reads, "there will be security vulnerabilities in Microsoft Edge that we do not yet know about."
To minimize the effect of these vulnerabilities, Microsoft announced its Windows 10 Technical Preview Browser Bug Bounty program, in which researchers can report Edge security issues to Microsoft during the preview period.
The bounty for Edge, which is still listed as "Project Spartan Bug Bounty" on Microsoft's site, is currently running and ends June 22, 2015.
In other news
- A report published by Absolute Software Corp. Wednesday revealed younger workers pose a greater threat to corporate data than their older counterparts. The "US Mobile Device Security Survey Report" polled 762 American adults over the age of 18 to demonstrate the attitudes Millennials and Baby Boomers have towards IT. According to the report, 25% of Millennials admit to compromising IT security as opposed to 5% of Baby Boomers, and 35% of Millennials modify the default settings on their devices, more than four times as many as Boomers (8%). Additionally, 64% of Millennials use their work devices for personal use, as opposed to 37% of the older generation. Twenty-seven percent of the younger generation access "not safe for work" content -- including personal email, online banking, social media and file sharing among other things. Only 5% of Boomers admitted to NSFW usage.
- Two new variants of ransomware were identified this week. The Symantec Security Response Team identified a Breaking Bad-themed ransomware infecting computers in Australia and requiring up to $1,000AU for the decryption of files. The malware, labeled Trojan.Cryptolocker.S by Symantec, uses popular themes from the hit TV show, including "Los Pollos Hermanos" branding and Walter White's infamous "I am the one who knocks" quote. In a blog post published Monday, Symantec researchers described the malware as using social engineering to infect victims through a malicious zip file. The attackers then run their own PowerShell script on the infected computer to execute the ransomware, which encrypts files using a random AES key, which is then encrypted with an RSA public key "so that victims can only decrypt their files by obtaining the private key from the attackers."
- The second variety of ransomware discovered this week was identified by Brian Duncan, security researcher at Rackspace Inc. Duncan wrote a blog post Tuesday about a variant of TeslaCrypt and AlphaCrypt that uses the Angler exploit kit. The unnamed ransomware uses instructions similar to CTB-Locker, requesting users to transfer $528 worth of Bitcoin to unlock encrypted files. Duncan infected four hosts in five hours and noted that while the ransomware delivered the same malware file with the same hash, each infection instance used a different Bitcoin address. "From what I can tell," Duncan wrote, "TeslaCrypt and AlphaCrypt are very similar to CryptoLocker. This new, unnamed variant appears to be another evolution from this family of ransomware."
- Two new proof-of-concept exploits were published this week that run on an infected computer's graphics processors (GPUs). Placing the code in the processor's onboard memory avoids traditional antimalware technology, which generally only scans system hard drives and memory. The Jellyfish rootkit and Demon keylogger were published on GitHub this week by an anonymous team of developers, who said the code was for "educational purposes only" to raise awareness of security tools that do not scan other places for malware, such as the RAM used by GPUs. The keylogger captures keystrokes and passwords and stores them in GPU memory; Jellyfish spies on CPU host memory via DMA. Security expert Graham Cluley said, "Your security software might pick up if suspicious code has made modifications to your operating system's processes or low-level hooks, but an attack based entirely in the GPU is likely to go unnoticed." Cluley said the potential threat is not as big as it may seem; first of all, writing GPU-based malware requires a lot of effort. Secondly, a hacker would need physical access to a system to infect it. However, if an attacker has a specific target in mind, the attack is feasible. Also, Cluley noted, state-sponsored attackers with means to infiltrate the supply chain could get the job done.
- High-profile criminal defense attorney Arkady Bukh took to Twitter earlier this month to announce the opening of his "different kind of cybersecurity firm" -- one that offers data protection services but has "a background that most cybersecurity firms don't have." Perhaps overlooking Kevin Mitnick's long-since established consultancy, Bukh argues that his own roster of black hat hackers are now "using their knowledge of computers to do good." One thing he may have over the likes of Mitnick is that this group has some of the world's once most-wanted cybercriminals; Igor Klopov, for example, reportedly used the Internet to rob $1.5 million from the financial accounts of individuals on the Forbes 400 list. And Oleg Nikolaenko, the "King of Spam," ran one of the largest botnets in the world which reportedly caused 32% of all spam at one point. The Manhattan-based CyberSec Inc. offers vulnerability assessments, penetration tests, data breach prevention, and risk assessment and analysis services, along with incident response during cybercrime investigations, computer forensics and cyber incident readiness planning. Bukh also offers legal compliance advice. CyberSec's panel of experts also includes decidedly checkered and ostensibly reformed hackers Dmitry Naskovets and Vladislav Horohorin.