Ever since Internet Explorer was launched by Microsoft in 1995, it has struggled to gain plaudits from the security industry -- despite being one of the most widely used Web browsers.
Its first few iterations were undeniably vulnerable to a wide variety of attacks, but Microsoft continued to improve and add security features and controls with each new release.
However, after years of security issues and frustrations, Microsoft has finally decided to retire Internet Explorer, making IE 11 the last release. The company decided to replace IE with Microsoft Edge. Edge will be the default browser on Windows 10 PCs, smartphones and tablet devices -- though IE 11 will still be available for compatibility reasons.
Many of the usability features of Microsoft Edge will certainly appeal to the average user. For example, it lets them take notes, write, doodle and highlight directly on webpages, and it also integrates with the Cortana digital assistant.
What isn't so obvious -- and what organizations should certainly know -- is that it's a ground-up rebuild of IE with many new and/or improved security controls that aim to make surfing safer for enterprise and home users alike.
Microsoft Edge security features for enterprises
One big change that should improve Microsoft Edge security is that it's been written as a Universal Windows app, meaning all processes will run within app container sandboxes. IE 10 introduced Enhanced Protected Mode, a browsing sandbox, but it was only an option on the desktop in IE 10 and IE 11. Edge renders every page inside an app container not just as a default, but all the time, keeping malicious code isolated from other areas of the system.
Further protection is provided by various memory abuse mitigators. Microsoft has been introducing these into Windows and IE for some time, but they will be turned on by default in Microsoft Edge -- in fact, a lot of older opt-in security features are now set to be always-on. For example, MemGC (Memory Garbage Collector) removes the responsibility of freeing memory from the programmer by automating the process, and therefore makes buffer overflow vulnerabilities less likely, while CFG (Control Flow Guard) helps limit where a memory corruption attack can jump to.
Additionally, the fact that Edge will run as a 64-bit process on 64-bit systems dramatically increases the address space that the Address Space Layout Randomization mitigation can use to obscure process-related memory addresses from attackers.
Microsoft Edge will use a new rendering engine, EdgeHTML. This rendering engine supports the W3C standards for Content Security Policy and HTTP Strict Transport Security, which respectively help protect against cross-site scripting and force connections to a site over HTTPS. These standards help Web developers better defend their sites against attack.
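A browser that honours CSP and HSTS can only enforce what the site actually sends, so the check a practitioner wants is whether those headers are present and strong. The following is an added example, not code from the article: a small audit that parses both headers and flags the gaps a browser cannot compensate for. The sample headers are constructed.

```python
"""Audit Content-Security-Policy and Strict-Transport-Security response headers."""

ONE_YEAR = 31536000  # seconds; a widely used minimum for HSTS max-age


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source expressions]} (case-insensitive)."""
    policy: dict[str, list[str]] = {}
    for directive in value.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return policy


def parse_hsts(value: str) -> dict[str, str]:
    """Split an HSTS header into {parameter: value} ('' for flags like includeSubDomains)."""
    params: dict[str, str] = {}
    for token in value.split(";"):
        name, _, val = token.strip().partition("=")
        if name:
            params[name.strip().lower()] = val.strip()
    return params


def audit_headers(headers: dict[str, str]) -> list[str]:
    """Return findings for weak or missing CSP/HSTS; an empty list means no issues."""
    findings: list[str] = []
    lower = {k.lower(): v for k, v in headers.items()}

    csp = lower.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing: browser cannot restrict script sources")
    else:
        policy = parse_csp(csp)
        # script-src falls back to default-src when absent, as the CSP spec defines.
        script_src = policy.get("script-src", policy.get("default-src"))
        if script_src is None:
            findings.append("CSP has neither script-src nor default-src: scripts unrestricted")
        else:
            if "'unsafe-inline'" in script_src:
                findings.append("CSP allows 'unsafe-inline': injected inline script would run")
            if "*" in script_src:
                findings.append("CSP script-src allows any origin (*)")

    hsts = lower.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing: first connection can be downgraded to HTTP")
    else:
        try:
            max_age = int(parse_hsts(hsts).get("max-age", "-1"))
        except ValueError:
            max_age = -1
        if max_age < ONE_YEAR:
            findings.append(f"HSTS max-age {max_age} is below one year ({ONE_YEAR})")
    return findings


# Constructed sample headers: a weak configuration beside a hardened one.
WEAK_HEADERS = {
    "Content-Security-Policy": "default-src *; script-src * 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=600",
}
HARDENED_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.com; object-src 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(name, audit_headers(hdrs) or ["no findings"])
```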
Edge also includes a major overhaul of the DOM representation in the browser's memory, making the browser's code more resistant to attacks that attempt to subvert the browser. To reduce the threat posed by poorly written Web browser extensions, Edge will provide no support for VML, VBScript, Toolbars, BHOs or ActiveX, instead relying on the rich capabilities of HTML5.
Microsoft SmartScreen, originally introduced in IE 8, remains one of the controls to defend against malicious sites trying to trick users into downloading malicious software, by performing a reputation check on the websites users visit.
Phishing -- where an attacker entices a user into entering his credentials or other confidential information into a fake version of a website that he trusts -- remains a highly effective method for stealing sensitive user data. Despite many sites spending money on digital certificates that should help a user verify the site he is visiting, attackers are still managing to fool users in this regard. Edge takes an innovative approach to tackling the problem by using Windows 10's new single sign-in Passport technology to remove the need for users to enter plaintext passwords into websites, replacing them with a PIN or biometric authentication. Passport will also work with Microsoft's Azure Active Directory services. Any biometric credentials are secured and stored locally on the user's device and never sent over the network. This feature will certainly complement many enterprise identity and access management programs that are starting to provide full support for two-factor authentication.
Even though Microsoft believes Edge is the company's most secure Web browser yet, it acknowledges that software is always vulnerable and that securing it is a process, not a destination. Therefore Edge is included in Microsoft's bug bounty program, which offers rewards to hackers who report bugs in its software.
Edge certainly ups the quality of security controls in place to protect users, but it will no doubt start the next round in the never-ending arms race with malicious hackers.
About the author:
Michael Cobb, CISSP-ISSAP, is a renowned security author with over 20 years of experience in the IT industry. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. He was also formerly a Microsoft Certified Database Manager and a registered consultant with the CESG Listed Advisor Scheme (CLAS). Cobb has a passion for making IT security best practices easier to understand and achievable. His website offers free security posters to raise employee awareness of the importance of safeguarding company and client data and of following good practices.