Browser adds defense in depth to prevent abuse of unpatched vulnerabilities
Microsoft has introduced an optional feature to its Edge browser that applies more stringent security controls when users visit unfamiliar websites.
Microsoft said these changes provide “defense in depth” by making it harder for malicious sites to leverage unpatched vulnerabilities in order to write executable code into memory.
First of its kind
Rival browsers Chrome and Firefox currently lack equivalent features, although they can be configured to disable features such as JIT compilation.
As for Safari, Apple recently announced a new security feature aimed at defending users at potential risk of highly targeted cyber-attacks that also disables JIT and other complex web technologies, unless the user excludes a trusted site. Called Lockdown Mode, this feature is designed to protect journalists, politicians, and human rights activists from spyware.
The feature was rolled out in Microsoft Edge version 104, which was released August 5.
Three levels of security
The new feature, which is turned off by default, can be enabled as one of three modes.
In its ‘basic’ – and recommended – configuration, the feature applies “added security protection to the less visited sites”, but “preserves the user experience for the most popular sites on the web”, explained Microsoft.
Basic mode does not adapt according to user behavior. By contrast, ‘balanced’ mode “builds on user’s behavior on a particular device, and Microsoft’s understanding of risk across the web to give sites that users are most likely to use and trust full access to the web platform, while limiting what new and unfamiliar sites can do”.
Finally, the ‘strict’ setting applies enhanced safeguards universally against all sites. It isn’t recommended for most end users because of the additional configuration required for users “to complete their normal tasks”.
In all three modes, users can create exceptions for trusted websites, with enterprise admins able to create ‘allow’ and ‘deny’ lists.
Sites that use WebAssembly (WASM), a binary instruction format for stack-based virtual machines, are not currently supported by the feature. Sites that need WASM can be added to the exception site list.
An ‘added security’ banner appears in the URL navigation bar when enhanced security mode is activated for a particular site.