Quid pro Chromium

Microsoft Edge Chromium research announced

UPDATED Microsoft has announced plans for a Project Zero-style security research program focused on Chromium, after rebuilding the Edge browser using the open source codebase.

Having relaunched Internet Explorer’s successor as a Chromium-based browser, the tech giant tasked a team of browser security experts to undertake research into Google’s browser-building repository.

“Over the next few months, we will detail some of the vulnerabilities we have found so far, how we exploited them, the methods we used to identify those issues and lessons from trying to secure a complex codebase,” said Johnathan Norman, principal security engineering lead at Microsoft, in a blog post published yesterday (October 15).

“Although we are not limiting ourselves to any specific topics, we plan to share code and writeups for exploits, tools for finding bugs and share some insights into how we are working to secure Edge.”

Project scope

The research, which Norman said would be published in accordance with responsible disclosure guidelines, “will primarily focus on Edge and other Chromium-based browsers but will occasionally include other targets as well”.

The initiative will effectively see Microsoft emulating Trend Micro’s Zero Day Initiative and Google’s Project Zero, established in 2005 and 2014 respectively to research zero-day security vulnerabilities and publicly disclose the findings for the benefit of the wider infosec community.

After accepting an invitation from Google to discuss possibilities for greater Chromium collaboration, Microsoft’s “security researchers spent several months studying past vulnerabilities as well as exploit techniques, using write-ups from independent researchers, Google Project Zero, Zero Day Initiative, and others” in a bid to secure the new incarnation of Edge.

Edge, which was hitherto based on Microsoft’s own proprietary browser and JavaScript engines, was relaunched in January 2020 as a Chromium-based web browser.

Read more of the latest browser security news

Norman said the move meant Microsoft could draw on the lessons learned from security research undertaken on Chromium since its 2008 launch and “rethink our approach” to securing Edge.

Since migrating to Chromium, Microsoft has “reported hundreds of security vulnerabilities to the Chromium project, contributed fixes, and worked with the Chromium team to improve the sandbox on Windows”.

Supported by this research, Chromium-based Edge has had 200% fewer vulnerabilities reported by external researchers compared to legacy Edge, and has “remained untouched during the 2020 Pwn2Own competition”, said Norman.

However, with multiple browsers using the same codebase, the benefits of this research will be felt more widely, said Norman.

“In that spirit we have decided to share our work with the public in the hopes that it may help others, just as we were helped when redesigning the Edge browser.”

Dustin Childs, communications manager for the Zero Day Initiative, welcomed the announcement.

“Having almost all of our web browser eggs in one Chromium-based basket certainly provides attackers a diverse target,” he told The Daily Swig. “The more researchers we have looking for bugs to fix, the better.”

In particular, Childs said he was intrigued “to see the number and types of bugs” Microsoft finds, and whether “they can bridge the patch gap between when Chromium updates and when those updates are integrated into Chromium-based Edge. That delay may be small, but it could allow attackers a window of opportunity.”

Chromium browser market

Containing 25 million lines of code, Chromium is one of the largest, most complex open source projects in the world.

With a 7.5% market share, Edge is currently the third most popular browser after Google Chrome, which also runs on Chromium, and Firefox, which doesn’t.

A raft of other, minor players in the market, including Opera, Vivaldi, Brave, and Blisk, are also built on Chromium.

The Daily Swig has contacted Microsoft for further comment and will update the article if we hear back.

This article was updated on October 16 with comments from the Zero Day Initiative.

YOU MAY ALSO LIKE Google launches Fuzzilli grant program to boost JS engine fuzzing research