Browser goes further to protect against bugs by disabling JIT
Microsoft has unveiled a ‘Super Duper Secure Mode’ in the latest version of the Edge browser, offering users greater protection against common vulnerabilities.
The feature was first mentioned back in August, in a blog post by Edge’s vulnerability research lead, Johnathan Norman.
Norman revealed on Twitter last night (November 22) that the feature has been rolled out “secretly” in the latest version, 96.0.1054.29.
Super Duper Secure Mode – also known as SDSM – helps to mitigate browser attacks by disabling the Just-In-Time (JIT) component in V8, a technology linked to a large number of security vulnerabilities in recent years.
JIT engines are commonly found to be vulnerable to security bugs, though Norman says that developers are willing to accept this cost because users want their browsers to be “fast”.
JIT do it
In order to defend against the plethora of bugs bundled with JIT, Super Duper Secure Mode disables the engine, removing “roughly half” of the issues present.
Norman also noted that performance times are not significantly affected by disabling the engine. For example, tests that measured improvements in power showed a 15% improvement on average. Regressions showed an 11% increase in power consumption.
Page load times, however, showed regressions [negative performance drops] averaging around 17%.
The SDSM feature also enables users to toggle between Balanced and Strict modes, giving them greater control over what is and isn’t enabled.
“Balanced learns what sites you use often and trusts those, strict is well… strict,” Norman tweeted, adding that Edge users can also add their own exceptions.
Norman noted that there are benefits beyond attack surface reduction – due to how the V8 JIT works, several impactful mitigation technologies do not work during the rendering process.
With JIT disabled, these technologies can also be utilized – for example Control-flow Enforcement Technology (CET), a new hardware-based exploit mitigation from Intel, and Arbitrary Code Guard (ACG), which cannot be used with JIT engines.
“By disabling JIT, we can enable both mitigations and make exploitation of security bugs in any renderer process component more difficult,” wrote Norman.
More information on other features bundled with the latest version of Edge is available in the release notes.