For many years now, the browser has been the most dangerous piece of software on most users’ machines. Attackers love to target browsers and a remote code execution bug in a major browser is gold for them. The browser vendors have been making gradual changes to better protect users in recent years, and now Microsoft is completely revamping the security of its main browser, adding a slew of new protections and exploit mitigations.
The browser included with the upcoming release of Windows 10 will be known as Edge, and it will have a number of security features designed to protect against the most common memory corruption and phishing attacks. And, significantly, Edge will not include support for many of the more dangerous and commonly abused extensions, such as ActiveX and VB Script.
Most of the changes that Microsoft is making with Edge are behind the scenes and won’t be visible to users. That includes the new exploit mitigations and some improvements to the sandbox, which was introduced in Internet Explorer 7 several years ago. Edge will include two features designed to protect against memory corruption attacks, MemGC and Control Flow Guard, that are on by default. The former is a mitigation that will help the browser defend against attacks on use-after-free vulnerabilities, which have become prevalent recently.
“MemGC (Memory Garbage Collector) is a memory garbage collection system that seeks to defend the browser from UAF (Use-after-free) vulnerabilities by taking responsibility for freeing memory away from the programmer and instead automating it, only freeing memory when the automation has detected that there are no more references left pointing to a given block of memory,” Crispin Cowan, senior program manager for Microsoft Edge, wrote in a post detailing the new features.
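The deferred-free idea Cowan describes can be modeled in a few lines of C. This is an added illustration, not Microsoft's code: the names `deferred_free`, `sweep` and the `roots` array (standing in for the stack and heap words a real collector would scan) are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#define MAX_PENDING 8
/* Blocks the program asked to free that have not been released yet. */
static struct { void *ptr; size_t size; } pending[MAX_PENDING];
static size_t npending;

/* Stand-in for free(): queue the block instead of releasing it at once. */
int deferred_free(void *p, size_t size) {
    if (!p || npending == MAX_PENDING) return -1;
    pending[npending].ptr = p;
    pending[npending++].size = size;
    return 0;
}

/* Conservative scan: does any root word point into queued block i? */
static int still_referenced(size_t i, const uintptr_t *roots, size_t n) {
    uintptr_t lo = (uintptr_t)pending[i].ptr, hi = lo + pending[i].size;
    for (size_t k = 0; k < n; k++)
        if (roots[k] >= lo && roots[k] < hi) return 1;
    return 0;
}

/* Release every queued block with no remaining reference; return the count. */
size_t sweep(const uintptr_t *roots, size_t n) {
    size_t freed = 0, kept = 0;
    for (size_t i = 0; i < npending; i++) {
        if (still_referenced(i, roots, n)) {
            pending[kept++] = pending[i];  /* stale pointer exists: keep it alive */
        } else {
            free(pending[i].ptr);
            freed++;
        }
    }
    npending = kept;
    return freed;
}
size_t pending_count(void) { return npending; }

int main(void) {
    void *a = malloc(32);
    uintptr_t roots[1] = { (uintptr_t)a };   /* a stale pointer left behind */
    deferred_free(a, 32);
    printf("freed=%zu\n", sweep(roots, 1));  /* reference remains */
    roots[0] = 0;
    printf("freed=%zu\n", sweep(roots, 1));  /* reference gone */
    return 0;
}
```

Because the block stays allocated while a stale pointer to it exists, the allocator cannot hand the same memory out again for an object that pointer might then be misused against.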
Control Flow Guard, meanwhile, is tasked with preventing attackers from taking over vulnerable apps.
“The end-game in memory-corruption is for the attacker to gain control of the CPU program counter, and jump to a code location of the attacker’s choice. CFG (Control Flow Guard) is a Microsoft Visual Studio technology that compiles checks around code that does indirect jumps based on a pointer, restricting these jumps to only jump to function entry points that have had their address taken. This makes attacker take-over of a program much more difficult by severely constraining where a memory corruption attack can jump to,” Cowan said.
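The check Cowan describes, reduced to a toy model in C. This is an added illustration, not Visual Studio's output: `register_target`, `target_is_valid` and `guarded_call` are hypothetical names, and the linear table stands in for the bitmap of valid call targets that real CFG consults.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef int (*handler_t)(int);

#define MAX_TARGETS 16
/* Valid indirect-call targets: function entry points whose address was taken. */
static uintptr_t valid_targets[MAX_TARGETS];
static size_t ntargets;

/* In real CFG the compiler and loader build this set; here it is filled by hand. */
int register_target(handler_t fn) {
    if (ntargets == MAX_TARGETS) return -1;
    valid_targets[ntargets++] = (uintptr_t)fn;
    return 0;
}

/* The check inserted before each indirect call. */
int target_is_valid(uintptr_t addr) {
    for (size_t i = 0; i < ntargets; i++)
        if (valid_targets[i] == addr) return 1;
    return 0;
}

/* Guarded indirect call: 0 and *out set on success, -1 if the target is rejected.
   Real CFG terminates the process instead of returning an error. */
int guarded_call(uintptr_t addr, int arg, int *out) {
    if (!target_is_valid(addr)) return -1;
    *out = ((handler_t)addr)(arg);
    return 0;
}

int twice(int x)  { return 2 * x; }   /* registered below */
int negate(int x) { return -x; }      /* never registered */

int main(void) {
    int r = 0;
    register_target(twice);
    printf("%d\n", guarded_call((uintptr_t)twice, 21, &r));      /* valid entry point */
    printf("%d\n", guarded_call((uintptr_t)negate, 21, &r));     /* not in the table */
    printf("%d\n", guarded_call((uintptr_t)twice + 1, 21, &r));  /* mid-function address */
    return 0;
}
```

A corrupted function pointer that lands on an unregistered function or in the middle of one fails the check before control is transferred.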
The changes to the Edge sandbox improve upon the model of Protected Mode, the sandbox-like technology that Microsoft introduced in IE 7. That technology has been modified and improved over the years, but the Edge browser will include a substantially different sandbox.
“IE10 introduced EPM (Enhanced Protected Mode) based on Windows 8’s app container sandbox. EPM provided a much stronger sandbox than protected mode, including for example deny-by-default and no-read-up semantics. EPM was on by default in the immersive browser, but was only an option on the desktop in IE10 and IE11 because some browser extensions are not compatible with EPM,” Cowan said.
“Microsoft Edge is rebooting our browser extension model, allowing it to run its content processes in app containers, not just as a default, but all the time. Thus every Internet page that Microsoft Edge visits will be rendered inside an app container, the latest and most secure client-side app sandbox in Windows.”
Another major change in Edge will be the exclusion of support for ActiveX and other extensions. ActiveX has been a security liability on Internet Explorer, as have other extensions, and attackers often target them as an easy way to take over the browser itself. Cowan said Microsoft is developing a new extension model based on HTML5, which obviates the need for older extensions.
“So to make browsers safer against attacks, and just more reliable, it is important to create an extension model that is safer, by sharing less state between the browser itself and the extensions. Thus Microsoft Edge provides no support for VML, VB Script, Toolbars, BHOs, or ActiveX. The need for such extensions is significantly reduced by the rich capabilities of HTML5, and using HTML5 results in sites that are interoperable across browsers,” Cowan said.
Security experts say the changes made for the new Edge browser are necessary and should have a good effect on user security.
“For the vast majority of users, the Internet is the browser. If Microsoft wants to continue to compete in the marketplace, they need to step up their game for browser security… and they have been losing to Google now for a few years,” said Andrew Storms, vice president of security services at New Context.
“When it comes to protecting the browser itself, Microsoft has been making some pretty big leaps forward in terms of security. We have to continue to applaud them for making the right decisions. For example, the choice to remove support for antiquated and insecure technology like ActiveX is a move long overdue. Better containerization of the application and better memory protections are also much needed and appreciated steps in the right direction,” Storms said.
Windows 10 is due to be released later this year, and Microsoft is offering a new bug bounty for researchers who find vulnerabilities in the Edge browser during the technical preview period.