In this day and age, online safety and security is a big deal. When you think about all the sensitive information you have online, having that information stolen or compromised is not something anyone wants to deal with. That’s why Microsoft is taking advanced measures to ensure user security in the new Microsoft Edge browser.
In a recent blog post, the Microsoft Edge team details several steps it will take to protect users from attacks and scams which it developed closely with the Windows team. To defend against phishing attacks, where an attacker tries to trick the user into providing them with sensitive information like banking passwords, the software giant will rely on its Microsoft Passport technology, use stronger credentials and certificates to protect against fraudulent websites, utilize its SmartScreen technology which will function system wide as it is part of the Windows 10 Shell, and support the latest HTML5 security protocols.
To defend against hacking, the company has opted to drop support for its ActiveX extension in Microsoft Edge, and will instead focus on HTML5 which is now fairly rich in terms of its functional capabilities. Also, because Microsoft Edge is a universal app, Microsoft claims that this “fundamentally changes the process model, so that both the outer manager process, and the assorted content processes, all live within app container sandboxes”, thus making it harder for hackers to gain control of the browser. Additionally, changes to the browsers extension model will also make it more of a headache for hackers to get their hands on user information.
“Microsoft Edge is rebooting our browser extension model, allowing it to run its content processes in app containers, not just as a default, but all the time. Thus every Internet page that Microsoft Edge visits will be rendered inside an app container, the latest and most secure client-side app sandbox in Windows.”
Microsoft also confirmed that Microsoft Edge is a 64-bit application through and through. Except, of course, if it is running on a 32-bit processor, which are hard to come by nowadays. The browser being 64-bit mean that Windows ASLR (Address Space Layout Randomization) – a security measure that loads code in different locations in memory – is also a lot stronger. Now, hackers trying to inject malicious code into the browsers processes in order to gain control will have to scan a much larger pool of address space to hit their specific memory targets.
Speaking of memory, Microsoft is also doing everything it can to defend against memory corruption attacks in the Microsoft Edge browser. This is where an attacker provides restructured, malformed input to a program which the program doesn’t know how to handle. This corrupts the programs memory state, allowing an attacker to gain access to it. Microsoft will defend against this by using a memory garbage collector called MemGC, Control Flow Guard which is a technology also built into Visual Studio, in addition to taking advantage of the company’s bug bounty program, where Microsoft will offer rewards to hackers that discover and turn in bugs in its software, offering them a legitimate way to make big money (up to $50,000) doing what they do best.
According to Microsoft, security is a process, not a destination. The fact is, software is always vulnerable and there will always be bugs to fix, and holes to patch. As attackers continue to find new ways to steal information, Microsoft is doing everything it can to stay one step ahead.
Further reading: Microsoft, Microsoft Edge, Project Spartan, Security
