Microsoft Edge’s Super Duper Secure Mode addresses Javascript vulnerabilities in a brand new way

Rabia Noureen

Microsoft Edge has started testing a new “Super Duper Secure Mode” that should make browsing more secure by addressing Javascript vulnerabilities within the browser. The feature is currently available for Edge Insiders, and it’s hidden behind an experimental flag in the Canary, Dev, and Beta channels.

Microsoft’s research has revealed that attackers usually target the JavaScript engine called “Just-In-Time (JIT) compilation” to hack web browsers. JIT is basically a complex pipeline of processes used to optimize JavaScript code for performance. Once enabled, the new Super Duper Secure Mode will actually disable the JavaScript just-in-time (JIT) compiler to prevent attackers from hacking into systems of Microsoft Edge users.

With the JIT engine disabled, the Microsoft Edge team enabled additional security features including Control Flow Guard (CFG), Windows’ Arbitrary Code Guard (ACG) as well as Intel’s Control-flow Enforcement Technology (CET). According to Microsoft, JIT had compatibility issues with all these features, and turning off the JavaScript engine should help to provide a more secure browsing experience.

“By disabling JIT, we can enable both mitigations and make exploitation of security bugs in any renderer process component more difficult,” explained Johnathan Norman, Microsoft Edge Vulnerability Research Lead. “This reduction in attack surface kills half of the bugs we see in exploits and every remaining bug becomes more difficult to exploit. To put it another way, we lower costs for users but increase costs for attackers.”

Average Improvement and Regression Chart

If you want to try out Super Duper Secure Mode, you will need to open Microsoft Edge and go to the edge://flags page. Then type “Super Duper Secure Mode” in the search bar, enable this feature, and finally restart the browser.

Super Duper Secure Mode Flag

However, keep in mind that the Super Duper Secure Mode is an experimental feature in Microsoft Edge, and it may break some websites. Norman noted that the company plans to bring this feature to other platforms, including macOS and Android.

In the meantime, Microsoft will keep listening to user feedback to improve this new Super Duper Secure Mode before making it generally available for everyone. “Our hope is to build something that changes the modern exploit landscape and significantly raises the cost of exploitation for attackers. Mitigations have a long history of being bypassed, so we are seeking feedback from the community to build something of lasting value,” Norman said today.