Microsoft Announces 'Super Duper Secure Mode' for Edge (therecord.media) 51
Microsoft said this week it plans to run an experiment in its Edge web browser where it will intentionally disable an important performance and optimization feature in order to enable more advanced security upgrades in what the company is calling Edge Super Duper Secure Mode. From a report: Announced today by Johnathan Norman, Microsoft Edge Vulnerability Research Lead, the idea behind the new Super Duper Secure Mode is to disable support for JIT (Just-In-Time) inside V8, the Edge browser's JavaScript engine. JIT, while unknown to most end-users, plays a crucial role in all of today's web browsers. JIT works by taking JavaScript and compiling it to machine code ahead of time. If the browser needs the code, it gains a significant speed boost. If it doesn't, the code is discarded.
However, JIT support in V8 is complex. Norman said JIT-related security issues amounted to 45% of all V8 vulnerabilities in 2019. Furthermore, more than half of the "in the wild" Chrome exploits rely on JIT-related bugs. Norman said that recent tests carried out by the Edge team have shown that despite its pivotal role in speeding up browsers in the early and mid-2010s, JIT is not a crucial feature anymore to Edge's performance.
windows server default for IE that is next to usel (Score:2)
windows server default for IE that is next to useless?
Re: (Score:1)
I couldn't decide if I should mod this funny or insightful; or maybe even troll. You made me laugh anyway.
Re: (Score:2)
but it even blocked stuff in the MMC and other built-in control panels
Do I need a secret decoder ring for this? (Score:2)
Bromite (Score:2)
Huh? (Score:2)
Will it be even more secure than ActiveX? (Score:1)
Of course you could have mega super secure (Score:2)
if you block javascript/ads/trackers.
and if you're on windows, you should probably use a "good" AV.
Why Use a Browser-War Combatant's Tool? (Score:1)
Re: (Score:2)
Google, Oracle, and MS are fighting over who gets to break the internet.
Re:Why Use a Browser-War Combatant's Tool? (Score:4, Insightful)
What do you mean "fighting"? Google won the war to break the internet about 10 years ago when it hijacked web standards away from W3C using WHATWG in combination with its sock puppet, Mozilla, which it pays to do that role to the tune of billions of dollars.
Google now owns the rendering engine, web standards, the committee and people responsible for web standards, and de facto owns the only real competition, Mozilla, because it's made Mozilla financially dependent on it. That's why even Microsoft had to use Chromium, because Google did what Microsoft couldn't - it took over the web and forced everyone else to accept its way or the highway.
That's why I don't really understand what the GP is on about, he's complaining that Microsoft failed to take over the web 20 years ago and saying you shouldn't trust their browser, most likely using a browser that's either Google's, or financially dependent on Google and so always stands with Google.
It's like pointing out the window at your shifty neighbour saying he might break into your house and steal your shit one day whilst an entire mob of actual robbers are working away all around you carrying all your stuff into their getaway vehicle.
Re: (Score:1)
Google, Oracle, and MS are fighting over who gets to break the internet.
But it's Cloudflare and Akamai that can actually do it.
V8 is a beast of a machine (Score:3)
With Sparkplug, Ignition, Turbofan, and Turboprop as V8's interpreters/JIT engines, and having them interact and giving type feedback between them for optimization and de-optimization, V8 exchanges speed for an incredible amount of complexity.
Just stop using Javascript (Score:3)
Re: (Score:3)
Without that, the web is mostly back to static pages of text.
A lot of functionality moves back into desktop applications, and desktops still don't have the right security model to deal with modern threats.
https://xkcd.com/1200/ [xkcd.com]
So in the end, things will get worse because you don't even need to exploit anything anymore. You can do pretty much anything you want, except for installing drivers.
Re:Just stop using Javascript (Score:5, Insightful)
Without that, the web is mostly back to static pages of text.
You say that as if it's a bad thing.
Re: (Score:1)
That would be horrible! You don't remember the horror.
If you think JavaScript abuse is bad now, you should have seen the monstrosities people came up with to build applications out of the old, mostly static, web. I remember the hell of nested tables that bogged down the network, the server, and the local machine as every action triggered 500k download of barely passable html, all to add some red text with a vague message about an incorrectly completed field which you better remember because it didn't repo
Re: (Score:2)
Without that, the web is mostly back to static pages of text.
You say that as if it's a bad thing.
Oh this...
I long for the days where the marquee tag was the worst code you'd get on a website, barring that a poorly sized pane.
Now we get intrusive menus, hidden menus, popups, pop unders, pop reach-arounds, sign up for my fucking mailing list, hidden menus, unstoppable animations and videos that have hideous audio... And that is just the content... You've web developers who never code for anything but mobile... so the website uses about 1/4 of my 27" 4K monitor and that isn't even a high end monitor
Re: (Score:3)
Re: (Score:1)
There are plenty of very simple frameworks. E.g:
https://vuejs.org/ [vuejs.org]
https://backbonejs.org/ [backbonejs.org]
Re:Just stop using Javascript (Score:5, Insightful)
Re: Just stop using Javascript (Score:1)
Re: (Score:1)
That's the fault of idiots who use these stupid frameworks instead of just writing things themselves.
HTML5, JS, and CSS are more than capable of meeting the needs of today's web applications. Frameworks mostly just get in the way.
You're right. They're bloated, slow, and end users hate the results. But far worse than all that is that they don't actually add any value! Most of them make developing web applications *more* complicated, not less! It's insane to me that anyone would use these things!
Re: (Score:2)
Re: (Score:2)
That would be, you know, pragmatic and rational. Hence it has zero chance to get implemented.
Re: (Score:2)
Nothing is stopping a web application developer from implementing "don't use JavaScript". It is supported by all browsers.
Although I guess that requirements from stakeholders will include things that make "don't use JS" quite unpragmatic.
Re: (Score:2)
It's not up to me, you asshat. If people block JavaScript, the obvious answer is to generate content using JavaScript from the same origin as your advertising, so you either get content and adverts, or neither.
I can't reprogram those websites, and you can't either.
Web page generation can absolutely be done by anyone, using simple markup, and fed through some sort of generation like wikipedia or some other content management system, with JavaScript as the delivery mechanism.
It's like you don't know anything
Re: (Score:2)
Asshat?
"It's like you don't know anything about the modern web."
This is an example of what people mean when they refer to social media being toxic.
As a matter of fact, I know a lot about the modern web, and have written many acclaimed IT books, have built lots of big and complex software - including Internet-based software - and was a CTO of a successful tech startup. You have made incorrect assumptions about my point. But I am not going to discuss this with someone who behaves the way you do.
Re: (Score:2)
"Here's an idea: just stop using web frameworks that use Javascript."
That was your point, quoted verbatim. In case it's not obvious, you can write books and be a CTO and have Morgan Fairchild as a wife, but you can't make people stop using JavaScript frameworks. It's not remotely possible, and most folks just learn a JavaScript framework and call it web development, that's the modern way.
You're wrong and need to either re-think your assumptions or learn how to communicate.
Re: (Score:2)
No complaints about browser security (Score:2)
Even if it is a silly name, anything to advance browser security is a good thing to have.
What is a concept that seems to be lost in the shuffle is that browsers are operating systems and applications all in one. Any web page viewed needs to be considered untrusted, potentially hostile code, with defense in depth being the best (and only) way to deal with this.
Sometimes I wonder if someone should make an app that runs on a Raspberry Pi or external computer, runs the web browser under that, and just renders
NoScript (Score:2)
Can't this be done with NoScript, but with more user control?
Super Duper secure mode (Score:2)
When I think super Duper Security, I ALWAYS think Microsoft!
Then I laugh, and laugh. Thanks for announcing this today MS, I needed a good laugh.
The problem (Score:3, Informative)
MS has no sense of humor (Score:2)
They should have labeled it Double Secret Probationary Mode.
Re: (Score:2)
They should have labeled it Double Secret Probationary Mode.
Poll: How many people, and what demographic, would think that's about getting "probed"?
[Asking for a friend who hasn't seen Animal House.]
Re: (Score:2)
I came here to see how far I needed to scroll to find a "double secret probation" joke. Not far.
This site looks best... (Score:2)
Alternative (Score:2)
What is next? (Score:1)
Secure Edge (Score:3)
The best (if not only) way to secure Edge is to uninstall it.
45% of Vulnerabilities found in JIT (Score:2, Flamebait)
and the other 55% exist in JavaScript.
So "doing away with the JIT" will fix 45% of the problem.
Eliminating JavaScript completely will fix 100% of the problem.
Why is not JavaScript (and all remote executable code) being eliminated?
Clearly these microsofties are idiots (and it is not their flaccid penises that are the problem -- it is their tiny brains).
Re: (Score:1)
Indeed. But MS "developers" get a lot of their illusion of being superior from ignoring the rest of the world. "Tiny brains" is spot-on.
Re: (Score:2)
Don't blame the browser developers. The person who would suggest to remove JS support from Edge for Super Duper Extra Whopper Security would be laughed out of the room even here on /...
Why is not JavaScript (and all remote executable code) being eliminated?
I believe that the boring answer is that an overwhelming majority of the users want the goodies that it brings, and aren't bothered enough or at all by the downsides.
Meanwhile, it provides advantages to the suppliers (user functionality, multi-platform deployment, tracking, ...) without any major disadvantages, so they have e
Re: Super Duper? (Score:1)
Hahahahahahaha (Score:3, Funny)
Microsoft and good security? That will never happen. They have proven time and again that they cannot do it.
Gee wiz... (Score:2)