Microsoft Announces 'Super Duper Secure Mode' for Edge (therecord.media)

Microsoft said this week it plans to run an experiment in its Edge web browser where it will intentionally disable an important performance and optimization feature in order to enable more advanced security upgrades in what the company is calling Edge Super Duper Secure Mode. From a report: Announced today by Johnathan Norman, Microsoft Edge Vulnerability Research Lead, the idea behind the new Super Duper Secure Mode is to disable support for JIT (Just-In-Time) inside V8, the Edge browser's JavaScript engine. JIT, while unknown to most end-users, plays a crucial role in all of today's web browsers. JIT works by taking JavaScript and compiling it to machine code ahead of time. If the browser needs the code, it gains a significant speed boost. If it doesn't, the code is discarded.

However, JIT support in V8 is complex. Norman said JIT-related security issues amounted to 45% of all V8 vulnerabilities in 2019. Furthermore, more than half of the "in the wild" Chrome exploits rely on JIT-related bugs. Norman said that recent tests carried out by the Edge team have shown that despite its pivotal role in speeding up browsers in the early and mid-2010s, JIT is not a crucial feature anymore to Edge's performance.

  • windows server default for IE that is next to useless?

  • I knew collecting them from those cereal boxes would pay off someday.
    • by emil ( 695 )
      No, you do not. You need the Bromite fork of Chromium, which offers you the option to "Disable JIT: Improve security at the expense of performance by not compiling JavaScript to native code (requires browser restart)."
  • It sounds like some executive got a little drunk while watching Captain Planet or something.
  • and will it be in an even more secure "container"? The name instills high hopes in me...
  • if you block javascript/ads/trackers.

    and if you're on windows, you should probably use a "good" AV.

  • Microsoft was one of the companies that almost destroyed the internet for everyone. Make your browser choices wisely.
    • by Tablizer ( 95088 )

      Google, Oracle, and MS are fighting over who gets to break the internet.

      • by Anonymous Coward on Thursday August 05, 2021 @04:56PM (#61661059)

        What do you mean "fighting"? Google won the war to break the internet about 10 years ago when it hijacked web standards away from W3C using WHATWG in combination with its sock puppet, Mozilla, which it pays to do that role to the tune of billions of dollars.

        Google now owns the rendering engine, web standards, the committee and people responsible for web standards, and de facto owns the only real competition, Mozilla, because it's made Mozilla financially dependent on it. That's why even Microsoft had to use Chromium, because Google did what Microsoft couldn't - it took over the web and forced everyone else to accept its way or the highway.

        That's why I don't really understand what the GP is on about, he's complaining that Microsoft failed to take over the web 20 years ago and saying you shouldn't trust their browser, most likely using a browser that's either Google's, or financially dependent on Google and so always stands with Google.

        It's like pointing out the window at your shifty neighbour saying he might break into your house and steal your shit one day whilst an entire mob of actual robbers are working away all around you carrying all your stuff into their getaway vehicle.

      • Google, Oracle, and MS are fighting over who gets to break the internet.

        But it's Cloudflare and Akamai that can actually do it.

  • by guardiangod ( 880192 ) on Thursday August 05, 2021 @02:07PM (#61660267)

    With Sparkplug, Ignition, Turbofan, and Turboprop as V8's interpreters/JIT engines, and having them interact and give type feedback between them for optimization and de-optimization, V8 exchanges speed for an incredible amount of complexity.

  • by cjonslashdot ( 904508 ) on Thursday August 05, 2021 @02:08PM (#61660275)
    Here's an idea: just stop using web frameworks that use Javascript. It is not needed. Web pages were not supposed to be created by programmers - the WHOLE POINT was that they could be created by anyone, using simple markup.
    • by vadim_t ( 324782 )

      Without that, the web is mostly back to static pages of text.

      A lot of functionality moves back into desktop applications, and desktops still don't have the right security model to deal with modern threats.

      https://xkcd.com/1200/

      So in the end, things will get worse because you don't even need to exploit anything anymore. You can do pretty much anything you want, except for installing drivers.

      • by XXongo ( 3986865 ) on Thursday August 05, 2021 @03:02PM (#61660621) Homepage

        Without that, the web is mostly back to static pages of text.

        You say that as if it's a bad thing.

        • by Anonymous Coward

          That would be horrible! You don't remember the horror.

          If you think JavaScript abuse is bad now, you should have seen the monstrosities people came up with to build applications out of the old, mostly static, web. I remember the hell of nested tables that bogged down the network, the server, and the local machine as every action triggered 500k download of barely passable html, all to add some red text with a vague message about an incorrectly completed field which you better remember because it didn't repo

        • by mjwx ( 966435 )

          Without that, the web is mostly back to static pages of text.

          You say that as if it's a bad thing.

          Oh this...

          I long for the days where the marquee tag was the worst code you'd get on a website, barring that a poorly sized pane.

          Now we get intrusive menus, hidden menus, popups, pop unders, pop reach-arounds, sign up for my fucking mailing list, hidden menus, unstoppable animations and videos that have hideous audio... And that is just the content... You've web developers who never code for anything but mobile... so the website uses about 1/4 of my 27" 4K monitor and that isn't even a high end monitor

      • Yes vadim, but it is not either/or. Most websites are fundamentally static. If a site needs to be an app - then use Javascript, because that is what a programming language is for. But if the site is really just content, then don't use Javascript. It is not worth the complexity, insecurity (Javascript is an extremely common attack vector with a large attack surface), slowness, and bloat. And the biggest problem with the Javascript frameworks is that if someone just wants to create static pages with the frame
    • I agree with this idea. JS has become overly complex, with all the frameworks and most websites have an insane amount of unnecessary JS code.
      • by Anonymous Coward

        That's the fault of idiots who use these stupid frameworks instead of just writing things themselves.

        HTML5, JS, and CSS are more than capable of meeting the needs of today's web applications. Frameworks mostly just get in the way.

        You're right. They're bloated, slow, and end users hate the results. But far worse than all that is that they don't actually add any value! Most of them make developing web applications *more* complicated, not less! It's insane to me that anyone would use these things!

        • Absolutely. F'ing hate frameworks. Junior devs go like - "Hey! I can get all this functionality for FREE. Add ALL the frameworks"
    • by gweihir ( 88907 )

      That would be, you know, pragmatic and rational. Hence it has zero chance to get implemented.

      • Nothing is stopping a web application developer from implementing "don't use JavaScript". It is supported by all browsers.

        Although I guess that requirements from stakeholders will include things that make "don't use JS" quite unpragmatic.

    • It's not up to me, you asshat. If people block JavaScript, the obvious answer is to generate content using JavaScript from the same origin as your advertising, so you either get content and adverts, or neither.

      I can't reprogram those websites, and you can't either.

      Web page generation can absolutely be done by anyone, using simple markup, and fed through some sort of generation like wikipedia or some other content management system, with JavaScript as the delivery mechanism.

      It's like you don't know anything

      • Asshat?

        "It's like you don't know anything about the modern web."

        This is an example of what people mean when they refer to social media being toxic.

        As a matter of fact, I know a lot about the modern web, and have written many acclaimed IT books, have built lots of big and complex software - including Internet-based software - and was a CTO of a successful tech startup. You have made incorrect assumptions about my point. But I am not going to discuss this with someone who behaves the way you do.

        • "Here's an idea: just stop using web frameworks that use Javascript."

          That was your point, quoted verbatim. In case it's not obvious, you can write books and be a CTO and have Morgan Fairchild as a wife, but you can't make people stop using JavaScript frameworks. It's not remotely possible, and most folks just learn a JavaScript framework and call it web development, that's the modern way.

          You're wrong and need to either re-think your assumptions or learn how to communicate.

  • Even if it is a silly name, anything to advance browser security is a good thing to have.

    What is a concept that seems to be lost in the shuffle is that browsers are operating systems and applications all in one. Any web page viewed needs to be considered untrusted, potentially hostile code, with defense in depth being the best (and only) way to deal with this.

    Sometimes I wonder if someone should make an app that runs on a Raspberry Pi or external computer, runs the web browser under that, and just renders

  • Can't this be done with NoScript, but with more user control?

  • About bloody time.
    When I think super Duper Security, I ALWAYS think Microsoft!
    Then I laugh, and laugh. Thanks for announcing this today MS, I needed a good laugh.
  • The problem (Score:3, Informative)

    by cygnusvis ( 6168614 ) on Thursday August 05, 2021 @02:29PM (#61660409)
    Websites are bloated.
  • They should have labeled it Double Secret Probationary Mode.

    • They should have labeled it Double Secret Probationary Mode.

      Poll: How many people, and what demographic, would think that's about getting "probed"?

      [Asking for a friend who hasn't seen Animal House.]

    • I came here to see how far I needed to scroll to find a "double secret probation" joke. Not far.

  • This site looks best when rendered in Internet Explorer 4.0...Gawd, I love those days.
  • I don't use Edge so it's pretty secure as-is.
  • "Ludicrous" speed? :-/
  • by Retired ICS ( 6159680 ) on Thursday August 05, 2021 @05:33PM (#61661209)

    The best (if not only) way to secure Edge is to uninstall it.

  • and the other 55% exist in JavaScript.

    So "doing away with the JIT" will fix 45% of the problem.
    Eliminating JavaScript completely will fix 100% of the problem.

    Why is not JavaScript (and all remote executable code) being eliminated?

    Clearly these microsofties are idiots (and it is not their flaccid penises that are the problem -- it is their tiny brains).

    • by gweihir ( 88907 )

      Indeed. But MS "developers" get a lot of their illusion of being superior from ignoring the rest of the world. "Tiny brains" is spot-on.

    • Don't blame the browser developers. The person who would suggest to remove JS support from Edge for Super Duper Extra Whopper Security would be laughed out of the room even here on /...

      Why is not JavaScript (and all remote executable code) being eliminated?

      I believe that the boring answer is that an overwhelming majority of the users want the goodies that it brings, and aren't bothered enough or at all by the downsides.

      Meanwhile, it provides advantages to the suppliers (user functionality, multi-platform deployment, tracking, ...) without any major disadvantages, so they have e

  • by gweihir ( 88907 ) on Thursday August 05, 2021 @08:12PM (#61661853)

    Microsoft and good security? That will never happen. They have proven time and again that they cannot do it.

  • When do they announce the Max 330 Mega Pro-Gear spec?
