Microsoft Quietly Added A 'Super Duper Secure Mode' To Its Edge Web Browser


When browsing the web, people can choose between a number of browsers.

Each of these browsers offers similar things, with differences here and there that make each of them unique. After all, being unique is one of the ways a browser can compete in an online world dominated by Google and a handful of other giant tech companies.

And Microsoft's answer in this business is Edge.

The web browser has had its controversies. Put those aside, though, and the browser is extremely capable, thanks to Chromium, the same open-source browser codebase that powers Google Chrome and many others.

To stand out, Microsoft differentiates the browser in many ways, including customizing many of its features.

And this time, Microsoft is trying to again differentiate Edge from the competition.

Edge version 96.0.1054.29 includes a number of new features and improvements. But the changelog is missing something.

And that is the 'Super Duper Secure Mode'.

The news about this mode was first delivered by Microsoft Edge Vulnerability Research Lead Jonathan Norman.

What Super Duper Secure Mode does is simply disable the Just-in-Time compilation (JIT) engine in the V8 processing pipeline.

V8 is an open-source JavaScript engine, developed by the Chromium Project for Google Chrome and the Chromium web browser.

The JIT engine lets Edge convert JavaScript into machine code just before it is executed.

In normal browsing, this results in huge gains in speed and usability.

However, the JIT engine is a frequent source of bugs, and because of that it is not secure.

JavaScript engines are "a remarkably difficult security challenge for browsers," explained Norman, partly because of the use of the JIT engine.

While running the JIT engine can significantly improve the performance of web pages, Edge, by having to run that engine, leaves its users exposed to attack.

In most cases, browsers keep this engine running because developers and end users want to experience speedy websites.

But Edge's team doesn't see it that way.

Instead of dealing with the JIT engine's issues one by one, it is turning the engine off.

[Figure: Chrome's V8 engine. Workflow for V8. Edge's Super Duper Secure Mode disables the JIT engine, which includes the TurboFan compiler and the optimized machine code.]

But turning it off doesn't mean that Edge is turning everything off.

Norman explains Super Duper Secure Mode in more technical detail, saying that the mode has two options: Balanced and Strict.

With the Balanced option, Edge adds security mitigations to websites that users don't visit as often. In this option, Super Duper Secure Mode shouldn't affect the performance of most websites.

Things are different when users switch Super Duper Secure Mode to Strict. With this option, Edge adds the security mitigations on all sites, so some websites may break or even stop working.

This is due to how V8 works: while the JIT engine is running, several impactful mitigation technologies cannot be applied to the rendering process.

"By disabling JIT, we can enable both mitigations and make exploitation of security bugs in any renderer process component more difficult," wrote Norman.

"Balanced learns what sites you use often and trusts those, strict is well.. strict :) Users can now add their own exceptions," said Norman.

Besides disabling the JIT engine, the mode also enables what's called Control-flow Enforcement Technology (CET), a hardware-based exploit mitigation that provides a more secure browsing experience, as well as other security mitigations.

Microsoft hopes Super Duper Secure Mode will be "something that changes the modern exploit landscape and significantly raises the cost of exploitation for attackers".

According to Norman, when the feature was first announced, the team found that roughly 45% of all security vulnerabilities in the V8 JavaScript and WebAssembly engine were related to the JIT engine.

The issue was so severe that about half of all 'in the wild' Chrome exploits abused JIT bugs.

By disabling JIT, the attack surface should be drastically reduced for Edge users, as the browser simply removes almost half of the V8 bugs being exploited by attackers.

The mode is meant to reduce the attack surface that threat actors can exploit when trying to break into Edge users' systems.

"This reduction in attack surface kills half of the bugs we see in exploits and every remaining bug becomes more difficult to exploit. To put it another way, we lower costs for users but increase costs for attackers," Norman explained.

Microsoft released Super Duper Secure Mode in build 96.0.1054.29 as part of its regular four-week update cycle.

Besides the Super Duper Secure Mode, the update also brings lots of other additions and improvements.

They include an update to WebView, new PWA features, and Quick Links for Office apps.

Published: 24/11/2021