Thursday, August 26, 2021

Microsoft Edge Testing “Super Duper Secure Mode” To Show It’s Super Serious About Security

Microsoft’s Edge Vulnerability Research team has just released a new feature that’s laser-focused on security, adorably titled “Super Duper Secure Mode”. The experiment aims to make the browser as secure as possible without affecting performance, and will most likely receive a more polished name once it eventually rolls out to the public.

It’s still being tested so you can’t find this feature on the regular version of Edge, rather you’ll have to enable its flag through edge://flags in Canary, Dev, or Beta. Once you enable it, Super Duper Secure Mode will remove Just-In-Time Compilation (JIT) from the V8 processing pipeline. JIT was introduced way back in 2008 to improve the speed on specific Javascript tasks. The challenge here is removing this engine without it slowing down those tasks, thus making the user experience feel more laggy.

According to the VR team, JavaScript engine bugs are a favourite vulnerability of hackers as they “provide powerful exploit primitives, there is a steady stream of bugs, and exploitation of these bugs often follows a straightforward template.” They listed some of the most common Javascript exploits including Fake an object, Get AddrOf Primitive, and Achieve arbitrary write.


Disabling the JIT engine removes roughly half of the V8 bugs that must be fixed, says Microsoft. This would mean less frequent security updates for users, but how is the performance afterwards? Well, the team’s experiments show that whether JIT is enabled or disabled, users rarely notice a difference in their daily browsing.

Hundreds of performance tests confirmed that disabling JIT made no notable difference, with some factors such as power consumption actually improving slightly. Javascript benchmark scores do take a hit but Microsoft says this difference is negligible for those who are just browsing blogs and social media but users playing online games could possibly notice the decrease in performance.

No comments:

Post a Comment

Quest VR Headsets To No Longer Require A Facebook Account For Login

Meta has recently announced that a Facebook account is no longer needed for Quest VR headset logins. Instead, owners are now required to cre...