Internet Explorer has long been decried as the least security browser out there. With IE being deprecated, and with the new focus on the Edge browser in Windows 10, Microsoft plans to change all of that and make its browser one of the most secure around.
In a new blog post, Microsoft presented three main security problems on the Web and how it can use its new browser to protect users against them: trickery (for giving out sensitive information), hacking and memory corruption.
Defending Against Trickery
One of the most common ways for malicious hackers to steal data is to utilize phishing, or in other ways to dupe users into entering their logins and passwords in a fake website that looks like the one they intended to visit.
There are some ways to mitigate these attacks, such as having websites buy certification that shows the company's name in the address bar. This allows users to trust that the address they are visiting is indeed the one they were looking for. However, hackers can sometimes bypass this as well, according to Microsoft.
Microsoft has recently announced Passport, its passwordless authentication for the Web. It allows the user to log in to a website using either a PIN number (which only works with the chip inside your PC or mobile device) or a fingerprint or face scan (through Microsoft's local authentication protocol, Hello).
Microsoft has had the Smartscreen malware protection Web filter since the introduction of Internet Explorer 8. It has now added it to both the Edge browser and the Windows 10 shell. The Smartscreen filters websites that Microsoft knows to be infected. It's a feature that both Chrome and Firefox have had for sometime as well. It's far from a magic bullet, but it adds a necessary layer of extra protection on the Web.
"Certificate Reputation" is a feature Microsoft announced last year for IE11, and an extension of Smartscreen that verifies server certificates for authenticity. When users surf the Web in a browser that supports "Certificate Reputation" and have enabled the Smartscreen filter, Microsoft is fed with data about the sites' certificates. When a new certificate is issued by a different Certificate Authority for a certain website, Microsoft can automatically flag it.
This seems like a good idea because users don't have to do anything to protect themselves against forged certificates, and it's also quite scalable (unlike Google's Chrome certificate pinning, which only works with a handful of websites). The only problem here is that Microsoft may sometimes block the wrong certificates. The company does notify the site's owner about the flagged certificate, so this issue should be mitigated in large part.
Hopefully, we can also see Microsoft join Google and Mozilla in the Certificate Transparency system, as well. CT would just create a cleaner certificate system by default and may even improve the effectiveness of Microsoft's own Certificate Reputation system, because CT would make finding the "bad guys" much easier. Therefore, it should be a complementary rather than competing technology.
Microsoft is committed to leaving all the Internet Explorer cruft behind and start new with strong support for modern Web standards. This should also increase the security of Edge by default, as it simplifies the code, which means there are fewer places in which security holes can exist.
Microsoft also plans to adopt two modern security standards for the Web: the Content Security Policy (CSP) and HTTP Strict Transport Security (HSTS). The CSP allows web developers to whitelist certain types of content that web browsers can load on a given page, which could help prevent the all-too-common cross-site scripting (XSS) attacks.
Defending Against Browser Hacking
No more toolbars, VB scripts or ActiveX
ActiveX has caused many great pains for the Internet Explorer developers, as it has likely been the most abused IE technology in history. The new Edge browser will do away with all the proprietary technologies that have weak security. Instead, Microsoft will adopt an HTML5/JS model for its browser extensions (which the company plans to launch after Windows 10 is released on the market).
Edge lives in a sandbox
Because the Edge browser is actually a store "app" and not a Win32 "program," as Internet Explorer is, that means Edge benefits from all the security features of Windows store apps, such as app sandboxing and cryptographic signing (ensuring the app you want to download has not been tampered with).
Microsoft will not just protect the whole browser with a sandbox, but every single web page will be opened in its own "app container." This could possibly make Edge's sandboxing even stronger than that of Chrome, as Chrome currently puts its pages or extensions in separate processes that aren't as secure as app containers.
Of course, this is because app containers haven't existed until now on Windows, and Google could now adopt them as well. However, Google would probably have to create a "different" Chrome on Windows 10 than the one on previous versions of Windows. With Microsoft wanting to move everyone to Windows 10 as quickly as possible, Google would have no reason to wait for the adoption of this model. The same goes for Mozilla, which has yet to deploy its own multi-process sandboxing model.
Microsoft will make exploiting sensitive memory to attack the Edge browser much more difficult in Windows 10 by installing only a 64-bit version of Edge on all 64-bit capable machines (which should be all new PCs from the past decade or so). The ASLR (Address Space Layout Randomization) protection is exponentially stronger when the app is 64-bit, because the address space is much larger.
Defending Against Memory Corruption
I've recently written about how Microsoft should implement EMET's security features by default in Windows 10. Memory corruption vulnerabilities that happen due to carelessly written C/C++ code are much too common for the status quo to be acceptable. Many attackers use them to craft zero-day exploits and bypass other Windows protections. EMET goes a long way to protect against that class of vulnerabilities.
Microsoft will not quite add EMET by default to Windows 10, but instead it will do what apparently looks like giving a garbage collector to C++ programs. Garbage collectors are used in some languages (such as Java) to protect against many memory corruption bugs. However, that usually comes with a cost in performance, which is why many developers still prefer writing C++ code.
It will be interesting to see if Microsoft's MemGC garbage collector will have a significant impact on performance. If not, then it could be a big benefit to the security of many Windows apps and programs.
Control Flow Guard
The Control Flow Guard is a Visual Studio technology that makes it more difficult for an attacker to take advantage of memory corruption bugs. The technology has already been available for a year, but all of its safety features will work by default in the Edge browser.
Bug bounty program
Microsoft will be offering a "Windows 10 Technical Preview Browser Bug Bounty" program to entice security researchers to find and report bugs from Windows 10 and the Edge browser before Microsoft ships them to its users.
Microsoft seems to be quite committed to "getting it right" with its browser this time, and not fall behind the competition but actually lead the way in some areas. It's good to see that one of those areas is security.