Oh no, you're thinking, yet another cookie pop-up. Well, sorry, it's the law. We measure how many people read us, and ensure you see relevant ads, by storing cookies on your device. If you're cool with that, hit “Accept all Cookies”. For more info and to customize your settings, hit “Customize Settings”.

Review and manage your consent

Here's an overview of our use of cookies, similar technologies and how to manage them. You can also change your choices at any time, by hitting the “Your Consent Options” link on the site's footer.

Manage Cookie Preferences
  • These cookies are strictly necessary so that you can navigate the site as normal and use all features. Without these cookies we cannot provide you with the service that you expect.

  • These cookies are used to make advertising messages more relevant to you. They perform functions like preventing the same ad from continuously reappearing, ensuring that ads are properly displayed for advertisers, and in some cases selecting advertisements that are based on your interests.

  • These cookies collect information in aggregate form to help us understand how our websites are being used. They allow us to count visits and traffic sources so that we can measure and improve the performance of our sites. If people say no to these cookies, we do not know how many people have visited and we cannot monitor performance.

See also our Cookie policy and Privacy policy.

This article is more than 1 year old

More fun in the sandbox: Experts praise security improvements to Edge

Time will tell if Microsoft's browser is less ez2pwn

Security watchers have reacted positively to recently announced improvements to Microsoft's Edge browser, which had earned an unenviable reputation for easy pwnage.

Redmond is reducing its exposure to malicious exploits by improving Edge's sandboxing technology. Further features have been added to existing technologies like ACG (Arbitrary Code Guard) and CIG (Code Integrity Guard) to prevent remote code execution.

ACG1 and CIG2 are designed to make it harder for hackers to load malicious code into memory. Edge omits support for the ActiveX or Browser Helper Objects technologies of Internet Explorer so it is able to run entirely inside app container sandboxes at all times. The improved defences are designed to better guard against so-called drive-by download attacks.

The security revamp focuses on reducing the attack surface of the software. To this end, Microsoft's app containers have been redesigned to reduce the amount of code in the sandbox. Developers have also incorporated less privileged and custom-crafted app containers in order to make life harder for potential hackers.

"We will continue to invest in both RCE and sandbox mitigations for Microsoft Edge," said senior program manager Crispin Cowan. "These exploit mitigations combined with the strengthened sandboxing should make Microsoft Edge significantly more work for attackers to exploit, and thus discourage attackers from trying in the first place."

Microsoft Edge app container model [Source: Microsoft]

The changes are welcome not least because Microsoft Edge was the most-hacked browser at the recent Pwn2Own event. The weak security issues extend into the real world beyond the high-profile hacker event. For example, Google Project Zero has uncovered a number of security flaws with previous iterations of the browser, most recently an unpatched Microsoft Edge and IE vulnerability (CVE-2017-0037) last month.

Despite its previously lacklustre reputation, experts are by no means down on Microsoft's browser technology. Several are positive about Microsoft's security roadmap.

Marco Cova, senior security researcher at malware detection firm Lastline, commented: "Microsoft is definitely on the right track here. Reducing the privileged operations available to untrusted code and containing it in sandboxes so that exploits are harder to pull off successfully are the two best ways we know to build secure systems.

"It sounds like a great engineering feat on their part. Of course, the devil is in the details of how they actually implemented these mechanisms, and I'm sure quite a few people will be testing them extensively in the near future."

Security consultant Kevin Beaumont‏ is also upbeat about Edge. "Microsoft Edge is actually a great browser for corp use and some of the upcoming security features are killer," he said in a Twitter update.

Microsoft Edge features in the Creators Update of Windows 10, a broader operating system update covered in more depth here. ®

1ACG is meant to ensure code cannot be dynamically generated or modified

2CIG is designed so that only properly signed images can load

Similar topics

TIP US OFF

Send us news


Other stories you might like