This article is more than 1 year old

Microsoft tightens Edge security for less visited websites

We're pretty sure that doesn't mean it's safe to click on sketchy popups

Microsoft wants to make it safer for Edge users to browse and visit unfamiliar websites by automatically applying stronger security settings.

The new feature is part of a number of security updates in version 104.0.1293.47 announced this month that are designed to reduce the risk for the five Edge users users as they move around the internet.

Edge is designed to give users a full browsing experience using technologies like JavaScript, according to Microsoft. "On the other hand, that power can translate to more exposure when you visit a malicious site," the vendor wrote as it outlined the feature. "With enhanced security mode, Microsoft Edge helps reduce the risk of an attack by automatically applying more conservative security settings on unfamiliar sites and adapts over time as you continue to browse."

The enhanced security mode reduces memory-related vulnerabilities by disabling just-in-time (JIT) JavaScript compilation and applying more OS protections for the browser, including Hardware-enforced Stack Protection and Arbitrary Code Guard.

"When combined, these changes help provide 'defense in depth' because they make it more difficult than ever before for a malicious site to use an unpatched vulnerability to write to executable memory and attack an end user," the company wrote.

Microsoft a year ago ran an experiment that included disabling JavaScript JIT compilation to open the way for more security protections. Johnathan Norman, principal security engineering manager at Microsoft, wrote in a blog post at the time that "JavaScript engine bugs are a mainstay for attackers for a variety of reasons; they provide powerful exploit primitives, there is a steady stream of bugs, and exploitation of these bugs often follows a straightforward template."

JITs were put into browsers starting 2008 to speed up particular JavaScript tasks by taking loosely typed JavaScript and compiling it to machine code just before it's needed and is useful in making JavaScript perform better. However, such performance and complexity can result in more security bugs and more patches; turning off JIT can help improve security, Norman wrote.

With the enhanced security feature, the Basic security level will be the default when the "Enhance your security on the web" browsing mode – which is optional – is enabled in settings. The Basic setting ensures the user experience on the most popular sites on the web remain intact while adding security mitigations for those sites visited less frequently.

Shifting to the Balanced level will include the new features for such times, while ensuring most of the other sites work as expected. If a user chooses the Strict security level, security features will be added for all sites on the web – those frequently and infrequently visited – and could mean that parts of some sites won't work.

"However, you can still manually add sites to the exception site list and enterprise admin configuration will still apply, if present," Microsoft wrote. "Strict mode isn't appropriate for most end users because it may require some level of configuration for the user to complete their normal tasks."

In addition, enterprise administrators can use Group Policy settings to include "allow" and "deny" lists to enhance the security for their users when visiting certain sites while disabling the mode for others.

Another security feature will enable users to import data from Google Chrome during Edge's First Run Experience – an annoying feature that occurs when users open Edge for the first time and shows a welcome page with information, tips, and recommended actions for improving their experience with the browser – without having Chrome installed.

With the new feature, users can log into their Google account during the First run Experience. The feature can be turned off by disabling First Run Experience with the HideFirstRunExperience policy or by setting AutoImportAtFirstRun to "DisabledAutoImport," Microsoft wrote in its Edge policies pages. ® 

More about


Send us news

Other stories you might like