Microsoft Edge’s “Super Duper Secure Mode” disables JavaScript for extra security

  • Last updated April 8, 2022
  • written by
    Editor

Developed by Microsoft, Microsoft Edge is a cross-platform web browser. This browser was first released for Windows 10 and Xbox One in 2015, Android and iOS in 2017, Mac in 2019, and Linux in October 2020.

It quickly gained popularity and replaced its predecessor, “Internet Explorer 11,” on Windows 8.1, 2002 R2, Server 2016, and Server 2019. In addition, Microsoft published plans to rebuild the browser on Chromium, using the Blink and V8 engines.

Today, Microsoft announced that it is going to run an experiment in its Edge web browser. The experiment intentionally disables an important performance and optimization feature to allow for more advanced security upgrades, in what the company calls Edge Super Duper Secure Mode.

Jonathan Norman, Microsoft Edge’s Vulnerability Research Lead, announced today that “the idea behind the new Super Duper Secure Mode is to disable support for JIT (Just-In-Time) inside V8, the Edge browser’s JavaScript engine.”

JIT, while unfamiliar to most users, plays a pivotal role in web browsers. It works by taking JavaScript and compiling it to machine code. If the browser needs that code, it gains a vital speed boost; if it doesn’t, the code is discarded.

However, JIT support in V8 is complicated. Norman said that JIT-related security issues amounted to 45% of all V8 vulnerabilities in 2019 alone. In addition, more than half of the “in the wild” Chrome exploits depend on JIT-related bugs.

Norman further adds that recent tests carried out by the Microsoft Edge team have revealed that, despite its crucial role in speeding up browsers, JIT is no longer a fundamental feature for Edge’s performance.

Super Duper Secure Mode disables JIT but at the same time enables two other security features, Control-flow Enforcement Technology (CET) and Arbitrary Code Guard (ACG), which would normally clash with V8’s JIT execution.

Super Duper Secure Mode is currently labeled as an experiment, and there are no plans to ship it to users just yet. However, this feature is already live and available for testing. Users of Edge Canary, Dev, and Beta can go to the following address and enable this feature in their Edge browsers:

edge://flags/#edge-enable-super-duper-secure-mode 


While it is still uncertain whether this technology will be launched as a feature, it is worth a shot, according to Jonathan Norman. Users can also test this technology and leave valuable feedback for the development team at Microsoft Edge Insider.
