Microsoft’s Edge Vulnerability Research Team recently published details on a new feature in development called “Super Duper Secure Mode” (SDSM). SDSM is designed to improve security without notable performance losses. To do this, SDSM eliminates JavaScript‘s Just-In-Time (JIT) compilers, which were designed to boost page loading speeds, browser performance, but are notably exploitable by hackers.
How Does It Work?
When enabled, Edge’s SDSM will remove Just-In-Time Compilation (JIT) from the V8 processing pipeline, reducing the attack surface hackers use to hack into Edge users’ devices. According to Common Vulnerabilities and Exposure (CVE) reports accumulated since 2019, “around 45% of vulnerabilities found in the V8 JavaScript and WebAssembly engine were related to the JIT engine, more than half of all ‘in the wild’ Chrome exploits abuse JIT bugs“. According to BleepingComputer, the smaller attack surface gets rid of nearly half of the bugs and in turn, makes remaining bugs more difficult to exploit.
Additionally, many other security features can be enabled with JITs turned off. These include Control Flow Guard (CFG), Control-flow-Enforcement Technology (CET), and Arbitrary Code Guard (ACG). These each add additional security layers to keep users and their data secure.
This new Edge security feature is still in the testing phase, but the Microsoft Edge preview release (including Beta, Dev, and Canary) users can enable this feature by heading to edge://flags/#edge-enable-super-duper-secure-mode and turning on the feature.
The head of the Security Engineering team, Johnathan Norman at Microsoft made a statement on Twitter mentioning the tool is likely to change with many technical challenges to overcome during the process of experimenting with the feature. He also stated the tool won’t be exclusive to Windows devices, they plan to have it available on Macs and Androids in the near future. Norman mentioned they may have to change the name when the feature goes ‘live’, but will continue to have fun with it.
SMB recommendations
It’s a good idea to keep an eye out for this new feature being released along with other web browsers following suit. If you or your company has a patch management solution or automatic updates, you shouldn’t miss the release, however, you will need to enable it. If you’re eager to use this feature, you can head to https://www.microsoftedgeinsider.com/en-us/download/ to install one of the three ‘channels’ to use Edge’s new features that are still being experimented on. Once installed, head to edge://flags/#edge-enable-super-duper-secure-mode when using the channel.
Once enabled, you should test whether enabling this feature breaks any of your critical applications. You can disable this feature when you need to access those critical applications that break when the JIT has been disabled.
In addition to enabling this Super Duper Secure Mode feature, CyberHoot recommends the following best practices to protect individuals and businesses against, and limit damages from, online cyber attacks:
Sources:
Additional Readings:
Microsoft Edge’s ‘Super Duper Secure Mode’ Does What It Says
Discover and share the latest cybersecurity trends, tips and best practices – alongside new threats to watch out for.
Stop tricking employees. Start training them. Take Control of Your Security Awareness Training with a Platform...
Read moreA recent discovery by cybersecurity firm Oligo Security has unveiled a series of critical vulnerabilities in...
Read moreGet sharper eyes on human risks, with the positive approach that beats traditional phish testing.