Microsoft’s Edge Vulnerability Research Team recently published details on a new feature in development called “Super Duper Secure Mode” (SDSM). SDSM is designed to improve security without notable performance losses. To do this, SDSM eliminates JavaScript‘s Just-In-Time (JIT) compilers, which were designed to boost page loading speeds, browser performance, but are notably exploitable by hackers.
How Does It Work?
When enabled, Edge’s SDSM will remove Just-In-Time Compilation (JIT) from the V8 processing pipeline, reducing the attack surface hackers use to hack into Edge users’ devices. According to Common Vulnerabilities and Exposure (CVE) reports accumulated since 2019, “around 45% of vulnerabilities found in the V8 JavaScript and WebAssembly engine were related to the JIT engine, more than half of all ‘in the wild’ Chrome exploits abuse JIT bugs“. According to BleepingComputer, the smaller attack surface gets rid of nearly half of the bugs and in turn, makes remaining bugs more difficult to exploit.
Additionally, many other security features can be enabled with JITs turned off. These include Control Flow Guard (CFG), Control-flow-Enforcement Technology (CET), and Arbitrary Code Guard (ACG). These each add additional security layers to keep users and their data secure.
What To Do?
This new Edge security feature is still in the testing phase, but the Microsoft Edge preview release (including Beta, Dev, and Canary) users can enable this feature by heading to edge://flags/#edge-enable-super-duper-secure-mode and turning on the feature.
The head of the Security Engineering team, Johnathan Norman at Microsoft made a statement on Twitter mentioning the tool is likely to change with many technical challenges to overcome during the process of experimenting with the feature. He also stated the tool won’t be exclusive to Windows devices, they plan to have it available on Macs and Androids in the near future. Norman mentioned they may have to change the name when the feature goes ‘live’, but will continue to have fun with it.
SMB recommendations
It’s a good idea to keep an eye out for this new feature being released along with other web browsers following suit. If you or your company has a patch management solution or automatic updates, you shouldn’t miss the release, however, you will need to enable it. If you’re eager to use this feature, you can head to https://www.microsoftedgeinsider.com/en-us/download/ to install one of the three ‘channels’ to use Edge’s new features that are still being experimented on. Once installed, head to edge://flags/#edge-enable-super-duper-secure-mode when using the channel.
Once enabled, you should test whether enabling this feature breaks any of your critical applications. You can disable this feature when you need to access those critical applications that break when the JIT has been disabled.
Additional SMB Protections from CyberHoot
In addition to enabling this Super Duper Secure Mode feature, CyberHoot recommends the following best practices to protect individuals and businesses against, and limit damages from, online cyber attacks:
- Adopt a password manager for better personal/work password hygiene
- Require two-factor authentication on any SaaS solution or critical accounts
- Require 14+ character Passwords in your Governance Policies
- Train employees to spot and avoid email-based phishing attacks
- Check that employees can spot and avoid phishing emails by testing them
- Adopt a patch management solution
- Backup data using the 3-2-1 method
- Incorporate the Principle of Least Privilege
- Perform a risk assessment every two to three years