Microsoft Launches JIT-Free 'Super Duper Secure Mode' Edge Browser Experiment | SecurityWeek.Com

Submitted by Style Pass, 2021-08-06 02:00:04

Security engineers at Microsoft plan to rip out a key performance feature from the Edge browser in an experiment to better measure the tradeoffs between security, optimization and performance.

The plan is to create a provocatively named “Super Duper Secure Mode” in Edge that deliberately disables support for the browser’s JavaScript JIT (Just-in-Time) compiler while adding a major anti-exploitation roadblock from Intel Corp.

The new SDSM test -- available in Edge preview builds for select users -- essentially rips out JIT, a feature that makes browsers run faster. Data shows, however, that JIT components introduce attack surface that has already been exploited in malware campaigns.

According to Microsoft’s Johnathan Norman, browser makers have traditionally been willing to absorb the security cost to ship “fast” browsers, but disabling JIT in Edge brings a significant attack surface reduction that could significantly improve user security.

"[Removing JIT] would remove roughly half of the V8 bugs that must be fixed. For users, this means less frequent security updates and fewer emergency patches required. These updates and patches are common points of frustration for our customers, particularly those in large enterprise environments who must test updates before rolling them out," Norman said in a note explaining the experiment.
