The Cloud Consultancy Europe Ltd.
+44 (0) 203 637 6667 [email protected]

Microsoft has shown off a new measure for admins to protect web-browsing users on Chromium-based Edge from zero days, which are previously unknown software flaws.

The latest Edge beta introduces a new browsing mode in Edge “where the security of your browser takes priority”. For admins who fear web-based attacks on desktop systems via the browser, this feature gives them the option to “mitigate unforeseen active zero days”. Enabling this mode can be configured, so that important sites and line-of-business applications “continue to work as expected,” according to Microsoft’s release notes.

The security-focused Edge mode, spotted by Bleeping Computer, brings several Windows exploit mitigation technologies into play, including Hardware-enforced Stack Protection, Arbitrary Code Guard (ACG), and Control Flow Guard (CFG).

Windows 10’s ACG helps thwart web attacks that attempt to load malicious code into memory by ensuring only properly signed code can be mapped into memory.

ACG and CFG were key motivations behind Microsoft’s move last year to introduce Edge Super Duper Secure Mode, which turns off Edge’s Chromium JavaScript just-in-time (JIT) compiler to allow those exploit mitigations, as well as Intel’s Control-flow Enforcement Technology (CET), to work. The JIT compiler is part of the Chromium V8 JavaScript engine’s processing pipeline, but Windows features like ACG were incompatible with JIT compiling.

“This feature is a huge step forward because it lets us mitigate unforeseen active zero days (based on historical trends). When turned on, this feature brings Hardware-enforced Stack Protection, Arbitrary Code Guard (ACG), and Content Flow Guard (CFG) as supporting security mitigations to increase users’ security on the web,” Microsoft explains.

Microsoft quietly enabled Edge Super Duper Secure Mode in the stable release of Edge in November, allowing users to toggle between ‘balanced’ and ‘strict’ modes, depending on how much users trust a given site.

The browser update, version 98.0.1108.23 in the Microsoft Edge beta channel, also adds a custom primary password option. This option adds another layer of privacy and helps prevent unauthorized users from using saved passwords to log on to websites. Custom primary password allows users to use a custom string of their choice as their primary password. After it’s enabled, users will enter this password to authenticate themselves and have their saved passwords auto-filled into web forms.