News

Two Years After IE Switch, Microsoft Talks Edge Browser Progress

• By Kurt Mackie
• September 14, 2017

Microsoft gave a progress report of its Edge browser, including new security and development improvements, at its third-annual Edge Web Summit event in Seattle this week.

It's been about two years since Microsoft decided to ditch its Internet Explorer browser development efforts and focus on Microsoft Edge, noted Charles Morris, a Microsoft Edge team lead, during the kickoff talk. The idea was to create a "modern browser" for the interoperable Web.

Microsoft Edge is currently used on 330 million active devices monthly, a figure that has "more than doubled" since last year, Morris said. While 330 million may sound like a lot, in the overall browser horse-race scheme of things, Microsoft Edge currently has just a 3.7 percent use rate, based on the U.S. government's Digital Analytics Program stats. That program just tracks U.S. government Web site visits, mostly within the United States. According to those stats, the Google Chrome browser tops the list at 44.6 percent of visits, followed by Safari (27.6 percent), Internet Explorer (13.7 percent) and Firefox (6.2 percent).

Progress
The Microsoft Edge team really wants people to try Microsoft Edge, and they've been listening to feedback via the Windows Insider program and the Windows 10 feedback hub. As a consequence, Microsoft Edge will be getting the following new capabilities:

• The ability to edit a Favorites URL, which will be arriving with the Windows 10 "fall creators update."
• The ability to drag and drop URLs from the Address Bar to save them in Favorites.
• The ability to select just the end portion of a URL in the Address Bar (which sometimes jiggles out of reach)

Overall, the team has produced 82 patch updates throughout the Edge browser's two-year lifespan, and has shipped 75 Windows Insider previews during that time. Microsoft has contributed more than 75 new Web standards as well in that period.

The browser's overall HTML5 test score has jumped over 100 points from when Microsoft Edge first shipped and now stands at 476. Its speedometer benchmark is 2.5 times greater, and its HTML5 accessibility score is at 100 percent, according to Morris.

EdgeHTML is the browser's "engine." Browsers currently are using EdgeHTML 15, which was released on April 5, 2017. The next engine, EdgeHTML 16, will be arriving on Oct. 17, 2017, according to Morris.

Microsoft has increased the number of extensions supported by the Edge browser. Currently, 64 extensions are supported, per the Microsoft Store's count. Microsoft intentionally started out with just a small set of 13 extensions because of the security and reliability issues associated with them, Morris said.

Goals for Microsoft Edge
Microsoft's priorities heading into Year 3 for the Edge browser are centering on the fundamentals, such as performance, security, reliability, accessibility and efficiency. Its specific plans for browser features are shown at this "Platform Status" page.

Microsoft is committed to make "progressive Web apps" a "first-class citizen on Windows," according to Morris. He noted that Google has already pioneered progressive Web apps support on the Android operating system platform. Microsoft also wants to improve dev tools for Microsoft Edge as a top priority. It plans to continue its support for Web interoperability and new standards, he added.

Morris announced news during the event that Microsoft is supporting a new tool for Web developers at the beta stage called "sonar." It's a linting tool for the Web, helping developers to find suspect code.

Microsoft is also collaborating with Mozilla to support the MDN Web docs support portal (formerly known as the "Mozilla Developer Network"), as a single resource for Web developers, Morris said. This partnership has already kicked off, and Microsoft's tech writing team has already contributed more than 5,000 edits to MDN web docs, he added.

Microsoft also launched a site to provide Web APIs for developers, which can be accessed at this page. Microsoft additionally provides Linux Bash support on Windows 10 via Windows Subsystem for Linux, Morris noted.

Microsoft supports developers who aren't using Windows. They can test the Microsoft Edge browser using a virtual machine environment, which can be downloaded here. However, the download can be a big one, and so Microsoft also has established a partnership with BrowserStack, which permits Edge browser testing using BrowserStack's virtual machines. On Wednesday, Microsoft announced that testing Microsoft Edge on BrowserStack's virtual machines is free. It doesn't require a download. Details on the free virtual machine access can be found at this page.

BrowserStack's virtual machines support mobile and browser testing, with debug tools. It works with all frameworks and integration tools, with support for more than 1,200 browser and device combinations.

Security Improvements
Microsoft had set out to ship the most secure browser with Microsoft Edge, according to a presentation during the event by Nathan Starr, who is part of the Microsoft Edge security team. However, it's hard to do that because of the code churn associated with the Web, he said. Attackers are well funded, with some getting support from nation states, or they are motivated by financial gains.

Microsoft's response was to create its "Four Guards" strategies to protect Microsoft Edge, namely:

• Code Integrity Guard
• Arbitrary Code Guard
• Control Flow Guard and
• The "Fourth Guard" (a placeholder name for now)

Code Integrity Guard and Arbitrary Code Guard are designed to prevent attacks from disks. Control Flow Guard and the Fourth Guard are designed to prevent attacks from memory.

Starr explained that attackers may try to get the browser to crash in order to load their own code in an "arbitrary native code execution" type of attack. Microsoft's Code Integrity Guard feature protects against such attacks. The Windows memory manager looks to see if the code is properly signed. If so, it's permitted to load. However, if the code is not properly signed, it'll get blocked.

Attackers also attempt to create their own tab space within the browser to load code. Microsoft created Arbitrary Code Guard to address that kind of attack. It will deny the creation of dynamic code but it doesn't that break things like JavaScript or Microsoft's Chakra JavaScript engine, Starr explained. Microsoft worked with AMD and Nvidia so that graphics drivers are aware of the Arbitrary Code Guard security feature, he added.

Attackers also try redirection to their servers using "return-oriented programming" types of attacks. They carry out such attacks by either corrupting a function pointer or corrupting a return address.

To protect against function pointers, Microsoft created Control Flow Guard. It records and stores all indirect function calls that happen in the code. It also informs the operating system where the indirect calls occur, and maps them. If an indirect call is known, the process will continue to run. If it's not known, it'll get halted. The OS shuts down the browser and prevents the jump to the attacker's code, Starr explained.

Starr said it's a more difficult problem to solve when attackers attempt to corrupt the return address. He said that Microsoft has been working with Intel to build a hardware solution that will prevent return addresses from getting corrupted, and that the Microsoft Edge browser will support it when available. Return addresses will get protected via a new "shadow stack" capability, which Starr didn't describe.

Overall, Microsoft sees these security mitigations as being very disruptive to attackers. Starr noted that more and more remote code execution flaws are getting exposed, but the actual exploit rates are going down because of these protections.

Microsoft had a whole lot more to say during the summit event. The roster of talks can be found at this page.