"I want to support MS, I’m a development partner. But I feel like you guys spend way too much time thinking about how to push intrusive ad’s into the OS and trying to get easy ad-based revenue from your browser: Talking very good security talk but not walking a very good security walk."
The commenter also makes a comment about how Chrome the older browser was found to be much more secure than Edge the newer one. And then a bunch of technical stuff from someone responding to it (the respondent is not the person writing the article).
Am I the only one who feels MSFT would simply be better off not writing these articles at all if they don't particularly care for engaging with their audience?
Oh, and you can't leave a comment without signing in with a Microsoft account. :-)
The "proprietary" codec support is open source but disabled by default in a Chromium build unless you pass proprietary_codecs=1. Why? Patents. AFAIK, Google pays for a license from the patent holders to decode the codecs within Chrome, but not an open-ended license for anyone using the source code. This is not their fault and no different from how many Linux distros don't include MP3 decoding by default. (Incidentally, the last MP3 patent is set to expire at the end of this year…)
Edge is closed source. You have no way of verifying the build of Chakra used is the same as the open source version. Well it might be possible to reproduce a build of Chakra to do a binary comparison but i am not aware of anyone doing it.
Your site may be self-selecting for people who don't use Edge somehow. Our session count on a site geared for the average person puts Edge closer to 13%:
Maybe your site is visited from these "enterprise" computers where people are forced to use the default browser. Or you can assume the lack of tech knowledge about people who use IE/Edge by will.
Is the AC Access Scope whitelisting described in the article available to all UWP apps in the Creators Update?
I understand it was added specifically for Edge sandboxing, but it sounds like useful functionality (albeit niche) for other apps that deal with untrusted data routinely.
PS - In terms of technology and standards Edge is a pretty solid browser. I love the Dark theme.
On the subject of the actual content of the article, it was a really interesting read. I would like to hear more about how they profiled or "tuned" the app containers for API access. That might be really useful for other devs.
It's nice that they're investing in this. I just wish Edge didn't suck. I have tried using it as my primary browser and it's just not there. It crashes, trying to move tabs around is a pain, sometimes it just isn't performant.
It opens web pages very fast, there's that. But, alas, everything else just feels sluggish. In my crazy high-end system, it takes a second for the menu to show up after right clicking the address bar.
What I want is IE's rendering speed with Chrome's UI and Firefox's extensibility (the good old system, not the new one).
Yeah, the rendering engine is pretty good (although you can still sometimes hit corner cases where it doesn't work very well). Honestly, I think a lot of the problem isn't Edge, it's the whole Universal Windows Platform. It just feels like it's not fully cooked yet for apps that are as sophisticated as a modern web browser.
When Edge was released, it was quite awful. GUI itself didn't work properly when resizing etc. However the last few releases is has become usable.
One interesting thing is that Edge feels more sluggish compared to other browsers on a fast system, but performs well on a slow system compared to other browsers.
One huge annoyance with Edge is that it's spelling tool follows the OS language, hard to switch between languages. It is also not that good to give suggestions on mispelled words.
I use it on a slow netbook only because Opera has introduced a memory leak in the last few releases.
Unfortunately the browser experience is constantly degrading cross browsers, in lockstep with bloated single page apps.
Microsoft should apply these same restrictions to all UWP apps. Yes, that means banning JIT compilation, as Apple does on iOS. And desktop applications shouldn't be able to inject DLLs into UWP applications and system components.
In theory, they've always banned JIT in UWP apps, at least by default. UWP apps can't use VirtualProtect; they have to use VirtualProtectFromApp, which only allows JIT if you have the "codeGeneration" capability (and always enforces W^X). I don't use Windows so I don't know how it interacts with this new thing. Maybe the protection wasn't enforced at the kernel level?
On any platform, it makes sense to enforce code signing by default as a hardening measure, but some apps like browsers cannot operate without a JIT. So there needs to be some exception process - possibly requiring the use of a separate process for JIT compilation, as Edge now does. You don't want to end up like iOS where Safari is the only browser permitted on the platform.
Modern apps completely banned JIT back in the Windows 8.x days (except for the CLR which was whitelisted), the APIs/capabilities you mentioned were only added in Windows 10.
You can .NET Native on your own machine for testing but the package uploaded to the store contains MSIL. The final .NET Native version is then compiled in the cloud.
One great feature of .NET Native is that the compiler is capable of being hosted in the cloud. When you build your Store package in Visual Studio, two packages are created – one .appxupload and one “test” .appx for sideloading. The .appxupload contains the MSIL binaries as well as an explicit reference to the version of the .NET Native toolchain your app consumes (referenced in the AppxManifest.xml). This package then goes to the Store and is compiled using the exact same version of the .NET Native toolchain. Since the compiler is cloud hosted, it can be iterated to fix bugs without you having to recompile your app locally.
> Microsoft should apply these same restrictions to all UWP apps. Yes, that means banning JIT compilation, as Apple does on iOS.
I really wish they didn't. Banning JIT means banning alternative web browsers (with alternative JavaScript engines,) banning other languages that use a runtime with a JIT, and making it very difficult to write programs that need a JIT for performance, like video game emulators. Banning JIT outright like Apple does makes for a less useful computing platform. What's worse is that if certain operating-system components are allowed to break the rules (like the built-in JavaScript engine,) it locks you in to the vendor's implementation of these components. Imagine if you could only use the CLR and not the JVM on Windows. Mitigating RCEs is important, but it's not that important.
Making it a policy that can be enabled per-app (like Windows 10, according to a sibling comment) is fine though.
Most of them are just built into Windows now and are accessible through both the registry[1] and at runtime[2][3]. The latter requires recompiling with source code changes but the former can be applied to any application.
The EMET mitigations which are no longer supported have either been depreciated because of better ones (control flow guard) or are not terribly effective (EAF/EAF+, use of debug registers).
I didn't see this mentioned in the blog posts but I believe Edge also has win32k filtering[1] to reduce the kernel attack surface as well (added in the AU). This is different from the win32k lockdown that Chrome uses which completely blocks all win32k syscalls but instead allows a whitelist(?) for acceptable syscalls to help reduce the attack surface (I'm not actually sure how it works).
It seems the signature is checked before allowing this mitigation so only Microsoft signed applications can currently use this mitigation[1].
So, the thing we call "win32k lockdown" on Chrome is just a term for the various things we had to do to enable ProcessSystemCallDisablePolicy on our sandboxed renderer processes (the processes that handle Web content). ProcessSystemCallDisablePolicy is a very big hammer, because enabling it prior to process launch means the kernel blocks all GDI and NTUser calls, such that the process can't interact with the UI or graphics subsystems. Chrome can do this because our UI and graphics acceleration layer is split into our unsandboxed browser process and the more weakly sandboxed GPU process.
The difference with Edge and IE is that they run their UI and graphics stack in their content processes, which are an analog to Chrome's renderer processes. However, any UI on Windows requires win32k kernel support, so they can't disable it like Chrome does. Instead, Edge uses its win32k filter to limit the attack surface to only the calls that they need. So, where Chrome's architecture allowed us to make an aggressive cut, Microsoft is instead working to iteratively shut off the same attack surface in Edge.
And yes, the win32k whitelist is currently restricted to EdgeHTML processes by the kernel and signature enforcement. I know this because we currently sandbox our GPU process at about the same level as an IE content process, and we wanted to use the win32k whitelist get the same improvements as Edge. Unfortunately, Microsoft is still working on the capability, and is not ready to expose it to third-parties yet (but has given signs they may be willing to do so in the future).
Source: I lead engineering on Chrome security and am the original architect of Chrome's win32k lockdown.
Edge's only practical purpose is to download Chrome or Firefox, and I hope it stays that way.
MS made it very painful for website developers to support Internet Explorer, and having to support IE crippled the web for years.
Today there is not a single developer that likes Internet Explorer or its successor Edge. You will not see a single human being on planet Earth with an Edge t-shirt, and if you see one, it's probably that person's laundry day.
The e logo only brings memories of your computer freezing or getting millions of stupid popups or a browser window with hundreds of toolbars (when you used someone else's computer), and conversations asking people to try another browser, or having to switch my user-agent string or create a VM with the sole purpose of running an IE only website, or having to stay late at work because some user with IE experienced problems.
Plus, Microsoft is dishonest and used their browser to mine Google Search activity and send it to their servers to improve Bing. And god knows what else.
Microsoft is selfish, plays dirty and does not deserve a seat at the table of people deciding web standards. They can make Chakra 100x faster, make you a sandwich and jump through hoops but nobody trusts them anymore so it doesn't matter.
We all lived a decade under the tyranny of Internet Explorer and we had enough. If there is a product that deserves to go away, it's Microsoft's web browser. The day it does I am going to throw away a party, and I am sure many others will as well. Please give up, use your time on something else.
CIG, ACG, RCE .. I thought DEP and ASLR was supposed to have already cured RCE. Lets face it, when are they going to admit that the Windows memory model running on Intel hardware is defective. Lets see how long this comment stays up before modded into oblivion.
57 comments
[ 4.9 ms ] story [ 102 ms ] thread"I want to support MS, I’m a development partner. But I feel like you guys spend way too much time thinking about how to push intrusive ad’s into the OS and trying to get easy ad-based revenue from your browser: Talking very good security talk but not walking a very good security walk."
The commenter also makes a comment about how Chrome the older browser was found to be much more secure than Edge the newer one. And then a bunch of technical stuff from someone responding to it (the respondent is not the person writing the article).
Am I the only one who feels MSFT would simply be better off not writing these articles at all if they don't particularly care for engaging with their audience?
Oh, and you can't leave a comment without signing in with a Microsoft account. :-)
The best way to secure a browser is just like what chrome and firefox do: open source it.
Chrome adds a lot of proprietary bits including (but not limited to): Audio & Video Codecs, Flash Plugin, Crash Reporting, Metrics, et al.
No thanks.
These are not proprietary, actually.
" Audio & Video Codecs,"
Neither is this, last i looked (but i haven't looked in a while).
You can use Chromium directly if you want to.
Many important projects exist because Chromium and v8 are open source.
The IE/Edge layout engine has always been a source of infamous trickery. It would be good that they finally open source it.
The chakra.dll that comes as part of Windows/Edge includes the additional parts not included with ChakraCore (at least that is how it reads to me).
Chrome - 57.54%
IE - 14.12%
Edge - 12.88%
Firefox - 9.30%
Safari - 4.13%
Other browsers make up the remainder
I understand it was added specifically for Edge sandboxing, but it sounds like useful functionality (albeit niche) for other apps that deal with untrusted data routinely.
PS - In terms of technology and standards Edge is a pretty solid browser. I love the Dark theme.
Essentially the thing they added in the Creators Update and are discussing here.
What I want is IE's rendering speed with Chrome's UI and Firefox's extensibility (the good old system, not the new one).
Try killing explorer.exe and resizing a UWP app; Something that should have nothing to do with app windows is fiddling with app frames.
General nonsense in how the UWP system works is responsible for a lot of lagginess and the generally immature feel of the system.
I would love to love Edge, but it really is crippled by the artifacts of its UWP implementation.
I'll also take Opera's built in vpn, iridium's privacy measures, vivaldi's dev tools, and blisk's mobile preview feature.
One interesting thing is that Edge feels more sluggish compared to other browsers on a fast system, but performs well on a slow system compared to other browsers.
One huge annoyance with Edge is that it's spelling tool follows the OS language, hard to switch between languages. It is also not that good to give suggestions on mispelled words.
I use it on a slow netbook only because Opera has introduced a memory leak in the last few releases.
Unfortunately the browser experience is constantly degrading cross browsers, in lockstep with bloated single page apps.
Same goes for the file menu in Windows Explorer.
https://blogs.windows.com/msedgedev/2017/02/23/mitigating-ar...
Microsoft should apply these same restrictions to all UWP apps. Yes, that means banning JIT compilation, as Apple does on iOS. And desktop applications shouldn't be able to inject DLLs into UWP applications and system components.
On any platform, it makes sense to enforce code signing by default as a hardening measure, but some apps like browsers cannot operate without a JIT. So there needs to be some exception process - possibly requiring the use of a separate process for JIT compilation, as Edge now does. You don't want to end up like iOS where Safari is the only browser permitted on the platform.
When .NET UWP applications are uploaded the store pre-compiles them on the server with .NET Native. The user only downloads and executes native code.
https://blogs.windows.com/buildingapps/2015/08/20/net-native...
One great feature of .NET Native is that the compiler is capable of being hosted in the cloud. When you build your Store package in Visual Studio, two packages are created – one .appxupload and one “test” .appx for sideloading. The .appxupload contains the MSIL binaries as well as an explicit reference to the version of the .NET Native toolchain your app consumes (referenced in the AppxManifest.xml). This package then goes to the Store and is compiled using the exact same version of the .NET Native toolchain. Since the compiler is cloud hosted, it can be iterated to fix bugs without you having to recompile your app locally.
I really wish they didn't. Banning JIT means banning alternative web browsers (with alternative JavaScript engines,) banning other languages that use a runtime with a JIT, and making it very difficult to write programs that need a JIT for performance, like video game emulators. Banning JIT outright like Apple does makes for a less useful computing platform. What's worse is that if certain operating-system components are allowed to break the rules (like the built-in JavaScript engine,) it locks you in to the vendor's implementation of these components. Imagine if you could only use the CLR and not the JVM on Windows. Mitigating RCEs is important, but it's not that important.
Making it a policy that can be enabled per-app (like Windows 10, according to a sibling comment) is fine though.
The EMET mitigations which are no longer supported have either been depreciated because of better ones (control flow guard) or are not terribly effective (EAF/EAF+, use of debug registers).
[1] https://theryuu.github.io/ifeo-mitigationoptions.txt
[2] https://msdn.microsoft.com/en-us/library/windows/desktop/ms6...
[3] https://msdn.microsoft.com/en-us/library/windows/desktop/hh7...
https://www.zerodayinitiative.com/blog/
It seems the signature is checked before allowing this mitigation so only Microsoft signed applications can currently use this mitigation[1].
[1] https://googleprojectzero.blogspot.com/2016/11/breaking-chai... (see Wrap Up section near the end)
The difference with Edge and IE is that they run their UI and graphics stack in their content processes, which are an analog to Chrome's renderer processes. However, any UI on Windows requires win32k kernel support, so they can't disable it like Chrome does. Instead, Edge uses its win32k filter to limit the attack surface to only the calls that they need. So, where Chrome's architecture allowed us to make an aggressive cut, Microsoft is instead working to iteratively shut off the same attack surface in Edge.
And yes, the win32k whitelist is currently restricted to EdgeHTML processes by the kernel and signature enforcement. I know this because we currently sandbox our GPU process at about the same level as an IE content process, and we wanted to use the win32k whitelist get the same improvements as Edge. Unfortunately, Microsoft is still working on the capability, and is not ready to expose it to third-parties yet (but has given signs they may be willing to do so in the future).
Source: I lead engineering on Chrome security and am the original architect of Chrome's win32k lockdown.
MS made it very painful for website developers to support Internet Explorer, and having to support IE crippled the web for years.
Today there is not a single developer that likes Internet Explorer or its successor Edge. You will not see a single human being on planet Earth with an Edge t-shirt, and if you see one, it's probably that person's laundry day.
The e logo only brings memories of your computer freezing or getting millions of stupid popups or a browser window with hundreds of toolbars (when you used someone else's computer), and conversations asking people to try another browser, or having to switch my user-agent string or create a VM with the sole purpose of running an IE only website, or having to stay late at work because some user with IE experienced problems.
Plus, Microsoft is dishonest and used their browser to mine Google Search activity and send it to their servers to improve Bing. And god knows what else.
Microsoft is selfish, plays dirty and does not deserve a seat at the table of people deciding web standards. They can make Chakra 100x faster, make you a sandwich and jump through hoops but nobody trusts them anymore so it doesn't matter.
We all lived a decade under the tyranny of Internet Explorer and we had enough. If there is a product that deserves to go away, it's Microsoft's web browser. The day it does I am going to throw away a party, and I am sure many others will as well. Please give up, use your time on something else.
This blog post looks more like a damage control measure.
[1] http://www.tomshardware.com/news/pwn2own-2017-microsoft-edge...
One UNsuccessful attempt? Does that mean only one attempt on chrome was made?
https://www.zerodayinitiative.com/blog/2017/3/15/the-results...