May 11, 2015 12:00 pm

Microsoft Edge: Building a safer browser

With Microsoft Edge, we want to fundamentally improve security over existing browsers and enable users to confidently experience the web from Windows. We have designed Microsoft Edge to defend users from increasingly sophisticated and prevalent attacks.

This post covers some of the advanced technologies used to protect Microsoft Edge, including industry leading sandboxing, compiler, and memory management techniques developed in close partnership with Windows.

Web Security Threats

While the web is predominantly a safe environment, some sites are designed to steal money and personal information. Thieves by nature don’t care about rules, and will use any means to take advantage of victims, most often using trickery or hacking:

  • Trickery: in real life, a “con man” will use tricks to take advantage of a victim, e.g. “got two 10s for a 5?” On the web, attackers will try to fool victims using things like “phishing” attacks that convince a user to enter their banking password into a web site that looks like their bank, but isn’t.
  • Hacking: in real life, a mugger might assault you and take your money, or a burglar might break into your home and steal your valuables. On the web, attackers present a victim’s browser with malformed content intended to exploit subtle flaws in your browser, or in various extensions your browser uses, such as video decoders. This lets the attacker run their code on the victim’s computer, taking over first their browsing session, and perhaps ultimately the entire computer.

These are threats faced by every browser. Let’s explore how Microsoft Edge addresses these threats and is helping make the web a safer experience.

Defend Users Against Trickery

A web browser can help defend a user against trickery by identifying and blocking known tricks, and by using strong security protocols to ensure that you are talking to the web site you think you are talking to. Here are some of the ways that Microsoft Edge helps achieve this.

Stronger, More Convenient Credentials

One of the most common ways to attack users is phishing: enticing the user into entering their password into a fake version of a web site that they trust. Attempts to uniquely identify legitimate web sites, such as through the original HTTPS lock symbol, and more recently with the EV Cert green bar, have met with only limited success: attackers are just too good at faking a legitimate experience to expect most users to notice the difference.

To really defend against this requires removing the need for users to enter plain-text passwords into web sites. Instead, Windows 10 provides Microsoft Passport technology with asymmetric cryptography to authenticate you to your web sites. Windows 10 will also offer the most convenient way to unlock your device and access your Microsoft Passport, providing a truly seamless experience that is more secure than today’s world of complicated passwords.

Defending Against Malicious Web Sites and Downloads

Microsoft SmartScreen, originally introduced in IE8, is supported in Microsoft Edge and by the Windows 10 Shell. SmartScreen defends users against phishing sites by performing a reputation check on sites the browser visits, blocking sites that are thought to be phishing sites. Similarly, SmartScreen in both the browser and the Windows Shell defends users against socially-engineered downloads, in which users are tricked into installing malicious software.

Defending Against Fake Sites with Certificate Reputation

Users have learned to trust sites that use encrypted web traffic. Unfortunately, that trust can be undermined when malicious sites use improperly obtained or fraudulent certificates to impersonate legitimate sites. Last year we announced Certificate Reputation – recently we have extended this system by allowing web developers to use the Bing Webmaster Tools report directly to alert Microsoft to fraudulent certificates.

Web Standards

As we announced recently, Microsoft Edge hosts a new rendering engine, Microsoft EdgeHTML. This engine is focused on modern web standards, allowing web developers to build and maintain one consistent site that supports all modern browsers. This greatly simplifies the hard work of building first class web sites, allowing more time and energy for web developers to focus on reliability and security rather than the complexities of interoperability.

Microsoft EdgeHTML helps in defending against “con man” attacks using new security features in the W3C and IETF standards:

Defending the Browser Against Hacking

Microsoft Edge does more than facilitate standards compatibility and provide users with defenses against trickery. It also includes a major overhaul of the DOM representation in the browser’s memory, making the browser’s code more resistant to “burglar” attacks that attempt to subvert the browser.

But Microsoft Edge has done more than just re-write the rendering engine. Here we describe the security mitigations baked into the Microsoft Edge browser.

Moving to a more secure extension model

Microsoft introduced ActiveX in 1996, part of a wave of support for web browser extensions, enabling 3rd parties to experiment with various forms of alternate content on the web. However, browser extensions come at a cost of security and reliability: binary extensions bring code and data into the browser’s process, with no protection at all, and so anything that goes wrong or is vulnerable in the extension can also take down or compromise the browser itself. It is rather similar to building a sun porch onto your house without locking the door to the sunporch: it is all too easy for a burglar to break into the sun porch, and from there loot the rest of your house.

So to make browsers safer against attacks, and just more reliable, it is important to create an extension model that is safer, by sharing less state between the browser itself and the extensions. Thus Microsoft Edge provides no support for VML, VB Script, Toolbars, BHOs, or ActiveX. The need for such extensions is significantly reduced by the rich capabilities of HTML5, and using HTML5 results in sites that are interoperable across browsers.

To enable extensibility beyond what is provided by HTML5, we are working on plans for a modern, HTML/JS-based extension model. We look forward to sharing more details on these plans, including guidance on migrating your scenarios from ActiveX controls to modern standards and extensions in the coming months.

Microsoft Edge is an App

The largest change in Microsoft Edge security is that the new browser is a Universal Windows app. This fundamentally changes the process model, so that both the outer manager process, and the assorted content processes, all live within app container sandboxes. This provides the user and the platform with the confidence provided by other Windows store apps.

App Container Sandbox by Default

IE7 on Windows Vista was the first web browser to provide a browsing sandbox, called protected mode, where the part of the browser that renders the web content runs with less privilege than the browser controls (e.g. the back button) and the user do. This provides the user with a level of protection should a malicious web site exploit a bug in the browser or one of its plugins, in that the attacker is now stuck inside the sandbox and does not have full access to all of the user’s resources.

IE7’s protected mode was built on Vista’s mandatory integrity control, which provides a degree of protection, but is limited. IE10 introduced EPM (Enhanced Protected Mode) based on Windows 8’s app container sandbox. EPM provided a much stronger sandbox than protected mode, including for example deny-by-default and no-read-up semantics. EPM was on by default in the immersive browser, but was only an option on the desktop in IE10 and IE11 because some browser extensions are not compatible with EPM.

Microsoft Edge is rebooting our browser extension model, allowing it to run its content processes in app containers, not just as a default, but all the time. Thus every Internet page that Microsoft Edge visits will be rendered inside an app container, the latest and most secure client-side app sandbox in Windows.

64-bit By Default

Microsoft Edge is also 64-bit, not just by default, but at all times when running on a 64-bit processor. 64-bit processes in general, and browser processes in particular, get significant security advantages by making Windows ASLR (Address Space Layout Randomization) stronger.

Attackers want to inject malicious code into your browser process via a coding bug, and then execute their malicious code. ASLR makes that harder by randomizing the memory layout of the process, making it hard for attackers to hit precise memory locations to achieve their ends. In turn, 64-bit processes make ASLR much more effective by making the address space exponentially larger, making it much more difficult for attackers to find the sensitive memory components they need.

Defending Against Memory Corruption

Memory corruption is a class of vulnerability so common that it deserves special attention. It is endemic to applications written in C/C++, because the programming language does not provide type safety or buffer overflow protection. Broadly speaking, memory corruption attacks involve the attacker providing malformed input to a program that the program does not handle properly, resulting first in corruption of the program’s memory state, and subsequently in the attacker gaining control of the program. A broad variety of memory corruption mitigations have been devised since the mid-1990s, and in the 2000s Microsoft has led the way with advances including ASLR, DEP, and SEHOP.


As these mitigations have rolled out, attackers have adapted, inventing new forms of attack. Microsoft in turn has responded with new memory safety defenses that mitigate the most common new forms of attack, including and especially use-after-free vulnerabilities.

MemGC (Memory Garbage Collector) is a memory garbage collection system that seeks to defend the browser from UAF (Use-after-free) vulnerabilities by taking responsibility for freeing memory away from the programmer and instead automating it, only freeing memory when the automation has detected that there are no more references left pointing to a given block of memory.
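
The deferred-free idea described above, as a simplified model added here for illustration. It is not Microsoft's MemGC code; the function names (gc_alloc, gc_free, gc_add_root, gc_collect) and the fixed-size tables are hypothetical, and the "roots" are pointer slots registered by hand rather than discovered by scanning the stack and heap.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified model: "free" only marks a block, and a later sweep releases
 * it once no registered pointer slot still refers to it. */
#define MAX_BLOCKS 16
#define MAX_ROOTS  16

struct block { void *ptr; size_t size; int pending; };
static struct block blocks[MAX_BLOCKS];
static void **roots[MAX_ROOTS];          /* pointer slots the sweep scans */
static size_t n_blocks, n_roots;

void *gc_alloc(size_t size) {
    if (n_blocks == MAX_BLOCKS) return NULL;
    void *p = calloc(1, size);
    if (!p) return NULL;
    blocks[n_blocks++] = (struct block){ p, size, 0 };
    return p;
}

void gc_add_root(void **slot) {
    if (n_roots < MAX_ROOTS) roots[n_roots++] = slot;
}

/* What the programmer calls instead of free(): the memory stays valid, so
 * a stale pointer still refers to this block and not to a reused one. */
void gc_free(void *p) {
    for (size_t i = 0; i < n_blocks; i++)
        if (blocks[i].ptr == p) blocks[i].pending = 1;
}

/* Conservative test: any slot value inside the block counts as a reference,
 * including pointers into its interior. */
static int is_referenced(const struct block *b) {
    uintptr_t lo = (uintptr_t)b->ptr, hi = lo + b->size;
    for (size_t i = 0; i < n_roots; i++) {
        uintptr_t v = (uintptr_t)*roots[i];
        if (v >= lo && v < hi) return 1;
    }
    return 0;
}

/* Sweep: release pending blocks nobody references; returns how many. */
int gc_collect(void) {
    int freed = 0;
    for (size_t i = 0; i < n_blocks; ) {
        if (blocks[i].pending && !is_referenced(&blocks[i])) {
            free(blocks[i].ptr);
            blocks[i] = blocks[--n_blocks];   /* compact the table */
            freed++;
        } else {
            i++;
        }
    }
    return freed;
}

int main(void) {
    void *node = gc_alloc(32);            /* constructed stand-in for a DOM node */
    gc_add_root(&node);
    gc_free(node);                        /* freed while still referenced */
    printf("released with live reference: %d\n", gc_collect());
    node = NULL;                          /* last reference goes away */
    printf("released after reference cleared: %d\n", gc_collect());
    return 0;
}
```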

Control Flow Guard

The end-game in memory-corruption is for the attacker to gain control of the CPU program counter, and jump to a code location of the attacker’s choice. CFG (Control Flow Guard) is a Microsoft Visual Studio technology that compiles checks around code that does indirect jumps based on a pointer, restricting these jumps to only jump to function entry points that have had their address taken. This makes attacker take-over of a program much more difficult by severely constraining where a memory corruption attack can jump to.
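
A conceptual model of the check described above, added here as an example. It is not Microsoft's implementation or compiler output; the target table, register_target, guarded_call and the handler names are hypothetical, and where this model returns an error a real check would stop the process.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Conceptual model only: a table of valid indirect-call targets and a
 * check that runs before every call through a pointer. */
typedef int (*handler_t)(int);

static int on_click(int x) { return x + 1; }
static int on_key(int x)   { return x * 2; }

#define MAX_TARGETS 8
static uintptr_t valid_targets[MAX_TARGETS]; /* address-taken entry points */
static size_t n_targets;

/* Stands in for the table that is built ahead of time. */
static void register_target(handler_t f) {
    uintptr_t a = (uintptr_t)f;
    for (size_t i = 0; i < n_targets; i++)
        if (valid_targets[i] == a) return;   /* already present */
    if (n_targets < MAX_TARGETS) valid_targets[n_targets++] = a;
}

void cfg_setup(void) {
    register_target(on_click);
    register_target(on_key);
}

int is_valid_target(handler_t f) {
    for (size_t i = 0; i < n_targets; i++)
        if (valid_targets[i] == (uintptr_t)f) return 1;
    return 0;
}

/* The guarded indirect call. Returns 0 and stores the result on success,
 * -1 (leaving *out untouched) when the target is not a registered
 * function entry point. */
int guarded_call(handler_t f, int arg, int *out) {
    if (!is_valid_target(f)) return -1;
    *out = f(arg);
    return 0;
}

/* Constructed test value: one byte past a valid entry point, standing in
 * for a stored handler that a memory-corruption bug has overwritten. */
handler_t corrupted_handler(void) {
    return (handler_t)((uintptr_t)on_click + 1);
}

int main(void) {
    int out = 0, rc;
    cfg_setup();
    rc = guarded_call(on_click, 41, &out);
    printf("registered entry point: rc=%d out=%d\n", rc, out);
    rc = guarded_call(corrupted_handler(), 41, &out);
    printf("mid-function address:   rc=%d (call refused)\n", rc);
    return 0;
}
```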

These new memory safety protections have been enabled and shipped out to Windows and IE users over the last year, and are on all the time in Microsoft Edge.

Bug Bounty

Despite all efforts, there will be security vulnerabilities in Microsoft Edge that we do not yet know about. To minimize customer impact, we will be offering a Windows 10 Technical Preview Browser Bug Bounty program, intended to incent security researchers to report browser vulnerabilities to Microsoft during the Technical Preview period rather than after Microsoft Edge ships as a general use product. Security researchers interested in the bounty program should look here for more information.

Security Is A Process, Not A Destination

Microsoft Edge is a brand new browser, with new goals and requirements. This has allowed us to include these security enhancements, both brand new security features, and moving older opt-in features to be always-on. For this reason, we believe Microsoft Edge will be the most secure web browser that Microsoft has ever shipped. As security is a process, not a destination, we will continue to work on browser security improvements. Let us know what you think in the comments below or @MSEdgeDev.

– Crispin Cowan, Senior Program Manager, Microsoft Edge

[Corrected on 5/11 at 5:35 PM to reflect that Protected Mode was introduced in IE7 on Windows Vista, not Windows 7.]

Updated May 11, 2015 5:36 pm

Join the conversation

  1. “IE7 on Windows 7 was the first web browser to provide a browsing sandbox, called protected mode, ”

    IE7 is not available on Windows 7. W7 launched with IE8.

    “IE7’s protected mode was built on Vista’s mandatory integrity control”

    So is it IE7 or IE8 after all with protected mode? This is confusing.

    • You are correct, it was IE7 on Vista that introduced the browser sandbox. We will fix the blog. Thanks for the good catch!

  2. Thanks for that Crispin.

    The article does a good job of explaining your idea of your target market. It’s people who don’t write code to make computers do what they want. No scripts, no browser extensions, no automation of repetitive tasks…

    Sort of the ideal passive consumer.

    So for those of us who want the browser to be an integrated part of their lives. To do what we want. To be easily used to do what we want. Not to be limited by other people’s ideas and how they’re implemented. Well, you seem to be heading in the opposite direction, making life harder and, if you’re really successful, actually making various things impossible.

    Not sure whether I read that right? If I did, good to know, so we don’t waste effort working in a dead end street.

    • @Mike: I’m not sure where you got all of that. There *will* be extensibility. ActiveX and some of those other technologies were fine for the era that they were created in. However, they do not stand up to the security and functionality needs of today’s web. The new extension model should provide a great deal of functionality, much of it in a way that the previous model couldn’t provide.

      What specific functionality are you missing?

  3. The claim:

    > Memory corruption is a class of vulnerability so common that it deserves special attention. It is endemic to applications written in C/C++, because the programming language does not provide type safety or buffer overflow protection.

    …sounds to me like pretty close to pure, unadulterated FUD. Memory corruption is endemic to badly written code. Yes, there’s a lot of badly written C in the world, and a fair amount of badly written C++ as well. For better or worse, there’s also a lot of badly written code in nearly every other language you can name as well–and badly enough written code in nearly every one of them can result in memory corruption.

    It is true that many languages provide tools that make it a lot easier to avoid obvious memory corruption problems that C doesn’t. It’s also true that C++ includes quite a few of those tools as well. That doesn’t (of course) mean anywhere close to all code written in C++ will avoid those problems, and more than all code written in will.

    If your developers honestly believe that switching languages will even come close to automatically guaranteeing against memory corruption vulnerabilities, I’m going to stay as far away from Edge as I can. A false sense of security is one of the most dangerous mindsets possible in development that involves security (and if switching languages gives them any sense of security at all, then yes, it is most assuredly false).

    • On one hand, I disagree with you about the FUD. There really are strictly typed programming languages that assure memory safety; that doesn’t assure total security, e.g. XSS and SQL injection remain completely viable, even in a totally memory-safe program, but you can assure memory safety with a sufficiently strict programming language.

      On the other hand, whether we agree on that doesn’t matter: Microsoft Edge is still written in C/C++, we are not depending on strong type safety. What we did here was add a memory garbage collector, to make use-after-free bugs improbable.

  4. Please add support for arbitrary programming languages. People should be allowed to use whatever programming language they want to program the web, and not be forced to use Javascript.

    • Microsoft Edge, and most other browsers, contain a native JavaScript (really, HTML5) interpreter. Those JS interpreters are highly tuned. Asking all browsers to provide native interpreters for many languages that are tuned to that degree is infeasible.

      However, if all you want to do is code web pages in the language of your choice, there are innumerable projects out there that compile many languages into JavaScript that most any browser can execute. Here’s a list

  5. Apologies if this is not the correct forum:

    I am developing on build 10114.
    In each build prior to this one, I was able to access UI Automation elements without issue.
    Now it seems EdgeHtml.dll might be the Accessibility provider.
    Did this replace UI Automation in Edge?
    Does anyone know of a development framework where I might be able to access the UI Elements?



  6. This is all well and good, and I applaud it (and will be using Edge as my day-to-day browser instead of Chrome). However, as a developer of a fairly complicated Silverlight application that cannot be moved to HTML5 (we need elevated rights to talk to the file system), Microsoft’s deafening silence on how we can move forward. Building-in Silverlight a-la Flash would solve that.

  7. You include flash, but not Silverlight? How can we trust that you keep your word and support the things you tell us to invest in?

  8. Please bring back an option for “Most Recently Used” tab switching with Ctrl-Tab. This, to me, is an essential feature of IE11. With a dozen tabs open, being able to easily flip back and forth between the two most recent tabs lets me concentrate on work rather than having to cycle through a dozen tabs every time (or have to pick up and go the mouse JUST to switch a tab). PLEASE.

  9. I was trying to use the CSP directive “reflected-xss” with MS Edge, but the browser did not honor the directive. I was curious to know whether the support is integrated yet or not? I am using Build 10130. My current use case is – I have a text field (where I am giving the XSS payload) in an HTML page which submits a GET request with the text as the parameter and from the server I just echo back the value to the client. The PHP page on the server has the CSP header with the reflected-xss directive set to block.

  10. Reads pretty impressive. There are, however, some adoption gotchas in Edge. The UI still needs some polish/functionality, like no Save-As in Downloads, no right-click Save-Link-As for certain content like MP4s, the tab close button is not a proper hover region (harder to hit) than the “+”, no switching between search engines in the address bar on a per case basis, … Already reported that on Windows Feedback. And for me as an Admin not having something like right-click properties showing me the exact TLS or whatever protocol in use is cumbersome.
    In my view Edge is still a bit too reductionist. Usability issues will probably hinder widespread adoption.

  11. If Scare ware can still block users from closing the tab then there is no sense in using it. There are too many people at home who do not know how to force close the browser. I have seen several people that were tricked into the so-called tech support scams because they could not get the page or Explore windows to close.
    This only works because the close function can be overridden by the webpage. This needs to be blocked with a built-in pop-up if you really want to close the page! The RED X for the explorer also needs to override all pages and exit the browser after asking if you want to close all tabs.

    This is a very important issue for Home users!

  12. Another thing that is missing is blocking Top level Domains. There are a lot of TLDs that are well known for scam and scare ware. These are domains in off the wall countries like Zambia and other countries like that. There are also a lot of new Domains that are rogue and place scam and scare ware on their domain because they get paid when people fall for it.

    So please put in support for blocking TLD’S

  13. You would think that if security and safety online was the key features then you would be able to pick where and more importantly whether you want to download something, instead it just straight downloads stuff how it likes!

  14. I and many others have quickly discovered the Pop Up scam vulnerability in W10 Edge. I was testing a laptop for use by grandson and found a search on free games instantly took me to a Pop Up site where a continuous loop prevents Edge being closed. Closing Edge with Task manager doesn’t clear the site from the browsers’s memory nor does closing down the PC. Disconnecting from the internet also does nothing in terms of ridding Edge of the annoying pop up. I hope Microsoft quickly publishes the fix.