November 17, 2015 10:00 am

Protecting Microsoft Edge against binary injection

Graphic of a padlock and PC

In May, we announced that Microsoft Edge was saying goodbye to binary extensibility models such as ActiveX and Browser Helper Objects. This change made browsing in Windows faster, more secure, and more stable than ever, while paving the way for better interoperability with other browsers and modern extension models. Those improvements are at risk, however, if uninvited extensions in the form of DLLs (Dynamic-Link Library) are injected into the browser. The latest Windows 10 updates strengthen Microsoft Edge with industry-leading enforcement against loading unauthorized DLLs into Microsoft Edge content processes.

What is the problem?

Web browsers are an attractive target, because in-browser advertisements can be a significant source of revenue. If someone can replace or even add to the advertisements the user sees, they can redirect that cash flow. Because some programs seek to change user settings without the user’s consent, Microsoft Edge is hardened to protect user settings (including protecting search results and other web content from third party injection). Developers who are determined to tamper with the user’s settings may resort to injecting DLLs into the Edge process, bypassing the built-in interfaces for settings controls.

This is a common reason why some users end up with toolbars installed or third party content injected on pages without their intent or consent. These uninvited additions can degrade the performance, stability, and security of the browser, and hence become a problem for the user. An attack on a web browser begins with a memory corruption of some kind that allows the attacker to take control of the browser. Once they have a toehold, they pull in more and more of their attack software, and set about changing what the user’s PC does—from being for their benefit to being malicious. However, that initial hole is often very small, so it is common for an attacker to download a DLL of their code and just load it into the victim process. The attacker is trying to colonize the browser, and loading DLLs provides the attacker with a handy cargo pallet full of supplies. Blocking unauthorized DLL injection makes browser exploits more difficult and more expensive for attackers to carry out.

Blocking unwelcome code injection with Module Code Integrity

Starting with EdgeHTML 13, Microsoft Edge defends the user’s browsing experience by blocking injection of DLLs into the browser unless they are Windows components or signed device drivers. DLLs that are either Microsoft-signed, or WHQL-signed, will be allowed to load, and all others will be blocked. “Microsoft-signed” allows for Edge components, Windows components, and other Microsoft-supplied features to be loaded. WHQL (Windows Hardware Quality Lab) signed DLLs are device drivers for things like the webcam, some of which need to run in-process in Edge to work. For ordinary use, users should not notice any difference in Microsoft Edge.

Code integrity enforcement can be done in the process, or in the kernel. Enforcement in the process is only useful if the threat model is that the process is not yet compromised, because if it has been compromised, then the hacked process can just disable the code integrity check for itself. Microsoft Edge uses enforcement in the kernel, which is robust against a compromised process, so that even a pernicious ad injector cannot turn off the code integrity check. With the browser process model and the Windows kernel helping each other in this way, Microsoft Edge becomes the first and only PC browser with library content integrity protection.

While requiring DLLs to be signed is not a silver bullet—there’s no such thing in browser security—it adds substantially to the sophistication and expense required to attempt to target Microsoft Edge users. We continue to investigate further ways to thwart code injection into Microsoft Edge.

User Benefits

This change arrives as part of EdgeHTML 13, which is included with the latest automatic updates to Windows 10. Like many other Microsoft Edge security enhancements, this DLL code signing mitigation will make it less likely for the browser to be hacked. It also reinforces Microsoft Edge against unwelcome binary “extensions” that slow down and or destabilize the browser. This unwanted software is often unstable and can crash the browser session, in addition to potentially polluting web pages with unwanted content or malicious search results.

We introduced this change to the Windows Insider Program with build 10547, and we have already seen tremendous results. From a sample of about 65,000 Windows Insider users of 10547, module code integrity protected 2704 users from attempts to load adware and malware. Additionally, by preventing software vendors from taking dependencies on the internal binary bits of the browser, we preserve the agility of Microsoft Edge to rapidly innovate, and deliver our users the most modern web browsing experience possible.

We are committed to continuing to reinforce Microsoft Edge against malicious and unwanted content, and are hard at work delivering an extension model that will serve these principles. We look forward to sharing more on that front soon—in the meantime, let us know what you think in the comments below or @MSEdgeDev on Twitter.

Crispin Cowan, Senior Program Manager, Microsoft Edge

Updated November 25, 2015 10:25 am

Join the conversation

  1. Ouch. This is a pure consumer play. There are those who want to extend their browsers and make them do what they actually want. For them you’re throwing the baby out with the bathwater.
    What approaches are you providing for people who want to control their own world and not be controlled?
    In the name of human decency and even-handedness I suggest you publish details of what you’re doing for these people.

    • Mike, you do not seem to know what you are talking about. They have already announced that Edge will support an extension model similar to Chrome and Firefox. The only thing that is going away is the use of binaries extensions like Active X and BHOs. Relax.

  2. too bad anyone who knows anything doesn’t use it. Fire Fox works for me and I still have Ad-block and other nice addons. You can never completely protecting the idiots.

  3. I’m a little concerned with this “From a sample of about 65,000 Windows Insider users of 10547, module code integrity protected 2704 users from attempts to load adware and malware”

    So does this mean those 2704 users would’ve been infected with adware/malware if they weren’t running build 10547? That’s 1 in every 24 users. Kind of scary if you think about the number of people still on build 10240.

  4. Very nice, as it is I use Kaspersky internet security, Malwarebytes Anti-Malware and Malwarebytes Anti-Exploit. It is sad that I have to use all that just to keep my system a little safer and even with all that I am venerable from 0day malicious content. With Edge browsing seems much safer. I don’t think we need a browser with all the extra bells and whistles. I say go old school we just need a simple, safe, fast, reliable browser. As it is I don’t even like flash player of which I have turned it off because it’s turned into just another venue for Ads. I know your going to allow extensions at a later point but I feel if people want all the bells and whistles & add-ons they can still use IE. Remember the old saying “Keep It Simple Stupid”.

  5. Well, it’s nice… but this is a real nightmare for test automation tools and QA engineers. This “improvement” just kills a possibility to run automated GUI tests with Edge.