Microsoft Is Confident In Security of Edge Browser
jones_supa writes: It's no secret that Internet Explorer has always been criticized for its poor security, so with the Edge web browser (previously known as Spartan), Microsoft is trying to tackle this problem more effectively and make sure that users consider it at least as good as Chrome and Firefox. In a blog post, Microsoft details the security enhancements available in Edge, pointing out that most of the changes it made to the new browser make it much more secure than Internet Explorer. There is more protection against trickery, app containers are used as the sandbox mechanism, and protection against memory corruption is better. Old, insecure plugin interfaces are not supported at all: VML, VBScript, Toolbars, BHOs, and ActiveX are all nuked from the orbit.
So all those corporate intranet apps that stupidly require IE - how hard will Edge break those?
You're looking for quotes? See my journal.
of ANYTHING should be assumed to be insecure.
That's a whole lotta new code that nobody with a less-than-white hat on has had a crack at.
Don't get me wrong - I'm glad they're using more practices that are in line with best security practices for browsers, and are removing some obvious attack vectors by sandboxing off code execution. But you'd be foolish to assume that they've got everything right the first time.
Remember when Microsoft declared the buffer overflow bugs were eliminated from Windows XP?
They support WebGL which is going to be the next attack vector as well as continuing to support Flash with sandboxing that the hackers will tear to shreds in short order.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
A great news to many is that old unsecure plugin interfaces are not supported at all: VML, VBScript, Toolbars, BHOs, and ActiveX are all nuked from the orbit
This looks like what the dev team presented to the upper management about what it wants to do. It will undergo several iterations. Some powerful customer will demand some interface to be supported or else... Some managers will insist on some form of backward compatibility mode. Some bing! advertisement people would ask for "special" interfaces to their team to let them "leverage" & "synergy" and other buzzword bingo stuff. There will be compromises. Some managers will insist with straight face, "yes, yes, this scripting interface is supported, but we say very clearly in the documentation it is not to be used for fresh code and it is to be used only for backward compatibility reasons, so it is not a security threat".
Finally they will be wondering why security was compromised, and blame it on the open source zealots and prejudice among the uninformed and marketing by competitors and assure themselves "it is not our fault, we did not do anything wrong".
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
But as a long time hater of Redmond products, am I sensing some sort of sea change?
It's just within the realm of possibilities that the Ballmer days of "When I want your opinion, I'll tell you what it is," are over? In more than just name?
I intend to give them a chance here, maybe it's the same old Microsoft. Maybe not.
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
So, are they admitting that their interest is not in making a secure browser, but one that the users consider to be secure? With that attitude, failure is not an option, it is a certainty.
Big deal. When was the last time you heard a company say they *didn't* have confidence in the security of their product? It's like parents saying their kids are beautiful, even if said offspring has a face like a stepped-on cowpatty.
Here's the solution that nobody apparently has the balls to implement. Have a blacklist of common malicious adware plugins then block them all. That'd put Perion out of business really quickly. It's soooo obvious and common even a human can compile the list. Here, I'll start. Maps Galaxy. Babylon. Various YouTube auto HD fake plugins. Anything with the word "coupon" on it. Shop at home toolbar. We Care. There, I just eliminated practically half the browser malware in the world with my 60 second blacklist.
Too bad MS (and Mozilla and Google) are too scared to get sued by these asshole malware companies.
Browser helper object. http://en.wikipedia.org/wiki/B...
Barack Hussein Obama
Browser helper object, basically a COM extension of the browser
In context, it's a Browser Helper Object. (Bullshit toolbars, generally.)
If you google it, you're most likely going to find a Republican ranting about Barack Hussein Obama.
Either way, "BHO" is never a good term to read about. You're either going to hate the world for spam or for politics.
So Chrome offers great speed, stability, and separate processes per tab and Firefox has a huge selection of add-ons. But Microsoft has done very little to divulge what Edge has to offer to differentiate itself from the other browsers and become more than just the best browser to download Chrome or Firefox.
In context, it's a Browser Helper Object. (Bullshit toolbars, generally.)
#NotAllToolbars are bullcrap. For a while, Google was making Chrome Frame, a BHO for Internet Explorer. If a copy of IE had Chrome Frame installed, a page could opt in to being rendered with Chrome instead of Trident. This was helpful when most IE users were stuck on IE pre-9.
It was cooler when it was project Spartan
Here's the solution that nobody apparently has the balls to implement. Have a blacklist of common malicious adware plugins then block them all.
I know someone who makes a blacklist of the sites from which these "common malicious adware plugins" are served. He distributes this blacklist as a configuration file that your computer administrator can place in the etc folder. Once the file is installed, your machine will try to access 0.0.0.0 instead of the malware distribution site, which causes the malware to not get downloaded.
Learn more about blacklisting malware sites
I'm taking bets that the first exploit of the Edge browser will be called "Bleeding Edge"
If Mr. Edison had thought smarter he wouldn't sweat as much. --Nikola Tesla
"any person can invent a security system so clever that she or he can't think of how to break it."
Here is the problem... If you only allow a few thousand people to look at your source code, and fully test your product, then you only have to design security clever enough to evade the efforts of a thousand people.
In order for something to be secure, it needs to be widely published, and universally assaulted.
Looky here. Hosts file mods are ok, but when it becomes too unwieldy it slows the crap out of any browser and blocks sites you really want to see. Blocking 3rd party sites sometimes makes the parent page not work.
So far ad block is the only solution and setting that up on IE is a pain and quite flaky so unless Edge has something familiar, I can't and won't use it.
The other recommendation is to get all Flash requests to ask before running. Saves bandwidth and autorun video and other stuff and makes pages load a lot faster.
Don't be apathetic. Procrastinate!
That doesn't really work since these days you get that junk as coinstallers from download.com, filehippo, softpedia, softonic, etc. You might legitimately want to go to those sites. Although the installer itself typically accesses a web server that returns the paid deal of the day type malware options so if they were really clever, that's the address they'd block.
If Microsoft wants me to stop using IE and start using Edge, why does Skype continue to serve ads using IE? This doesn't leave me with much faith in Microsoft's "confidence" about their security.
A great news to many is that old unsecure plugin interfaces are not supported at all: VML, VBScript, Toolbars, BHOs, and ActiveX are all nuked from the orbit.
I take it this also eliminates any existing ad blockers? Is there an alternative plugin mechanism that would allow for new ad blockers?
We know we got security all wrong before, but trust us, we're much better now. We've learned from our mistakes and have closed all possible security holes.
Oh, and we're also going to be standards-compliant so developers can drop all of the old Microsoft-specific CSS and JS coding.
I know many places that only wrote IE code because it was simple to plug in other MS data. I have never agreed with this mentality, but it's not always a question of developers choosing to do so. Upper management forced it to increase profits.
The simple fact is that MS sold itself to the devil attempting to monopolize the market. The whole point of IE has been to make it so easy to access other MS data that nobody could compete, no matter the security implications (anyone else remember active installer?). Thankfully other Browsers didn't give up, and people did eventually get fed up with the pathetic security in IE. Just not before a hell of a lot of damage was done.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
Are those lyrics for a Steely Dan song?
Within 7 days of this browser getting released we will hear of wild exploits circulating for it.
I am Bennett Haselton! I am Bennett Haselton!
Doesn't anyone watch classic movies anymore? And they said that line TWICE.
...but isn't this the equivalent of going over to a bunch of kids on the playground and saying "That new kid over there said he could beat up each and every one of you! With one hand tied behind his back!"
What I'm wondering is: who paid to have this on /.'s front page so that armies of geekdom are mobilized to find all the new, Edgy exploits?
Did rebranding IE12 into "Edge" include the browser identification string? Are there any signs that the app is still essentially a new version of IE?
I doubt they started completely from scratch and with different staff than IE 11...
A new app name doesn't make this any different than 11 was from 10... so is it really more significant? Or is this just merely a rebranding from the trusted MS marketing department?
Democracy Now! - uncensored, anti-establishment news
The browser can only be as secure as the underlying Operating System. Unless you mix browser and OS code so well that a) the OS relies on the browser for 'security' and b) it's impossible to totally remove the browser without breaking OS functionality or as in the case of Windows msOffice won't work without the presence of iExplorer.
Nobody is using it yet!
There's a good Wikipedia page that breaks down the usage shares of web browsers, along with addressing the difficulties and complications of getting accurate data on this. https://en.wikipedia.org/wiki/... is the page. From there you can see that the best IE can get is in some of the stats and only when counting purely desktop browsing. Net Applications has IE at nearly 58%. Yet, almost every other measure finds them woefully behind. For example, visits to Wikipedia in March 2015 have IE at less than 11%. StatCounter has them at less than 20% of desktop browser share from April 2015 to now, with Chrome at nearly 53% and Firefox nipping at IE's heels at 18%.
For my own part, I look after a company website that's oriented towards industrial computer applications, and the industry in question is very Microsoft centric. And yet, looking at the last 30 days, Chrome has 58% of sessions, IE only 25%, Firefox 6% and Safari 5% (all others are
I remember sigs. Oh, a simpler time!
Microsoft isn't new to the software business. Why weren't these features built into IE from day one?