Microsoft Is Confident In Security of Edge Browser

jones_supa writes: It's no secret that Internet Explorer has always been criticized for its poor security, so with the Edge web browser (previously known as Spartan), Microsoft is trying to tackle this problem more effectively and make sure that users consider it at least as good as Chrome and Firefox. In a blog post, Microsoft details the security enhancements available in Edge, pointing out that most of the changes it made to the new browser make it much more secure than Internet Explorer. There is more protection against trickery, app containers are used as the sandbox mechanism, and protection against memory corruption is better. Old, insecure plugin interfaces are not supported at all: VML, VBScript, Toolbars, BHOs, and ActiveX are all nuked from the orbit.

How hard will this break Corp Intranet apps?

[disposable60]

So all those corporate intranet apps that stupidly require IE - how hard will Edge break those?

Re:How hard will this break Corp Intranet apps?

[Shados]

hard enough that IE11 will still be supported for a while in parallel.

Thats the whole point of Edge. So that Microsoft can have a real browser without leaving the big corps legacy shit behind.

Re:How hard will this break Corp Intranet apps?

Which is why you wont use edge, you will use the legacy support version that they are also shipping. They are essentially splitting IE into two browsers, one for locked down, legacy, corporate use, and one for normal users.

Re: How hard will this break Corp Intranet apps?

[Voyager529]

Very. It's why they're including internet explorer as a separate application. Edge isn't intended to run IE specific applications.

Re:How hard will this break Corp Intranet apps?

At least we won't have to retrain all the users! "Yeah, yeah, just click on the 'E' to go the the Internet. What? It looks a little different this year? Oh, that's because Al Gore changed the icon in his latest patch. Don't worry about it."

Re:How hard will this break Corp Intranet apps?

[peragrin]

Why were you stupid enough to write apps that only ever worked in IE to begin with?

Don't blame microsoft for your stupidity. We have enough to blame Microsoft for that is legitimately their fault.

Re:How hard will this break Corp Intranet apps?

[MachineShedFred]

Write against a vendor locked-in API, get vendor locked-in.

Re:How hard will this break Corp Intranet apps?

[drakaan]

If only I had mod points. I write .net web apps all the time, and for businesses, and I test in IE *last* because first and foremost, I want it to work in the future, which means for mostly-standards-compliant browsers. Writing IE-specific code is an extremely bad plan. Not all browsers are running on windows desktops or laptops.

Re: How hard will this break Corp Intranet apps?

Very. It's why they're including internet explorer as a separate application. Edge isn't intended to run IE specific applications.

I'd say it's pretty clear that the only real thing Microsoft is confident in, is that users will actually USE the Edge solution.

That's a cute assumption you've got there. Good luck with that.

Re:How hard will this break Corp Intranet apps?

[thedonger]

Don't worry, a few days after release we will find that all the old crap can be turned on with registry tweak. Microsoft never writes new programs. They are just polishing a turd as usual.

Either way, I have seen so many low-power, corporate users switch to Chrome in the last couple years that I doubt Edge will get the market share typically enjoyed by IE. After all, it was the masses not willing to be early adopters of Firefox, Chrome, or Opera that kept IE in the forefront. Once legacy business apps that require IE (probably 8/9 with a smattering of 7 and 10) disappear or are converted, Edge will just be another browser. And "IE" usage stats won't prop it up because as a browser it will necessarily be a separate usage group from preceding versions.

Re: How hard will this break Corp Intranet apps?

[VTBlue]

Not true. Microsoft has thought this scenario true thoroughly. Corporations can configure Windows to only launch IE whitelisted domains or sites. This way organizations can default to Edge for general usage while whitelisting legacy apps or apps that have legacy headers.

Re: How hard will this break Corp Intranet apps?

So, all I have to do in order to break these systems is to include the legacy compatibility headers? Then users who think they're using Edge will actually use IE 11? Fantastic.

Re:How hard will this break Corp Intranet apps?

[sycodon]

Some of us have to write .net in the environment provided and using the rules provided. In the case of my major defense company employer, that is VS/SQLServer/.NET/IE only.

Re:How hard will this break Corp Intranet apps?

[praxis]

In an earlier post, you blamed Microsoft, with your comment "You stupid Fuckers, Microsoft", for the headache they've caused you with their ecosystem. Your blame is misplaced, though. It is the fault of your authorities, who selected that ecosystem, and yourself, for agreeing to use that ecosystem. It's common knowledge that when you give control over your platform to another company, you accept the risk that the platform no longer suits your needs in the future.

Your options are to accept the change and rewrite your applications with the new Microsoft system, or if you are to rewrite it anyhow, to choose an ecosystem that has a wider support network than one vendor.

Re: How hard will this break Corp Intranet apps?

[LordLimecat]

Im pretty sure you cant control user-side GPOs or IE settings from a HTML header.

Re:How hard will this break Corp Intranet apps?

[lgw]

IE is still my favorite browser - I like it's UI. It's all subjective.

Not sure where you'd get an overall picture of "browsers surfing", but the stats I've seen have IE at just over half (all versions combined), followed by Chrome, with FF just hanging onto a respectable share.

Talk the talk, but doesn't walk the walk...

[QuietLagoon]

Microsoft always talks big about security, but time shows that it is just talk.

.
Remember when Microsoft declared the buffer overflow bugs were eliminated from Windows XP?

Re:Talk the talk, but doesn't walk the walk...

[gstoddart]

The problem is that new code is just that ... new and untested.

So you build something new from scratch and say "wow, we did awesome at teh security". Well, OK, now you release it into the wild and wait for people to abuse it -- that's when you find out how well you've done.

Any new code is going to have the problem, because it hasn't been field tested or through several iterations.

It's all well and good for Microsoft to say "nailed it". That doesn't make it true. So I think it's probably safe to assume that unless Microsoft has done something remarkable, there's probably a bunch of places where they haven't fully locked it down.

Secure?

[afidel]

They support WebGL which is going to be the next attack vector as well as continuing to support flash with sandboxing that the hackers will tear to shreds in short order.

Re:The first edition

[Whiteox]

Any modern browser is good enough IF their UI is usable. What makes I.E. and perhaps Edge last in line is the pathetic amount of add-ons and plug-ins. Last time I looked there was less than 10. The other unmentionable is the UI. The clean look trades off functionality. Why bury common functions? What's the point?

This is project proposal V 1.0.

[140Mandak262Jamuna]

A great news to many is that old unsecure plugin interfaces are not supported at all: VML, VBScript, Toolbars, BHOs, and ActiveX are all nuked from the orbit

This looks like what the dev team presented to the upper management about what it wants to do. It will undergo several iterations. Some powerful customer will demand some interface to be supported or else... Some managers will insist on some form of backward compatibility mode. Some bing! advertisement people would ask for "special" interfaces to their team to let them "leverage" & "synergy" and other buzzword bingo stuff. There will be compromises. Some managers will insist with straight face, "yes, yes, this scripting interface is supported, but we say very clearly in the documentation it is not to be used for fresh code and it is to be used only for backward compatibility reasons, so it is not a security threat".

Finally they will be wondering why security was compromised, and blame it on the open source zealots and prejudice among the uninformed and marketing by competitors and assure themselves "it is not our fault, we did not do anything wrong".

Re:This is project proposal V 1.0.

[afidel]

Some powerful customer will demand some interface to be supported or else

No, they're shipping IE11 with enterprise compatibility mode to support back to IE8 quirks which will be fine for 99+% of their customers for legacy apps. Trust me, most of their customers are going to be happy to have a standards compliant browser as the default, the only trick will be in the mechanism to kick user over when they try to go to a corporate site that needs classic IE within Edge and keeping that mechanism from being abused by the bad guys.

Possibilities

[Ol+Olsoc]

Microsoft is always confident.

But as a long time hater of Redmond products, am I sensing some sort of sea change?

It's just within the realm of possibilities that the Ballmer days of "When I want your opinion, I'll tell you what it is," are over? In more than just name?

I intend to give them a chance here, maybe its the same old Microsoft. Maybe not.

Re:The first edition

[Ark42]

Except it's really effectively Trident 8.0 / IE 12. Only, they forked it and removed all the legacy support from it, then left a copy of Trident 7.0 / IE 11 around in case you need legacy support still. So it's not really the first version of anything, and it's not like it's completely from-scratch code.

Re: BHO?

[jo7hs2]

Browser helper object. http://en.wikipedia.org/wiki/B...

I'm taking bets.

[Rhinobird]

I'm taking bets that the first exploit of the Edge browser will be call "Bleeding Edge"