Microsoft Edge adds Super Duper Secure Mode to disable the JIT engine

Earlier, the Microsoft browser team stated that the JIT engine has many vulnerabilities. For example, among all the security vulnerabilities found in the V8 engine and the WebAssembly engine, the JIT engine-related accounted for up to 45%. If the JIT engine can be disabled, half of the V8 engine vulnerabilities can be solved to improve security.

For this reason, the Microsoft Edge unveils Super Duper Secure Mode. When this security mode is enabled, the JIT engine will be automatically disabled. Of course, it is unrealistic for Microsoft to completely disable the JIT engine in a short period of time. Microsoft’s current approach is for users to choose and then test and gradually collect data for optimization.

In Microsoft Edge v96.0.1054.34, users can go to Setting => Privacy, search, and services option to find the “Enable security mitigations for a more secure browser experience” option. After enabling, the balance mode will be used by default, and only the rarely visited websites will be disabled with the JIT engine to ensure safety while avoiding performance degradation of other websites. If strict mode is enabled, all websites will disable the JIT engine, which may cause some websites to fail to work as expected.

The super safe mode disables the JIT engine to prevent attackers from inducing users to visit and exploit unknown security vulnerabilities in Chromium through phishing websites, etc. At the same time, Microsoft uses Intel Controlflow-Enforcement Technology (CET), which is a hardware-based vulnerability exploit defense technology that can provide a safer browsing experience.

Microsoft said that after enabling the Super Duper Secure Mode, half of the exploited vulnerabilities can be reduced, and the remaining exploits will be more difficult to exploit. In the future, the Super Duper Secure Mode will also include support for arbitrary code protection. This is another security protection mode that can prevent attackers from loading malicious code into memory. This is the current exploit technology for most browser vulnerabilities.

In addition, Microsoft is also working on bringing these features to the Microsoft Edge browser for Android and macOS.