At the Pwn2Own event that took place this year, it was revealed that Microsoft’s Edge browser severely lacks security integrity. Microsoft Edge was found to be the most exploited and most hacked web browser. The browser was hacked a minimum of five times. The allegations were not false and hence the Redmond based tech giant seriously decided to resolve the issue as soon as possible. The company has taken a pledge to enhance the security of its browser’s sandbox.
The hacking incidents are true. Microsoft has admitted that the browser has been hacked many times despite strong security. They tried their best to protect the system but sometimes hackers sometimes hackers manage to run native CPU code on the host PC using Remote Code Execution (RCE). The Redmond based tech giant is ameliorating the Edge sandbox with the Windows 10 Creators Update, which is reportedly coming next month.
Microsoft has listed in a blog post about the new improvements being implemented in the sandbox of Microsoft Edge:
1. 100% reduction access to MUTEXes: allow a process to lock up a resource, causing hangs.
2. 90% reduction in access to WinRT and DCOM APIs: this is the large win here, dramatically reducing Microsoft 3. Edge’s attack surface against the WinRT API set.
3. 70% reduction access to events and symlinks: symlinks are especially interesting, because they are often used in creative bait & switch attacks to escape sandboxes.
4. 40% reduction in access to devices: Windows supports many device drivers, and their quality is somewhat beyond Microsoft’s control. The tuned sandbox cuts off access to any device that Microsoft Edge does not explicitly need, preventing attackers from using vulnerabilities in device drivers to escape, or from abusing the devices.
Microsoft added, “One of the most effective ways to eliminate vulnerabilities in complex applications is to minimize the amount of code that an attacker can try to find vulnerabilities in. This is often referred to as attack surface reduction and it is a key tactic in our overall strategy security. To this end, Microsoft Edge in the Creators Update of Windows 10 has significantly reduced the attack surface of the sandbox by configuring the app container to further reduce its privilege.”
The company also added that they have gone beyond their capability to ensure protection to its users. But web browsers are extremely vulnerable software and the threat tends to change from time to time.