But it also means that all kinds of harm in the browser are possible. Norman cites data suggesting that 45% of the CVEs issued for the V8 were related to its JIT engine.
Norman argues that these days JIT doesn’t make a huge difference to browser performance. He also points out that the presence of the V8’s JIT precludes the use of alternative attenuations.
Microsoft will therefore try to create what it calls “Super Duper security mode” for Edge, by disabling JIT and possibly adding other security mitigations, namely Controlflow-Enforcement Technology (CET) and Arbitrary Code Guard and Control Flow Guard.
Click to enlarge
“Super Duper Security Mode” is already available. Type
edge://flags/#edge-enable-super-duper-secure-mode in Edge and the browser provides a long list of its security checks so you can see what you will be missing if you decide to join the Microsoft experience.
“This is of course just an experiment; things are subject to change, and we have quite a few technical challenges to overcome,” Norman wrote. “Plus, our tongue-in-cheek name will probably have to change to something more professional when we launch as a feature. For now, we’ll keep having fun with it.”
A more “professional” name (read: less goofy) might be a good thing. Or maybe not.
Despite being built into over a billion machines running Windows 10 – which includes rather pushy nagware encouraging browser use – Edge only has a 3.41% market share according to statcounter Global Stats. A funny name like “Super Duper Safety Mode” might make more of a difference to users than hard-to-appreciate changes in safety plumbing. ®