
Microsoft Edge Brings Bigger, Badder Security to Windows 10

By Neil J. Rubenking, Principal Writer, Security


Month after month, year after year, on each Patch Tuesday Microsoft had to release fixes for Internet Explorer. Without these patches, the browser was vulnerable to various attacks that could allow malefactors to steal personal information and execute their own nasty code inside IE. Microsoft's developers have a novel solution for that problem—give IE the axe!

Initially called Project Spartan, Microsoft Edge is the new browser for Windows 10. Nothing's perfect, but Microsoft Edge eliminates many IE features that made the previous browser so prone to exploitation. Trend Micro analyst Henry Li summarized these improvements in a blog post, and it's a great read for security wonks. But for those who wouldn't know a CVE exploit from a CVS drugstore, here's a higher-level view.

Memory Care for All

In order to accomplish anything at all on a victim's PC, malware writers must find some way to get their own code running. Viruses, Trojans, and such are relatively simple-minded solutions, easily blocked by use of any powerful antivirus utility. A much more effective (and more difficult) approach is to somehow insert the attack code inside a trusted program, and the browser is a great target.

Over the years, modern Windows features like Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) have eliminated many simple techniques for injecting malicious code into programs. With easy exploits off the table, malefactors had to devise new, trickier attack modes. One in particular, called Use After Free (UAF), has been a thorn in the side of IE for years.

When any program needs to store information for a time, it allocates the necessary amount of memory, then frees it when that memory is no longer needed. In a UAF attack, the malicious code manipulates a memory block that's already been freed. Most of the time such an action would simply crash the program, but in certain situations it can result in executing arbitrary code.

Trend Micro's blog post goes into great detail on exactly how Microsoft Edge blocks UAF attacks, even to the point of illustrating the process with a flow chart. In simple terms, the browser watches about-to-be-freed memory blocks that are still linked elsewhere and simply refrains from freeing those blocks. In general, given the choice of letting malicious code execute or just crashing, Microsoft Edge will terminate the browser as rapidly as possible.
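A toy model of the "don't free it while something still points at it" idea described above, as an added example. It is not Edge's code or anything from the Trend Micro post; the names `register_root`, `guarded_free`, and `sweep`, and the explicit table of pointer locations standing in for "still linked elsewhere," are assumptions made for illustration.

```c
#include <stdlib.h>

#define MAX_ROOTS 16
#define MAX_DEFERRED 16

static void **roots[MAX_ROOTS];      /* locations that may still hold pointers */
static size_t n_roots;
static void *deferred[MAX_DEFERRED]; /* blocks whose free was postponed */
static size_t n_deferred;

/* Register a pointer variable for the scanner (ignored if the toy table is full). */
void register_root(void **slot) { if (n_roots < MAX_ROOTS) roots[n_roots++] = slot; }

/* Does any registered location still point at this block? */
static int still_referenced(const void *block) {
    for (size_t i = 0; i < n_roots; i++)
        if (*roots[i] == block) return 1;
    return 0;
}

/* Returns 1 if the block was really freed, 0 if the free was deferred. */
int guarded_free(void *block) {
    if (!still_referenced(block)) { free(block); return 1; }
    if (n_deferred == MAX_DEFERRED) abort(); /* fail closed: crash rather than risk reuse */
    deferred[n_deferred++] = block;          /* memory stays allocated, so it cannot be reallocated */
    return 0;
}

/* Re-scan deferred blocks and release those nothing points at any more. */
size_t sweep(void) {
    size_t freed = 0, kept = 0;
    for (size_t i = 0; i < n_deferred; i++) {
        if (still_referenced(deferred[i])) deferred[kept++] = deferred[i];
        else { free(deferred[i]); freed++; }
    }
    n_deferred = kept;
    return freed;
}

size_t deferred_count(void) { return n_deferred; }

/* Constructed scenario: a stale pointer outlives the call that frees its block. */
int main(void) {
    void *dangling = malloc(32);
    register_root(&dangling);
    int freed_now = guarded_free(dangling); /* 0: still referenced, so the free is deferred */
    dangling = NULL;                        /* the stale reference goes away */
    size_t released = sweep();              /* 1: now safe to release */
    return (freed_now == 0 && released == 1) ? 0 : 1;
}
```

Because a deferred block is never handed back to the allocator while a reference exists, a stale pointer can only reach the original, unrecycled memory.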

No More Toolbars

For years, Internet Explorer has offered Protected Mode, which isolates the browser's memory space from other processes, making attacks very difficult. However, common add-ins like toolbars and Browser Helper Objects (BHOs) didn't work in Protected Mode, so it was disabled by default.

Microsoft Edge solves this problem with one cut—it eliminates all support for those toolbars, BHOs, and other add-ins that don't work in Protected Mode, which is now the default operating mode. Microsoft has plans to add a Chrome-like extension model, with only pre-approved extensions permitted, but that model isn't ready yet.

Other technologies are also on the chopping block, like VBScript, ActiveX, and Java. Java, in particular, has provided the bad guys with oceans of security holes. We've been saying for years that everyone should just disable Java unless there's a very specific need for it.

Overall, Microsoft's aim has been to eliminate easy points of entry for hackers, even if it means eliminating backward compatibility and legacy features. It's an excellent aim, and I hope it succeeds. Of course, no software is perfect. Trend Micro's Li assures us that the changes will introduce new opportunities for attack, and that he'll document them when they turn up. I'll be watching for that post.
