Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security Microsoft

Microsoft Is Confident In Security of Edge Browser 133

jones_supa writes: It's no secret that Internet Explorer has always been criticized for its poor security, so with the Edge web browser (previously known as Spartan), Microsoft is trying to tackle this problem more effectively and make sure that users consider it at least as good as Chrome and Firefox. In a blog post, Microsoft details the security enhancements available in Edge, pointing out that most of the changes it made to the new browser make it much more secure than Internet Explorer. There is more protection against trickery, app containers are used as the sandbox mechanism, and protection against memory corruption is better. Old, insecure plugin interfaces are not supported at all: VML, VBScript, Toolbars, BHOs, and ActiveX are all nuked from the orbit.
This discussion has been archived. No new comments can be posted.

Microsoft Is Confident In Security of Edge Browser

Comments Filter:
  • by disposable60 ( 735022 ) on Tuesday May 12, 2015 @08:44AM (#49672685) Journal

    So all those corporate intranet apps that stupidly require IE - how hard will Edge break those?

    • by Shados ( 741919 ) on Tuesday May 12, 2015 @08:53AM (#49672755)

      hard enough that IE11 will still be supported for a while in parallel.

      Thats the whole point of Edge. So that Microsoft can have a real browser without leaving the big corps legacy shit behind.

    • Re: (Score:2, Informative)

      by Anonymous Coward

      Which is why you wont use edge, you will use the legacy support version that they are also shipping. They are essentially splitting IE into two browsers, one for locked down, legacy, corporate use, and one for normal users.

    • Very. It's why they're including internet explorer as a separate application. Edge isn't intended to run IE specific applications.

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        Very. It's why they're including internet explorer as a separate application. Edge isn't intended to run IE specific applications.

        I'd say it's pretty clear that the only real thing Microsoft is confident in, is that users will actually USE the Edge solution.

        That's a cute assumption you've got there. Good luck with that.

    • Re: (Score:3, Funny)

      by Anonymous Coward

      At least we won't have to retrain all the users! "Yeah, yeah, just click on the 'E' to go the the Internet. What? It looks a little different this year? Oh, that's because Al Gore changed the icon in his latest patch. Don't worry about it."

    • Re: (Score:1, Troll)

      by sycodon ( 149926 )

      I really look forward to rewriting the 30-40 corporate .NET apps (That only ever worked in IE).

      Yeah...IIIIII Love it!

      You stupid Fuckers, Microsoft.

      • by peragrin ( 659227 ) on Tuesday May 12, 2015 @09:17AM (#49672973)

        Why were you stupid enough to write apps that only ever worked in IE to begin with?

        Don't blame microsoft for your stupidity. We have enough to blame Microsoft for that is legitimately their fault.

        • by drakaan ( 688386 ) on Tuesday May 12, 2015 @09:26AM (#49673031) Homepage Journal
          If only I had mod points. I write .net web apps all the time, and for businesses, and I test in IE *last* because first and foremost, I want it to work in the future, which means for mostly-standards-compliant browsers. Writing IE-specific code is an extremely bad plan. Not all browsers are running on windows desktops or laptops.
          • Re: (Score:2, Informative)

            I would even suggest that IE is just a minority of browsers surfing the net these days. Every time I use IE, I wonder how anyone considers it useful. Just yesterday, I saw a very interesting rendering bug in IE (I have to use it for testing) on a website. Apart from being slow and clumsy, it is still that buggy.

            • by lgw ( 121541 )

              IE is still my favorite browser - I like it's UI. It's all subjective.

              Not sure where you'd get an overall picture of "browsers surfing", but the stats I've seen have IE at just over half (all versions combined), followed by Chrome, with FF just hanging onto a respectable share.

              • There's a good Wikipedia page that breaks down the usage shares of web browsers, along with addressing the difficulties and complications of getting accurate data on this. https://en.wikipedia.org/wiki/... [wikipedia.org] is the page. From there you can see that the best IE can get is in some of the stats and only when counting purely desktop browsing. Net Applications has IE at nearly 58%. Yet, almost every other measure finds them woefully behind. For example, visits to Wikipedia in March 2015 have IE at less than 11%. S

          • by sycodon ( 149926 ) on Tuesday May 12, 2015 @10:16AM (#49673395)

            Some of us have to write .net in the environment provided and using the rules provided. In the case of my major defense company employer, that is VS/SQLServer/.NET/IE only.

            • If you really know HTML/Javascript for your client side code, it will work in other browsers anyway. It's only bad coding that works in IE only. If you used ActiveX client side, that's a security problem that I would think a major defense company would have already eliminated.

          • I know many places that only wrote IE code because it was simple to plug in other MS data. I have never agreed with this mentality, but it's not always a question of developers choosing to do so. Upper management forced it to increase profits.

            The simple fact is that MS sold itself to the devil attempting to monopolize the market. The whole point of IE has been to make it so easy to access other MS data that nobody could compete, no matter the security implications (anyone else remember active installer?)

      • by MachineShedFred ( 621896 ) on Tuesday May 12, 2015 @09:26AM (#49673029) Journal

        Write against a vendor locked-in API, get vendor locked-in.

      • Re: (Score:2, Flamebait)

        by mwvdlee ( 775178 )

        Serves you right for deliberately making incompatible apps.
        The world has known about the evil of IE-only apps well before .NET existed.

        • by sycodon ( 149926 )

          I have passed on your comments to my several levels of managers and the several teams of software architects/DBA/Quality people in my 100 billion plus market cap company.

          • I have passed on your comments to my several levels of managers and the several teams of software architects/DBA/Quality people in my 100 billion plus market cap company.

            The appeal to authority and the appeal to popularity in the same comment! You could have been more fallacious, but you would have had to work at it.

            • by sycodon ( 149926 )

              It's is an acknowledgement of the authority that pays me and provides the tools and environment I have to code in.

              Some of us actually have jobs, managers, etc.

              • by praxis ( 19962 )

                In an earlier post, you blamed Microsoft, with your comment "You stupid Fuckers, Microsoft", for the headache they've caused you with their ecosystem. Your blame is misplaced, though. It is the fault of your authorities, who selected that ecosystem, and yourself, for agreeing to use that ecosystem. It's common knowledge that when you give control over your platform to another company, you accept the risk that the platform no longer suits your needs in the future.

                Your options are to accept the change and rew

                • by sycodon ( 149926 )

                  You are right. I should have told my managers they are idiots and that the last 10 years of efforts by hundreds of employees is shit and should be abandoned.

                  What world do you live in?

                  • by praxis ( 19962 )

                    One where you express your concerns tactfully, then when your superiors make a decision you either accept it and adapt or don't accept it and find new superiors. In both cases, you take responsibility for the choice *you* made.

                    Either you agreed with them it was the right thing you do, in which case you don't blame Microsoft for changing their platform that you signed up to use, or you disagree with them and find a job that does things differently.

                    I'm not saying you made the wrong choice here. I'm saying tha

      • by Anonymous Coward

        What in the actual hell is wrong with your dev team that they so incompetently bypassed all of the browsercaps stuff built into ASP.NET? I've been a .NET developer for close to 10 years, and I've never had to even think about which browser needed to access any web applications I've made. They've all worked OOTB with every major browser. (The only exception I can remember was that the very early versions of the AJAX extensions had some issues with Safari. But that was, at the time, an optional external libra

      • Wait, you wrote stuff for .NET and you can't port it to other platforms?

        Have you ever heard of design paradigms?

        • It's server-side code anyway. The client side should only ever be receiving HTML/Javascript. And if your HTML/Javascript is so bad that it only worked in one browser (worst of all IE-only), there's no hope for you.

        • Re: (Score:2, Informative)

          by sycodon ( 149926 )

          Have you ever heard of a company that has specified tools, legacy tools, requirements that are given to you and that you must adhere to? I have, I work for one. They have tons of code and intranet sites written specifically for how IE works.

          • Sounds like management backed the wrong horse.
            • Sounds like management backed the wrong donkey.

              Fixed your post.

            • by sycodon ( 149926 )

              I'm beginning to think not many of you have worked in a very large defense company where code is audited and certified.

              Tools, code snippets, etc are written, tested, undergo a security audit and then certified for use. If MS changes the way something works, Single Sign on for instance, then that code has to be retested and re-certified. There are no Cowboys here and every last change is backed with paperwork and multiple signatures.

              We have an infrastructure built up over years that is tightly integrated wi

          • There is nothing in .NET that requires you to write bad code that only works in IE. NONE AT ALL.

    • About as hard as a 14 year old getting bored, then getting curious.
  • by Anonymous Coward

    of ANYTHING should be assumed to be insecure.

    That's a whole lotta new code that nobody with a less-than-white hat on has had a crack at.

    Don't get me wrong - I'm glad they're using more practices that are in line with best security practices for browsers, and are removing some obvious attack vectors by sandboxing off code execution. But you'd be foolish to assume that they've got everything right the first time.

    • by Whiteox ( 919863 )

      Any modern browser is good enough IF their UI is usable. What makes I.E. and perhaps Edge last in line is the pathetic amount of add-ons and plug-ins. Last time I looked there was less than 10. The other unmentionable is the UI. The clean look trades off functionality. Why bury common functions? What's the point?

    • by Ark42 ( 522144 ) <slashdot@morpheu s s o f t w a r e . net> on Tuesday May 12, 2015 @09:09AM (#49672893) Homepage

      Except it's really effectively Trident 8.0 / IE 12. Only, they forked it and removed all the legacy support from it, then left a copy of Trident 7.0 / IE 11 around in case you need legacy support still. So it's not really the first version of anything, and it's not like it's completely from-scratch code.

      • So you're saying that they ripped out all the legacy shit that old IE-only apps (and malware) relied upon, and now they're blowing the trumpets about how secure they are?

        I guess I'd be impressed if they got to a reasonable level of security without breaking every legacy app that they convinced people to write against their leaky web APIs.

        • by Ark42 ( 522144 )

          If you write to HTML5/CSS3 standards, any web app written in the last few years can easily target IE9+ and work on Firefox/Chrome/Edge with no issues. It's only people who rely on huge bloated frameworks to provide backwards compatibility with IE6 that have issues with their stuff suddenly not working on IE10 or IE11.

          Basically, right now, everybody needs to drop IE8 support, and you can pretty much stop using jQuery and modernizer and all that other cruft. If you drop IE9 support (which is really only Vista

  • by QuietLagoon ( 813062 ) on Tuesday May 12, 2015 @08:51AM (#49672731)
    Microsoft always talks big about security, but time shows that it is just talk.

    .
    Remember when Microsoft declared the buffer overflow bugs were eliminated from Windows XP [theregister.co.uk]?

    • by gstoddart ( 321705 ) on Tuesday May 12, 2015 @09:14AM (#49672945) Homepage

      The problem is that new code is just that ... new and untested.

      So you build something new from scratch and say "wow, we did awesome at teh security". Well, OK, now you release it into the wild and wait for people to abuse it -- that's when you find out how well you've done.

      Any new code is going to have the problem, because it hasn't been field tested or through several iterations.

      It's all well and good for Microsoft to say "nailed it". That doesn't make it true. So I think it's probably safe to assume that unless Microsoft has done something remarkable, there's probably a bunch of places where they haven't fully locked it down.

      • ...It's all well and good for Microsoft to say "nailed it". That doesn't make it true....

        Bingo!

        .
        And that's why I provided substantiation to show that Microsoft is often over-confident when it comes to such pronouncements.

    • So you reference an article that's ten years old?

      Not for nothing, and while there are plenty of ways to have insecurity in an OS... I think Microsoft's history especially as of late has been pretty good on that front. IE11 is a bastardized product and while I like the rendering engine because of how smooth it is and low memory, the browser is useless for me. If Edge can maintain that memory footprint, the smoothness, and add better HTML5 compatibility + extensions... I will give it a shot.

      • So you reference an article that's ten years old?...

        Yes. The article's true. An oldie but a goodie.

        .
        Given all the recent problems with Windows Update, and that Microsoft wants to use home users as beta test sites for future Windows Updates, I would think the 10 year old article is pretty close to reality nowadays.

    • by SQLGuru ( 980662 )

      Linux and Apple also used to talk about how secure they were......until they weren't. The only secure computer is one that's never been turned on.

  • Secure? (Score:5, Informative)

    by afidel ( 530433 ) on Tuesday May 12, 2015 @08:52AM (#49672743)

    They support WebGL which is going to be the next attack vector as well as continuing to support flash with sandboxing that the hackers will tear to shreds in short order.

  • by 140Mandak262Jamuna ( 970587 ) on Tuesday May 12, 2015 @08:58AM (#49672813) Journal

    A great news to many is that old unsecure plugin interfaces are not supported at all: VML, VBScript, Toolbars, BHOs, and ActiveX are all nuked from the orbit

    This looks like what the dev team presented to the upper management about what it wants to do. It will undergo several iterations. Some powerful customer will demand some interface to be supported or else... Some managers will insist on some form of backward compatibility mode. Some bing! advertisement people would ask for "special" interfaces to their team to let them "leverage" & "synergy" and other buzzword bingo stuff. There will be compromises. Some managers will insist with straight face, "yes, yes, this scripting interface is supported, but we say very clearly in the documentation it is not to be used for fresh code and it is to be used only for backward compatibility reasons, so it is not a security threat".

    Finally they will be wondering why security was compromised, and blame it on the open source zealots and prejudice among the uninformed and marketing by competitors and assure themselves "it is not our fault, we did not do anything wrong".

    • by afidel ( 530433 ) on Tuesday May 12, 2015 @09:15AM (#49672947)

      Some powerful customer will demand some interface to be supported or else

      No, they're shipping IE11 with enterprise compatibility mode to support back to IE8 quirks which will be fine for 99+% of their customers for legacy apps. Trust me, most of their customers are going to be happy to have a standards compliant browser as the default, the only trick will be in the mechanism to kick user over when they try to go to a corporate site that needs classic IE within Edge and keeping that mechanism from being abused by the bad guys.

  • Possibilities (Score:5, Interesting)

    by Ol Olsoc ( 1175323 ) on Tuesday May 12, 2015 @08:59AM (#49672823)
    Microsoft is always confident.

    But as a long time hater of Redmond products, am I sensing some sort of sea change?

    It's just within the realm of possibilities that the Ballmer days of "When I want your opinion, I'll tell you what it is," are over? In more than just name?

    I intend to give them a chance here, maybe its the same old Microsoft. Maybe not.

    • by afidel ( 530433 )

      It's just within the realm of possibilities that the Ballmer days of "When I want your opinion, I'll tell you what it is," are over? In more than just name?

      I'm not sure about that, they had a good start menu implementation early in the windows 10 tech preview and managed to mess it up and haven't listened to anyone who has told them that the new shrunken start screen alternative in the newer builds is crap so I don't think that part has changed that much. There are other positive changes happening at MS,

    • Re: (Score:2, Insightful)

      by phantomfive ( 622387 )

      I intend to give them a chance here, maybe its the same old Microsoft. Maybe not.

      At best, Microsoft is a corporation, whose entire purpose is to make money. What sort of chance is worth giving them?

      • At best, Microsoft is a corporation, whose entire purpose is to make money. What sort of chance is worth giving them?

        There's always the chance that they will, to the same extent as other software companies, deliver what they promise.

        I know, I know, I can't stop laughing either.

      • I would say that 'good business' is when you make a transaction and both parties walk away satisfied. It's not easy but I think it is possible for a corporation to be run that way.

    • by Anonymous Coward

      A corporation is a corporation is a corporation. The CEO is just the face of it. Yeah, it's kinda nice not having SB in our faces, but other than that, MS still wants to lock in as many customer and developer bases as it can. So do all of its major competitors, including the open source ones.

    • by Dunbal ( 464142 ) *
      Yeah now it's Satya Nadella saying "if something goes wrong with your system it's just your bad karma [forbes.com]". A cute way of saying that if your Windows box gets pwned, well what exactly where you doing/clicking on/browsing, you naughty little scamp?
  • So, are they admitting that their interest is not in making a secure browser, but one that the users consider to be secure? With that attitude, failure is not an option, it is a certainty.

  • by Anonymous Coward

    Big deal. When was the last time you heard a company say they *didn't* have confidence in the security of their product? It's like parents saying their kids are beautiful, even if said offspring has a face like a stepped-on cowpatty.

  • Here's the solution that nobody apparently has the balls to implement. Have a blacklist of common malicious adware plugins then block them all. That'd put Perion out of business really quickly. It's soooo obvious and common even a human can compile the list. Here, I'll start. Maps Galaxy. Babylon. Various youtube auto HD fake plugins. Anything with the word "coupon" on it. Shop at home toolbar. We Care. There, I just eliminated practically half the browser malware in the world with my 60 second b
    • Here's the solution that nobody apparently has the balls to implement. Have a blacklist of common malicious adware plugins then block them all.

      I know someone who makes a blacklist of the sites from which these "common malicious adware plugins" are served. He distributes this blacklist as a configuration file that your computer administrator can place in the etc folder. Once the file is installed, your machine will try to access 0.0.0.0 instead of the malware distribution site, which causes the malware to not get downloaded.

      Learn more about blacklisting malware sites [pineight.com]

      • by Whiteox ( 919863 )

        Looky here. Hosts file mods are ok, but when it becomes too unwieldy it slows the crap out of any browser and blocks sites you really want to see. Blocking 3rd party sites sometimes makes the parent page not work.
        So far add block is the only solution and setting that up on IE is a pain and quite flaky so unless Edge has something familiar, I can't and won't use it.
        The other recommendation is to get all flash requests to ask before running. Saves bandwidth and autorun video and other stuff and makes pages lo

      • That doesn't really work since these days you get that junk as coinstallers from download.com, filehippo, softpedia, softonic, etc. You might legitimately want to go to those sites. Although the installer itself typically accesses a web server that returns the paid deal of the day type malware options so if they were really clever, that's the address they'd block.
  • So Chrome offers great speed, stability, and separate processes per tab and Firefox has a huge selection of add-ons. But Microsoft has done very little to divulge what Edge has to offer to differentiate itself from the other browsers and become more than just the best browser to download Chrome or Firefox.
  • It was cooler when it was project Spartan

    • They did better than I expected. I thought they'd repeat what they did with their word processor and call it "Browser".

  • by Rhinobird ( 151521 ) on Tuesday May 12, 2015 @09:55AM (#49673241) Homepage

    I'm taking bets that the first exploit of the Edge browser will be call "Bleeding Edge"

  • "any person can invent a security system so clever that she or he can't think of how to break it."

    Here is the problem... If you only allow a few thousand people to look at your source code, and fully test your product, then you only have to design security clever enough to evade the efforts of a thousand people.

    In order for something to be secure, it needs to be widely published, and universally assaulted.
  • If Microsoft wants me to stop using IE and start using Edge, why does Skype continue to serve ads using IE? This doesn't leave me with much faith in Microsoft's "confidence" about their security.
    • Did rebranding IE12 into "Edge" include the browser identification string? Are there any signs of the app is still essentially a new version of IE.

      I doubt they started completely from scratch and with different staff than IE 11...

      A new app name doesn't make this any different than 11 was from 10... so is it really more significant? or is this just merely a rebranding from the trusted MS marketing department.

      • by Ark42 ( 522144 )

        As far as I know, it is IE 12 (Trident 8.0), but they consider it a fork, which means technically you can have different features and support in Edge 1.0 and a future hypothetical actual IE 12. Mostly what they did was *remove* all kinds of backwards compatibility stuff from Edge, so that you can't trigger IE10/9/8/7/5 (yes, 6 was not a choice) rendering modes anymore. You can't use VBScript, ActiveX, and all kinds of other non-standard stuff. IE10+ is already a pretty decent modern browser, very much on pa

  • A great news to many is that old unsecure plugin interfaces are not supported at all: VML, VBScript, Toolbars, BHOs, and ActiveX are all nuked from the orbit.

    I take it this also eliminates any existing ad blockers? Is there an alternative plugin mechanism that would allow for new ad blockers?

  • We know we got security all wrong before, but trust us, we're much better now. We've learned from our mistakes and have closed all possible security holes.

    Oh, and we're also going to be standards-compliant so developers can drop all of the old Microsoft-specific CSS and JS coding.

  • Within 7 days of this browser getting released we will hear of wild exploits circulating for it.
  • Doesn't anyone watch classic movies anymore? And they said that line TWICE.

  • ...but isn't this the equivalent of going over to a bunch of kids on the playground and saying "That new kid over there said he could beat up each and every one of you! With one hand tied behind his back!"

    What I'm wondering is: who paid to have this on /.'s front page so that armies of geekdom are mobilized to find all the new, Edgy exploits?

  • The browser can only be as secure as the underlying Operating System. Unless you mix browser and OS code so well that a) the OS relies on the browser for 'security' and b) it's impossible to totally remove the browser without breaking OS functionality or as in the case of Windows msOffice won't work without the presence of iExplorer.
  • Nobody is using it yet!

  • Microsoft isn't new to the software business. Why weren't these features built into IE from day one?

To stay youthful, stay useful.

Working...