Microsoft Edge browser and the new attack surface

Syn Cubes takes a closer look at Microsoft's stunning move of launching its new Edge browser to millions of Microsoft Windows 10 users via Windows Update. Microsoft's new Edge browser is based on the Chromium engine, the same engine used by its leading competitor, Chrome.

Syn Cubes - November 1, 2020
CONTEXT


According to a Forbes article, the new Edge has already jumped to the number two position over other browsers. Microsoft’s Edge was the replacement for good old Internet Explorer in 2015. In 2020, the new Edge was released as a bigger and better version with a bunch of cool features that will bring Microsoft Edge to the same level as Google’s Chrome as the browser wars break out.

'Expect the unexpected' - Anonymous
Let us have a look through the new Edge’s features

While you browse, isn’t it infuriating to see pop-ups appear on the screen asking permission to send notifications about similar articles? Sometimes too many pop-ups make users leave the website. Realizing this, Microsoft has come up with a new feature for its Edge browser that hides these notification pop-up prompts, for every user’s good. Best of all, it not only stops annoying pop-ups but also helps block them from scam sites.

Another pretty cool feature is automatic profile switching. This makes it easier to separate work and personal browsing. To help users avoid getting mixed up with more than one profile, the browser will prompt to switch profiles without the user having to authenticate. This makes things much easier, especially for those working from home during COVID-19.

“We hope that this will help you keep your work and personal data separate and help you get to your work content more seamlessly,” said Avi Vaid, Microsoft Edge program manager.

And that is not all. Microsoft is testing a new feature called ‘SmartScreen’ that stops users from visiting insecure websites or downloading malicious files. This will be a good security move too. As many of us continue to work from home, the new Edge, with all these features, will certainly come in handy.

Let’s have a look at privacy and security aspects

It is true that Edge and Chrome are both based on the same Chromium browser, so they have a similar appeal. For people who are trying to avoid Google products or prefer Microsoft products, Edge may be the best choice, as it has some cool security credentials too. On the other hand, none of these security features have been proven on the privacy front.



But Chrome, being a well-experienced browser, is already aware of most of the security challenges it faces. It has also introduced new security features during the pandemic, including enhancements for managing cookies, safety checks, Safer browsing, and Secure DNS. So, as far as security goes, Edge is still a concern.

One of the key features of the new Edge browser from Microsoft is its ability to add extensions from the Chrome Web Store, just like other Chromium-based browsers. Because of this, Edge is now closer to Chrome than ever before and can tap into Chrome’s vast library of extensions. Chrome has more than 180,000 extensions, and many users install them in the browser for things like blocking ads, checking grammar, managing passwords, managing multiple Gmail accounts, translating text into other languages, and collapsing tabs into a list for later use. But the openness of extensions opens a new door to malware, spyware, cryptocurrency miners, Facebook account hijackers, and other bad extensions. In simple words, the problem with browser extensions is that so many of them are spying on users, inserting ads into their browser, or doing all sorts of other evil things.

Being the mature one here, Google’s Chrome has already taken steps to fix these issues. Last month Google also removed four malicious extensions from the Chrome Web Store that had been installed by 500,000 Chrome users (Tung, 2018). As for the new Microsoft Edge browser, users still do not know how things will go.

"Users must be able to trust the extensions they install are safe, privacy-preserving, and performant," said James Wagner, Chrome's extensions product manager, in a blog post.

However, in the first few months after the new Edge’s release, if someone using the new Edge browser tries to add extensions from the Chrome Web Store, a message will pop up saying that Google “recommends switching to Chrome to use extensions securely.” According to PCWorld, simply trying to install a Chrome extension via the Chrome Web Store requires navigating through several warnings, from both Google and Microsoft, about where to go to install an extension. The confusion and frustration this no doubt creates for users reflects poorly on both sides.

To ensure the safe use of Microsoft’s new Edge and its plethora of extensions through the Chromium engine, you can check the source code yourself. For company use, it is best to do a security source code review of extensions before allowing users to install them. Every extension that you install on your computer is constructed out of a special zip file that contains files and folders of JavaScript code and other resources. The great thing is that you can investigate the source code of an extension and see what it is doing. A secure code review is a specialized task involving manual and/or automated review of an application's source code to identify security-related weaknesses in the code. A secure code review does not attempt to identify every issue in the code but instead looks to provide insight into what types of problems exist and to help the developers of the application understand what classes of issues are present.
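A first-pass triage of such a review, as an added example (not Syn Cubes' tooling and not code from the original article): it strips the CRX3 container header that precedes the zip data, reads `manifest.json`, and lists the permissions and script files a reviewer should read first. The permission list, the JavaScript patterns and the in-memory sample extension are assumptions constructed for this illustration.

```python
import io, json, re, struct, zipfile

# Reviewer-chosen heuristics (assumptions for this example, not an official list).
RISKY_PERMISSIONS = {"cookies", "webRequest", "history", "tabs", "debugger",
                     "nativeMessaging", "management", "proxy"}
BROAD_HOST = re.compile(r"^(<all_urls>|(\*|https?)://\*/.*)$")
RISKY_JS = re.compile(rb"\beval\s*\(|new\s+Function\s*\(")

def strip_crx_header(data: bytes) -> bytes:
    """Return the ZIP payload of a CRX3 file; a plain ZIP is returned unchanged."""
    if data[:4] != b"Cr24":
        return data
    version, header_len = struct.unpack_from("<II", data, 4)
    if version != 3:  # layout: magic, version, header_len, signed header, zip
        raise ValueError(f"unsupported CRX version {version}")
    return data[12 + header_len:]

def review_extension(data: bytes) -> dict:
    """Collect manifest permissions and JS patterns a reviewer should read first."""
    report = {"risky_permissions": [], "broad_hosts": [], "js_hits": []}
    with zipfile.ZipFile(io.BytesIO(strip_crx_header(data))) as zf:
        manifest = json.loads(zf.read("manifest.json").decode("utf-8-sig"))
        requested = list(manifest.get("permissions", []))
        requested += manifest.get("host_permissions", [])
        for script in manifest.get("content_scripts", []):
            requested += script.get("matches", [])
        for item in (i for i in requested if isinstance(i, str)):
            if BROAD_HOST.match(item):
                report["broad_hosts"].append(item)
            elif item in RISKY_PERMISSIONS:
                report["risky_permissions"].append(item)
        for name in zf.namelist():
            if name.endswith(".js") and RISKY_JS.search(zf.read(name)):
                report["js_hits"].append(name)
    return report

def build_sample_crx() -> bytes:
    """Constructed sample: a CRX3-style container with a dummy 8-byte header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", json.dumps({
            "manifest_version": 2, "name": "sample", "version": "1.0",
            "permissions": ["cookies", "storage", "<all_urls>"],
            "content_scripts": [{"matches": ["https://*/*"], "js": ["cs.js"]}]}))
        zf.writestr("cs.js", "eval(fetched);")
        zf.writestr("options.js", "console.log('ok');")
    return b"Cr24" + struct.pack("<II", 3, 8) + b"\x00" * 8 + buf.getvalue()
```

A hit is a pointer to where the manual review should start, not a verdict: legitimate extensions also request broad permissions, so the flagged files still need to be read.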

As Windows replaces the legacy version of Microsoft Edge on Windows 10 PCs, people are now starting to experience the new browser. From all that we hear now, impressions can be summed up as good. Over time, Edge will be defined by its convenience, and by how well it works its way into the desktop and smartphones as well. Convenience, ubiquity, and moderate power make the new Edge a solid if somewhat uninspiring browser right now. If nothing else, the new Edge will be worth checking out, as it stares at you from your PC’s taskbar (Hachman, 2020).

HOW WE CAN HELP

At Syn Cubes, assessing source code to detect security holes is a day-to-day activity. So far, we have managed to remove more than a dozen malicious extensions from the Google store.

As a company, if you need to keep your library of approved browser extensions up to date and to trust that the source code you are using is free of malicious content, get in touch with us. We will take care of this hard job for you.



REFERENCES

Hachman, M., 2020. Microsoft's new Edge review: Microsoft's Chromium-based browser gets the job done.
   - https://www.pcworld.com/article/3513995/microsoft-new-edge-review-chromium-based-web-browser.htm

Hachman, M., 2020. Update: Google and Microsoft are scaring consumers over Edge extensions, and for what?
   - https://www.pcworld.com/article/3528753/google-and-microsoft-are-killing-the-new-edge-browser-with-scare-tactics-over-extensions.html

Hendrikx, M., 2014. How to view the source code of a chrome extension.
   - https://www.howtogeek.com/198964/HOW-TO-VIEW-THE-SOURCE-CODE-OF-A-CHROME-EXTENSION/
