Microsoft Fortifies Windows 10’s Edge Browser Against Binary Injection
Back in May of this year, Microsoft announced that Edge wouldn't support certain legacy technologies found in Internet Explorer, including ActiveX, VBScript, Browser Helper Objects (BHOs), and other things that could be exploited. That decision not only allowed Microsoft to build a more secure browser in Edge, but it also offers users a faster and more stable browsing experience than IE.
Now Microsoft is taking things a step further with EdgeHTML 13, its first platform update for Edge, which Windows Insiders have been previewing for the last few months.
"Starting with EdgeHTML 13, Microsoft Edge defends the user’s browsing experience by blocking injection of DLLs into the browser unless they are Windows components or signed device drivers," Microsoft explained in a blog post. "DLLs that are either Microsoft-signed, or WHQL-signed, will be allowed to load, and all others will be blocked."
By allowing Microsoft-signed and WHQL-signed DLLs to get through, Microsoft can continue to offer its own set of features and device drivers for things like a webcam, while still keeping the browser secure by restricting access to unsigned DLLs. It also leaves the door open for the bad guys to barge in by spoofing signatures, which Microsoft admits is a possibility.
"While requiring DLLs to be signed is not a silver bullet—there’s no such thing in browser security—it adds substantially to the sophistication and expense required to attempt to target Microsoft Edge users," Microsoft added. "We continue to investigate further ways to thwart code injection into Microsoft Edge."
The EdgeHTML 13 upgrade is being pushed out with the latest automatic updates to Windows 10.
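For administrators who want to see how the modules currently loaded in a browser process line up against the rule quoted above (Microsoft-signed or WHQL-signed passes, everything else does not), the following PowerShell audit is an added example, not code from Microsoft or from the original article. The process names and the signer-subject strings it matches are assumptions, and the subject match is only a heuristic: the actual enforcement is done by Windows when the DLL loads.

```powershell
# Added example: audit loaded modules against the "Microsoft-signed or
# WHQL-signed" rule described in the article. Heuristic only.

function Get-ModuleSigningClass {
    param([Parameter(Mandatory)][string]$Path)

    # Get-AuthenticodeSignature reports 'Valid' only when the signature
    # verifies and the certificate chains to a trusted root.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') {
        return 'Fails rule: unsigned or invalid signature'
    }

    $subject = $sig.SignerCertificate.Subject
    # Assumption: WHQL signatures carry this publisher name. Checked first
    # because the same subject also names Microsoft Corporation.
    if ($subject -like '*CN=Microsoft Windows Hardware Compatibility Publisher*') {
        return 'Passes rule: WHQL-signed'
    }
    # Assumption: Microsoft's own signing certificates carry this organization.
    if ($subject -like '*O=Microsoft Corporation*') {
        return 'Passes rule: Microsoft-signed'
    }
    return 'Fails rule: valid third-party signature'
}

function Get-ProcessModuleAudit {
    # Assumption: default names are the Edge manager and content processes.
    param([string[]]$ProcessName = @('MicrosoftEdge', 'MicrosoftEdgeCP'))

    Get-Process -Name $ProcessName -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = $_
        # Reading the module list can fail without elevation; skip that process.
        try { $modules = $proc.Modules } catch { return }

        foreach ($m in $modules) {
            [pscustomobject]@{
                Process = $proc.ProcessName
                Id      = $proc.Id
                Module  = $m.FileName
                Class   = Get-ModuleSigningClass -Path $m.FileName
            }
        }
    }
}

# List only the modules that would not satisfy the rule.
Get-ProcessModuleAudit | Where-Object { $_.Class -like 'Fails rule*' } |
    Sort-Object Module -Unique | Format-Table -AutoSize
```

Passing `-ProcessName` with another browser's process name shows which third-party DLLs are loaded there, which is the class of module the Edge change blocks.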