Microsoft silently enables ‘Super Duper Secure Mode’ for Edge
Microsoft last week secretly added a security feature in its Edge web browser that allows users to sacrifice the browser's performance for improved security.
Announced in August this year, the feature is named Super Duper Secure Mode and was included in Edge v96.0.1054.29, released last Friday on November 19, according to Johnathan Norman, Microsoft Edge Vulnerability Research Lead.
Under the hood, the feature works by allowing users to disable support for an Edge component named the JIT (Just-In-Time) compiler, a toolkit that compiles JavaScript code into machine code ahead of time in order to speed up the browser.
While the JIT compiler was initially designed to improve website loading speeds and to help with complex and dynamic websites, it has recently been a whirlpool of security flaws.
As the Edge team explained in a blog post in August, the JIT compiler has been the source of 45% of all security vulnerabilities discovered in Edge's browser engine and of half the zero-days exploited in Chromium browsers since 2019.
Super Duper Secure Mode lets users disable JIT compilation by going to Edge's settings section, at edge://settings/privacy, and flipping a switch.
Two options are provided: Balanced, which disables JIT on new sites that the user doesn't usually visit, and Strict, which disables JIT on all sites at once.
Currently, Super Duper Secure Mode just disables JIT, but Norman said in August that other security features will be added to this umbrella security option, such as support in Edge for MiraclePtr, Control-flow Enforcement Technology (CET), and Arbitrary Code Guard (ACG).
"I'm really excited to see what impact we have here. Although for it really to matter, we will need SDSM enabled by default," Norman tweeted on Monday.
Catalin Cimpanu is a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.