In an official blog post, the Microsoft Browser Vulnerability Research team details a new flag for Microsoft Edge called "Super-Duper Secure Mode." It is intended to improve Edge's security by disabling JIT (Just-in-Time) compilation in the V8 JavaScript engine. Microsoft says bugs in JavaScript inside modern browsers are the most common vector for attackers. According to CVE data from 2019, approximately 45% of attacks on V8 relate to JIT. Disabling that component makes Microsoft Edge more secure and harder to exploit. "Super-Duper Secure Mode" also includes additional security measures and mitigations.
JIT (also known as "speculative optimization") was introduced in 2008 as a performance tool to speed up JavaScript scenarios. It makes the browsing experience snappier and faster by precompiling JavaScript code before a browser needs it. Unfortunately, that complex mechanism offers performance improvements at a security cost. Microsoft claims it is possible to fix half of the bugs in the V8 engine by disabling JIT. Also, according to Mozilla, more than half of all existing Chrome exploits abuse JIT bugs. Because most users think about performance first and often ignore security, developers are willing to take risks to make browsers snappier.
The Microsoft Browser Vulnerability Research team conducted a series of tests to check how big a performance dip the Edge browser takes with JIT disabled. Those tests include power, startup, memory, and page load trials. Because JIT is a performance-improving tool, there are some regressions. JavaScript benchmarks, such as Speedometer 2.0, also showed a significant decline in results, up to 58%. Despite that, Microsoft says users do not notice a performance decrease because that benchmark "tells only part of a larger story." In fact, according to the research, users rarely notice a difference in their daily use.
Microsoft does not want to disable JIT in the Edge browser right away. The company has yet to decide whether improved security is worth some performance dips, so the research team will continue evaluating factors that affect performance and use-case scenarios.
Enable Super-Duper Secure Mode in Edge
Edge Beta, Dev, and Canary now offer the Super-Duper Secure Mode flag in the edge://flags section. You can test how disabling JIT affects your browsing experience by navigating to edge://flags/edge-enable-super-duper-security-mode and enabling Super-Duper Secure Mode.
As of now, it is just an experiment with a quirky name that Microsoft promises to change if it reaches public release. Super-Duper Secure Mode in Edge is subject to change, and you can help Microsoft evaluate efficiency by testing it in one of the preview channels.
Learn more about Super-Duper Secure Mode in Microsoft Edge in a blog post on the official Microsoft Browser Vulnerability Research blog.
Definitely a kiddie crap name. Well since grown up kids code these days at Microsoft, it’s expected.
I have trouble understanding the graphs. Does it say that disabling JIT decreases power consumption?
yeah, and improves security
When do you think this “Super-Duper” protection will be available for Edge Stable Edition? Thanks.
Hmm, I have no idea.
Also, it needs a better marketing name.