Microsoft Edge Super Duper Secure Mode removes a major JavaScript feature

JC Torres - Aug 5, 2021, 9:47pm CDT

JavaScript is a programming language that’s loved and reviled in equal measure. Often seen as a powerful and complex beast, it has enabled many rich experiences on the Web that wouldn’t have been possible with HTML and CSS only. It has, however, also given rise to many bugs and exploits that put people at risk. Microsoft Edge developers are now looking into what they call a “Super Duper Secure Mode” that disables one major JavaScript feature that almost all web browsers use for increased performance at the expense of security.

JavaScript is what is called an interpreted language, where the computer, or in this case the web browser, goes over each line in the code and executes it before moving on to the next line. That’s a rather simplistic explanation, of course, but it should already hint at how slow it can be compared to a program that has already been compiled into a binary form that the computer’s CPU directly understands.

That is where the JavaScript JIT, or Just-in-Time compiler, comes in. It is now a standard feature in almost all JavaScript engines used by web browsers, including Chromium’s V8 engine. It compiles JavaScript code just as it is about to be used, making its execution faster. Unfortunately, security researchers also blame half of the Chrome exploits out in the wild on bugs in this JIT.

Microsoft’s planned solution is to simply remove that JIT from the V8 engine that the Edge browser will use. Contrary to expectations, the developers discovered that there wasn’t a significant impact on performance without the JavaScript JIT. There were even some improvements, but, admittedly, there were also regressions.

This Microsoft Edge “Super Duper Secure Mode,” however, is still in its early phases of research and development and will most likely adopt a more business-friendly name closer to its first stable release. The researchers also hope that, by removing the JavaScript JIT from the picture, they will be able to implement more advanced exploit mitigations that weren’t possible with the JIT hanging around.

