Figure 1. asm.js flow chartIn other browsers, asm.js support has led to security problems. At 2015's annual Pwn2Own competition, a vulnerability (CVE-2015-0817) in the Mozilla Firefox implementation of asm.js was used to successfully "own" that browser. Therefore, we cannot rule out the possibility that it could be a source of vulnerabilities in Microsoft Edge as well. New Extension Model Microsoft Edge will introduce improved extension support sometime after the launch of Windows 10. It is known that Chrome and Firefox extensions can be used by Microsoft Edge with relatively little modification, but other details have not been made clear. These extensions will run in the AppContainer sandbox, but sandbox escape vulnerabilities can be used to evade this. In addition, the of malicious extensions cannot be ruled out - either they may be malicious from the start, or a legitimate extension can be modified with an update to become malicious. However, the version of Edge that will be launched with Windows 10 does not have support for extensions yet. Browser Security Comparison The following tables compare the various features, protections, and attack surfaces of various browsers.
Figure 2. Exploit mitigation features (Edge versus IE 11)Although IE 11 supports the EPM sandbox, by default it only uses the PM sandbox. The IE 11 rendering process is also, by default, 32-bit.
Figure 3. Attack surfaces
Figure 4. Exploit mitigation features (major browsers)Summary Microsoft Edge represents a clear improvement compared to Internet Explorer 11. Specifically, the improved sandbox and exploit mitigation techniques make exploiting Edge more difficult than its predecessor. In addition, the dropping of unused legacy features reduces the possible attack vectors into the browser. Overall, we believe that Edge has reached a security parity with the Google Chrome browser, with both markedly superior to Mozilla Firefox. However, multiple attack surfaces still remain which can be used by an attacker. Given the sophistication and demands on modern browsers, this may well be inevitable.