We're all anxiously awaiting the day that Windows 10's new Edge browser becomes usable. That hasn't happened yet, but it will some day next year. Microsoft Edge should represent a huge improvement in browser security, particularly when compared with the ancient, creaking, and leaky Internet Explorer. Recent events, though, have me wondering if Edge really represents that big of a step forward.
Back in May, Microsoft Edge senior program manager Crispin Cowan made some bold predictions in the blog post "Microsoft Edge: Building a safer browser." In the blog, Cowan assured us that:
With Microsoft Edge, we want to fundamentally improve security over existing browsers and enable users to confidently experience the web from Windows. We have designed Microsoft Edge to defend users from increasingly sophisticated and prevalent attacks.
The article goes on at length to describe how Edge will be better than the bad, old IE, "including industry-leading sandboxing, compiler, and memory management techniques developed in close partnership with Windows."
In particular, we are promised that Edge will do a better job defending against malicious websites and fake sites; will bid farewell to ActiveX, VBScript, Toolbars, BHOs and VML; and will have secure extensions, app container sandboxing, MemGC garbage collection to protect against use-after-free attacks, Visual Studio's Control Flow Guard, and many other advanced technologies.
But looking at yesterday's Patch Tuesday announcement and the one for November has me wondering how much of this improved security is new bananas -- and how much is built on a rotten old foundation.
The reason for my skepticism: Common Vulnerabilities and Exposures (CVEs). Each CVE entry is supposed to identify a unique security hole. The overlap between Internet Explorer CVEs and Edge CVEs shows that many security problems in IE have been inherited by Edge.
For example, yesterday Microsoft released MS15-124, a cumulative update for Internet Explorer, alongside MS15-125, an analogous patch for Microsoft Edge. Out of the 15 CVE holes plugged in Edge, 11 of those same holes were also plugged in IE. Looking back at November's Patch Tuesday, all four of the CVEs fixed by Edge's MS15-113 were also identified as fixed problems with IE's MS15-112.
That's not a coincidence.
I took a look at the official CVE list for Edge and compared it with the similar list for Internet Explorer. There are 14 identified CVEs for Microsoft Edge. Of those, 13 are also identified security holes for Internet Explorer.
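The comparison described above, pulling the CVE identifiers out of a pair of bulletins and measuring how many of the Edge holes were also plugged in IE, is easy to repeat for any Patch Tuesday. The script below is an added example, not code from the column or from Microsoft. The column does not list the individual CVE numbers, so the bulletin excerpts here are constructed with placeholder identifiers of the form CVE-0000-NNNN (an impossible year, so they cannot be confused with real entries); only the counts follow the column (15 Edge CVEs with 11 shared in December, 4 of 4 in November), and the number of IE-only CVEs is made up because the column does not give it.

```python
import re

# Matches a CVE identifier such as CVE-2015-1234 (4- to 7-digit sequence number).
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,7}\b", re.IGNORECASE)


def extract_cves(bulletin_text: str) -> frozenset[str]:
    """Return the set of CVE identifiers mentioned in a bulletin's text."""
    return frozenset(m.group(0).upper() for m in CVE_RE.finditer(bulletin_text))


def overlap_report(edge_cves: frozenset[str], ie_cves: frozenset[str]) -> dict:
    """Compare an Edge bulletin's CVE set against the IE bulletin shipped with it.

    'inherited_fraction' is the share of Edge holes that IE was patched for too;
    a high value suggests the fix landed in code both browsers carry.
    """
    shared = edge_cves & ie_cves
    return {
        "edge_total": len(edge_cves),
        "ie_total": len(ie_cves),
        "shared": len(shared),
        "edge_only": sorted(edge_cves - ie_cves),
        "ie_only": sorted(ie_cves - edge_cves),
        "inherited_fraction": (len(shared) / len(edge_cves)) if edge_cves else 0.0,
    }


def _placeholder_ids(start: int, count: int) -> list[str]:
    """Constructed CVE-style identifiers. Year 0000 is not a valid CVE year,
    so these can never be mistaken for (or collide with) real entries."""
    return [f"CVE-0000-{start + i:04d}" for i in range(count)]


# Constructed bulletin excerpts. Only the counts follow the column
# (December: 15 Edge CVEs, 11 also fixed in IE; November: 4 of 4 shared);
# the identifiers are placeholders and the IE-only counts are made up.
_dec_shared = _placeholder_ids(1, 11)
_dec_edge_only = _placeholder_ids(101, 4)
_dec_ie_only = _placeholder_ids(201, 5)
_nov_shared = _placeholder_ids(301, 4)
_nov_ie_only = _placeholder_ids(401, 3)

BULLETIN_PAIRS = {
    # label: (Edge bulletin text, IE bulletin text)
    "December 2015 (MS15-125 vs MS15-124)": (
        "MS15-125 resolves " + ", ".join(_dec_shared + _dec_edge_only) + ".",
        "MS15-124 resolves " + ", ".join(_dec_shared + _dec_ie_only) + ".",
    ),
    "November 2015 (MS15-113 vs MS15-112)": (
        "MS15-113 resolves " + ", ".join(_nov_shared) + ".",
        "MS15-112 resolves " + ", ".join(_nov_shared + _nov_ie_only) + ".",
    ),
}


def inherited_fractions(pairs: dict[str, tuple[str, str]] = BULLETIN_PAIRS) -> dict[str, dict]:
    """Run the overlap comparison over every (Edge, IE) bulletin pair."""
    return {
        label: overlap_report(extract_cves(edge_text), extract_cves(ie_text))
        for label, (edge_text, ie_text) in pairs.items()
    }


if __name__ == "__main__":
    for label, report in inherited_fractions().items():
        print(f"{label}: {report['shared']}/{report['edge_total']} Edge CVEs "
              f"also fixed in IE ({report['inherited_fraction']:.0%}); "
              f"Edge-only: {report['edge_only'] or 'none'}")
```

To apply this to real bulletins, replace the constructed strings with the text of the two bulletins (or the CVE columns of the Security Update Guide) and read off the inherited fraction; the Edge-only list is the part of the attack surface that is genuinely new code rather than shared with IE.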
Clearly, Edge improves security in a broad number of areas. But you have to wonder how much of the old IE rough edges will continue to show through.