
Hmmm, the CVE database shows Edge with 104 code execution bugs for 2017. Chrome has 4 for the same period.

For information leaks Edge shows 19 for 2017, Chrome at 10.

Of course maybe Edge's techniques are good and other browsers should adopt them but at least looking at the CVE database it does not seem like Edge is doing a very good job at being secure.

http://www.cvedetails.com/product/32367/Microsoft-Edge.html?...

http://www.cvedetails.com/product/15031/Google-Chrome.html?v...




This article seems to be focused on what happens when that number is non-zero, whether 4 or 104. Given a bug, how to ensure that an exploiter does not gain privileged access?

So yeah, Edge clearly has a way to go in patching holes, but CVE count is not the entire story, either.


Most vulnerabilities are listed as: "allows an attacker to execute arbitrary code in the context of the current user". So it would seem that Edge is good at preventing elevated privileges.

However, I don't care at all about elevated privileges. If a bug in my browser allows code execution, that means that code is executing with my privileges. So all my data is already at risk. And my data is basically the only thing that's important. Becoming part of a botnet or the propagator of viruses is annoying at worst. Ransomware or my data leaking out is infinitely worse.

And Edge seems to be exceptionally horrible at preventing code execution. Perhaps their security team should focus on that for a bit.


I couldn't agree more. In fact I run browsers as separate users to prevent direct access to my data, although they still have access to my X server and could dangerously tamper with other clients.


Edge seems to be less secure by any objective measure: CVE count, Pwn2Own contests, audits, etc.

So far I'd say it's pretty clear the stronger isolation model works better than the multiple-mitigation techniques model, even though Edge actually has some relatively strong sandboxing, too, which makes the ineffectiveness of its mitigation mechanisms even worse.

Also, as they say in this post, Google is already developing an even stronger isolation model that would have prevented this type of attack. It's just not fully tested and enabled yet.

Finally, Google seems to dedicate more people for patching Chrome, or at least it has a system that fixes bugs much faster than Microsoft does in Windows. One of Edge's main weaknesses is that it essentially works as a part of Windows, not as a third-party app. This is something I've criticized them for since when they first announced Edge and said this was a mistake precisely because of this reason, of being tied to Windows updates, and thus slower to improve.

I don't really care about the part where they're supposed to wait for Google to fix it or whatever. I don't know the details for this, but I believe Google waits on some bugs for 90 days and on some highly-critical ones, like bugs being exploited in the wild only 7 days. But I suppose that's also a pretty arbitrary number, so I don't know if I should be upset at Microsoft for releasing the bug sooner than that.

All in all, it's actually pretty cool that Microsoft and Google are attacking each other's products like this. It keeps both on their toes, at least I would hope it does. I just wanted to point out that Microsoft is being rather misleading in this post when it's implying that Edge's model has better security. Chrome's security is not bulletproof but it seems to have proven itself to be quite good so far.

It's also why I was hoping Mozilla wouldn't make those "best of both worlds" compromises between sandboxing and saving 30% memory. Is saving 30% memory worth having your browser twice as exploitable? Maybe it won't be that exploitable, so we'll see. Firefox may also be able to make up for the weaker sandboxing with the Rust rewrites, but only time will tell.


> Also, as they say in this post, Google is already developing an even stronger isolation model that would have prevented this type of attack. It's just not fully tested and enabled yet.

Note that Site Isolation has to run every origin in a separate process to be maximally effective, which nobody has demonstrated a feasible way to do at scale yet. The plan as I understand it is to run just "high-value sites" in separate processes.

> It's also why I was hoping Mozilla wouldn't make those "best of both worlds" compromises between sandboxing and saving 30% memory. Is saving 30% memory worth having your browser twice as exploitable? Maybe it won't be that exploitable, so we'll see. Firefox may also be able to make up for the weaker sandboxing with the Rust rewrites, but only time will tell.

Where did you get the idea that Firefox is not committed to strong sandboxing?


CVE count is not a measure of security. That's an anti-metric.



