Edge gets mode that disables JIT engine for better security


Microsoft is giving Edge a so-called “Super Duper Secure” mode that can disable certain parts of the JavaScript engine to make the browser more secure. The developers say it is an experiment to see whether they can better secure the browser this way.

The new mode was created by Microsoft’s Vulnerability Research team. Turning on Super Duper Secure mode disables Just-In-Time (JIT) compilation in the V8 JavaScript engine. According to the researchers, nearly half of the browser vulnerabilities in V8 JavaScript and WebAssembly are exploited through the JIT engine. With the new mode, the browser is therefore expected to become much less vulnerable.

The developers question whether the extra speed that JIT provides is worth keeping the browser so vulnerable. “For users, disabling means less frequent security updates and fewer emergency patches,” the makers say. They call emergency patches ‘a common frustration for users’. Disabling the JIT engine would have other benefits as well. For example, technologies such as Intel’s Control-flow Enforcement Technology (CET) could be enabled. That hardware-based exploit mitigation technique does not work well with JIT, the developers say.

The developers want to look into the possibility of disabling JIT without making performance much worse. In practice, the loss of performance does not seem too bad. In a laboratory setting, turning it off ‘wouldn’t always have a negative impact’. The developers emphasize that this is a test for now, and that they would like to hear about users’ experiences. Users can manually enable the flag in the browser via edge://flags/#edge-enable-super-duper-secure-mode.
