Security is a top priority for Edge and deciding to build a new browser gave us the opportunity to take the lessons learned over many years and rethink our approach to securing the new Microsoft Browser. We knew that securing the browser is about more than just adding new features; it requires a coordinated combination of rapid response, along with constantly looking ahead for new threats and ensuring appropriate mitigations are in place to mitigate them. We needed a dedicated team of browser security experts to work alongside our developers here at Microsoft to ensure that the new Edge was the most secure browser we have ever made.
Getting up to speed on Chromium was no small task. Chromium is one of the largest open source projects in the world with over 25 million lines of code and a remarkable degree of complexity. Our friends at Chromium reached out to offer support inviting us to the Google campus to discuss ways to collaborate and improve security for all of Chromium’s users.
Our security researchers spent several months studying past vulnerabilities as well as exploit techniques, using write-ups from independent researchers, Google Project Zero, Zero Day Initiative, and others. We applied this understanding to Edge drastically changing how we work to secure the browser. At the core of this approach is using our deep understanding of offensive security to make better decisions to secure the browser.
The result of that work has benefited Edge greatly over the past year. We have seen a 93% decrease in externally found reports compared to legacy Edge and our browser remained untouched during the 2020 Pwn2Own competition.
Other users of Chromium-based browsers have benefited as well, we have reported hundreds of security vulnerabilities to the Chromium project, contributed fixes and worked with the Chromium team to improve the sandbox on Windows. We attribute much of this success to our collaboration and the openness of the security community. In that spirit we have decided to share our work with the public in the hopes that it may help others, just as we were helped when redesigning the Edge browser. This blog is a step in that direction.
Our research will primarily focus on Edge and other Chromium-based browsers but will occasionally include other targets as well. Although we are not limiting ourselves to any specific topics, we plan to share code and writeups for exploits, tools for finding bugs and share some insights into how we are working to secure Edge.
Sharing exploits with the public is a bit new for Microsoft, despite extensive internal research in the area. We continue to support responsible disclosure and intend to work within those guidelines.
Over the next few months, we will detail some of the vulnerabilities we have found so far, how we exploited them, the methods we used to identify those issues and lessons from trying to secure a complex codebase. It is our hope that, by doing so, we may play a positive role in pushing browser security forward, ensuring a safer internet for everyone.