In their annual security report ESET has praised Microsoft for finally securing their browser by default, resulting in no active exploits in the wild.
“From our point of view this situation with Edge was predictable, because, unlike IE11, Edge keeps modern security features turned on by default, including the AppContainer full process for sandbox and 64-bit processes for tabs,” the report says.
Internet Explorer had 109 known vulnerabilities, with 3 being exploited in the wild. Edge had 11, with none in the wild.
They note that the Edge browser finally purges Microsoft’s official browser from code which was written in the nineties when Microsoft was more security naive, and removed a range of interrelated vulnerabilities found in earlier versions of Windows.
“The two most common types of exploit attacks in the Windows world are Remote Code Execution (RCE) and Local Privilege Escalation (LPE). The first is used by attackers to penetrate a system and the second to obtain maximum privileges on that system. In fact, RCE exploits are commonly used to target vulnerabilities in web browsers with the intention of downloading and running malicious executables – such attacks are called drive-by downloads.”
Microsoft’s Windows 10 Enhanced Mitigation Experience Toolkit (EMET) features Attack Surface Reduction (ASR) and Microsoft has also worked to block other attack vectors to the OS.
In the latest OS builds Microsoft now blocks Adobe’s Flash by default, and prevents infected drivers by demanding that drivers be tested by and digitally signed by Microsoft, and also prevents infected firmware by using secure boot.
ESET concluded by saying: “Obviously, the use of a modern up-to-date Windows version, e.g. Windows 10 with the latest updates, is the best approach to being protected from cyber attacks exploiting vulnerabilities. As we have shown above and in previous versions of this report, its components contain useful security features for mitigating RCE and LPE exploits. We can say that actions taken by Microsoft to make modern versions of Internet Explorer more secure were insufficient because so-called advanced security settings that are built into Edge are still optional in IE.”
Microsoft’s effort to secure the OS has resulted in hackers moving on to other targets, such as routers and network cameras, meaning users need to remain vigilant, but if they move to the latest version of Windows they will have one less thing to worry about.