November 17th, 2015
In May, we announced that Microsoft Edge was saying goodbye to binary extensibility models such as ActiveX and Browser Helper Objects. This change made browsing in Windows faster, more secure, and more stable than ever, while paving the way for better interoperability with other browsers and modern extension models. Those improvements are at risk, however, if uninvited extensions in the form of DLLs (Dynamic-Link Libraries) are injected into the browser. The latest Windows 10 updates strengthen Microsoft Edge with kernel-enforced blocking of unauthorized DLLs in Microsoft Edge content processes.
What is the problem?
Web browsers are an attractive target for adware, because in-browser advertisements can be a significant source of revenue. If someone can replace, or even add to, the advertisements the user sees, they can redirect that cash flow. Because some programs seek to change user settings without the user's consent, Microsoft Edge is hardened to protect user settings (including protecting search results and other web content from third-party injection). Developers who are determined to tamper with the user's settings may resort to injecting DLLs into the Edge process, bypassing the built-in interfaces for settings controls.
This is a common reason why some users end up with toolbars installed or third-party content injected into pages without their intent or consent. These uninvited additions degrade the performance, stability, and security of the browser, and hence become a problem for the user.
The same technique serves outright exploitation. An attack on a web browser typically begins with a memory-corruption bug that lets the attacker hijack control of the browser process. Once they have a toehold, they pull in more and more of their attack code and set about changing what the user's PC does, from serving the user to serving the attacker. That initial hole is often very small, so it is common for the attacker to download a DLL containing the rest of their code and simply load it into the victim process. The attacker is trying to colonize the browser, and loading DLLs provides a handy cargo pallet full of supplies. Blocking unauthorized DLL injection takes that pallet away, making browser exploits more difficult and more expensive for attackers to carry out.
Blocking unwelcome code injection with Module Code Integrity
Starting with EdgeHTML 13, Microsoft Edge defends the user's browsing experience by blocking injection of DLLs into the browser unless they are Windows components or signed device drivers. DLLs that are either Microsoft-signed or WHQL-signed will be allowed to load, and all others will be blocked. "Microsoft-signed" allows Edge components, Windows components, and other Microsoft-supplied features to be loaded. WHQL (Windows Hardware Quality Labs) signed DLLs are device drivers for things like the webcam, some of which need to run in-process in Edge to work. In ordinary use, users should not notice any difference in Microsoft Edge.
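As an added example (not code from this post or from Microsoft), the following PowerShell enumerates the modules loaded into Edge content processes and reports any that do not fit the allow list just described. It approximates the kernel's decision with the Authenticode status and signer subject of each file; the real check validates the signing chain (including Windows catalog signatures, which Get-AuthenticodeSignature also honours), so treat the output as a triage list rather than a verdict. The content-process name MicrosoftEdgeCP and the accepted signer strings are assumptions; run it from an elevated prompt so the module lists of AppContainer processes can be read.

```powershell
# Added example, not part of the original post. Audits DLLs loaded into Edge content
# processes against the "Microsoft-signed or WHQL-signed" rule. Assumptions: EdgeHTML
# Edge (content process name MicrosoftEdgeCP), Windows 10, elevated PowerShell.
function Get-EdgeModuleAudit {
    param([string]$ProcessName = 'MicrosoftEdgeCP')

    # Signer subjects treated as Microsoft or WHQL. Heuristic only: the kernel
    # validates the certificate chain, not the subject string.
    $acceptedSigner = 'O=Microsoft Corporation|Microsoft Windows Hardware Compatibility Publisher'

    foreach ($proc in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
        try {
            $modules = $proc.Modules
        } catch {
            Write-Warning "PID $($proc.Id): cannot read module list ($_)"
            continue
        }
        foreach ($m in $modules) {
            $sig    = Get-AuthenticodeSignature -FilePath $m.FileName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            [pscustomobject]@{
                PID     = $proc.Id
                Module  = $m.ModuleName
                Path    = $m.FileName
                Status  = $sig.Status     # Valid, NotSigned, HashMismatch, NotTrusted, ...
                Signer  = $signer
                # True when the module matches the allow list described in the post.
                Allowed = ($sig.Status -eq 'Valid') -and ($signer -match $acceptedSigner)
            }
        }
    }
}

# Anything listed here is in the process despite the policy (or the signer heuristic
# above needs widening). An empty table is the expected result on a healthy machine.
Get-EdgeModuleAudit | Where-Object { -not $_.Allowed } |
    Format-Table PID, Module, Status, Signer, Path -AutoSize
```

The function takes any process name, so the same audit run against another browser or a legacy Internet Explorer session shows what an unprotected process typically carries: toolbar helpers, ad injectors, and other third-party DLLs that would not pass this filter.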
Code integrity enforcement can be done in the process, or in the kernel. Enforcement in the process is only useful if the threat model is that the process is not yet compromised, because once it has been compromised the hacked process can simply disable the code integrity check for itself. Microsoft Edge uses enforcement in the kernel, which applies the signature check when an image section is mapped into the process, so it covers every path through the Windows loader and is robust against a compromised process: even a pernicious ad injector cannot turn the check off. With the browser process model and the Windows kernel helping each other in this way, Microsoft Edge becomes the first and only PC browser with library code integrity protection.
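The per-process signature policy the kernel enforces is also available to other applications: a process can be created with it through the mitigation-policy process attribute (PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON), or a running process can opt itself in with SetProcessMitigationPolicy. As an added example (not code from this post or from Microsoft), the PowerShell below opts the current process into MicrosoftSignedOnly and then asks the loader for a Windows DLL and for a DLL without a Microsoft signature. The unsigned DLL path is a placeholder you must supply; the policy stays in effect until the process exits, so run this in a disposable PowerShell session.

```powershell
# Added example, not part of the original post. Opts the current process into the
# kernel-enforced "Microsoft-signed only" image policy and shows the effect on
# LoadLibrary. Assumes Windows 10 (the policy exists since build 10240) and a
# disposable PowerShell session: the policy stays on until the process exits.

# Declare the P/Invoke shims first; compilation must finish before the policy is on.
Add-Type -Namespace Win32 -Name ImagePolicy -MemberDefinition @'
[StructLayout(LayoutKind.Sequential)]
public struct BINARY_SIGNATURE_POLICY { public uint Flags; }   // bit 0 = MicrosoftSignedOnly

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool SetProcessMitigationPolicy(
    int policy, ref BINARY_SIGNATURE_POLICY buffer, IntPtr size);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool GetProcessMitigationPolicy(
    IntPtr process, int policy, ref BINARY_SIGNATURE_POLICY buffer, IntPtr size);

[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern IntPtr LoadLibraryW(string path);

[DllImport("kernel32.dll")]
public static extern IntPtr GetCurrentProcess();
'@

$ProcessSignaturePolicy   = 8     # PROCESS_MITIGATION_POLICY.ProcessSignaturePolicy
$MicrosoftSignedOnly      = 0x1   # PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY.MicrosoftSignedOnly
$ERROR_INVALID_IMAGE_HASH = 577   # Win32 error the loader reports when the kernel rejects an image

function Enable-MicrosoftSignedOnly {
    $policy = New-Object -TypeName 'Win32.ImagePolicy+BINARY_SIGNATURE_POLICY'
    $policy.Flags = $MicrosoftSignedOnly
    $size = [IntPtr][Runtime.InteropServices.Marshal]::SizeOf($policy)
    if (-not [Win32.ImagePolicy]::SetProcessMitigationPolicy($ProcessSignaturePolicy, [ref]$policy, $size)) {
        throw "SetProcessMitigationPolicy failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
}

function Get-SignaturePolicyFlags {
    $policy = New-Object -TypeName 'Win32.ImagePolicy+BINARY_SIGNATURE_POLICY'
    $size = [IntPtr][Runtime.InteropServices.Marshal]::SizeOf($policy)
    [void][Win32.ImagePolicy]::GetProcessMitigationPolicy(
        [Win32.ImagePolicy]::GetCurrentProcess(), $ProcessSignaturePolicy, [ref]$policy, $size)
    return $policy.Flags
}

function Test-ImageLoad([string]$Path) {
    $handle = [Win32.ImagePolicy]::LoadLibraryW($Path)
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if ($handle -ne [IntPtr]::Zero) { return "$Path : loaded" }
    if ($err -eq $ERROR_INVALID_IMAGE_HASH) { return "$Path : rejected by image signature policy (error $err)" }
    return "$Path : failed with Win32 error $err"
}

# Placeholder: any DLL that carries no Microsoft signature, e.g. one you built yourself.
$unsignedDll = 'C:\temp\unsigned.dll'

"Signature policy flags before opt-in: $(Get-SignaturePolicyFlags)"
Enable-MicrosoftSignedOnly
"Signature policy flags after opt-in:  $(Get-SignaturePolicyFlags)"
Test-ImageLoad "$env:SystemRoot\System32\version.dll"   # a Windows component
Test-ImageLoad $unsignedDll                             # not Microsoft- or WHQL-signed
```

The important property to observe is that nothing in the PowerShell process is consulted after the opt-in: the refusal comes back from the kernel as a failed section mapping, which is exactly why code already running in a compromised Edge content process cannot argue its way around it.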
While requiring DLLs to be signed is not a silver bullet (there is no such thing in browser security), it adds substantially to the sophistication and expense required to target Microsoft Edge users. The kernel check applies to images mapped through the Windows loader, so an attacker who already executes code in the process can still avoid it by manually mapping a DLL into memory or by staying on return-oriented programming; that is why this mitigation is layered with the browser's other defenses rather than relied on alone. We continue to investigate further ways to thwart code injection into Microsoft Edge.
This change arrives as part of EdgeHTML 13, which is included with the latest automatic updates to Windows 10. Like many other Microsoft Edge security enhancements, this DLL code signing mitigation makes it less likely that the browser will be hacked. It also reinforces Microsoft Edge against unwelcome binary "extensions" that slow down or destabilize the browser. This unwanted software is often unstable and can crash the browser session, in addition to potentially polluting web pages with unwanted content or malicious search results.
We introduced this change to the Windows Insider Program with build 10547, and we have already seen tremendous results. From a sample of about 65,000 Windows Insider users on build 10547, Module Code Integrity blocked attempts to load adware and malware into Microsoft Edge for 2,704 of them. Additionally, by preventing software vendors from taking dependencies on the internal binary bits of the browser, we preserve the agility of Microsoft Edge to innovate rapidly and deliver our users the most modern web browsing experience possible.
We are committed to continuing to reinforce Microsoft Edge against malicious and unwanted content, and are hard at work delivering an extension model that will serve these principles. We look forward to sharing more on that front soon—in the meantime, let us know what you think in the comments below or @MSEdgeDev on Twitter.
– Crispin Cowan, Senior Program Manager, Microsoft Edge