Microsoft Edge introduces new security risks in Windows 10
The Internet Explorer replacement Microsoft Edge is one of the headline features of Windows 10. With security at the heart of Microsoft's latest operating system, and the general concern about online safety, it makes sense to put the web browser under the microscope to see how it fares against the competition.
This is exactly what security analysts at Trend Labs have done. While the team concedes that Microsoft Edge beats Firefox's security and roughly draws level with Chrome's, the new web browser also introduces new security problems and threat vectors.
Of particular concern for the security experts is the integration of PDF reader and Adobe Flash plugins. With the historic and on-going security concerns with Flash, Trend Labs suggests that Microsoft Edge could have a problem on its hands:
While we believe that users and sites should move away from it, the reality is that for the foreseeable future Flash won’t go away yet. Attacks targeting Flash will continue to be a problem, and having it as a built-in feature may pose risks down the road.
The windows.data.pdf.dll module is singled out as worrisome, but Trend Labs points out that Chrome and Firefox have both managed to remain relatively secure after integrating plugins. Microsoft Edge's ability to receive patches through Windows Update works in its favor, however.
It is known that Chrome and Firefox extensions can be used by Microsoft Edge with relatively little modification, but other details have not been made clear. These extensions will run in the AppContainer sandbox, but sandbox escape vulnerabilities can be used to evade this. In addition, the threat of malicious extensions cannot be ruled out – either they may be malicious from the start, or a legitimate extension can be modified with an update to become malicious.
In all, Edge was found to have reached 'security parity' with Chrome, while managing to outpace Firefox.