Web Browser Security: From Netscape Navigator to Microsoft Edge

The Internet has become an intrinsic part of our everyday life, whether you are interested in the threats it poses from a cybersecurity point of view or simply enjoy the many advantages it offers. Not so long ago, though, you had to be a visionary to imagine the power it was going to hold in the future. Microsoft wanted to get into the browser game as soon as possible after Netscape Communications Corporation became the web browser industry leader, a little after the release of its flagship browser, Netscape Navigator, in October 1994.

Soon after, Microsoft licensed from Spyglass Inc. the Mosaic software that would later be used as the basis for the first version of Internet Explorer. Spyglass was an Internet software company founded by students at the Illinois Supercomputing Center that managed to develop one of the earliest browsers for navigating the web. After they began distributing their software and making up to $7 million out of it, they waited an entire year to go public, which happened exactly on this day, 25 years ago.

Microsoft developed the functionality of the Internet Explorer browser and embedded it in the core Windows operating system for the better part of the last 25 years. To this day they still provide security patches for the old Windows Internet Explorer 11 (the latest supported version), but on newer operating systems they are replacing it with their own Microsoft Edge browser, which in turn they are replacing this year with a brand new Microsoft Edge browser. Confusing, right? The main difference between the old Edge browser and the new Edge browser is that the latter is based on Google’s Chromium web engine and has nothing to do with Microsoft’s old code-base.

But until the new Edge browser becomes the default choice on Microsoft operating systems, let’s take a look at the current Edge browser and its relationship with the old Internet Explorer.

The already “old” Microsoft Edge has more in common with Internet Explorer than you might think, especially when it comes to security flaws.

Given that the number of vulnerabilities found in Edge is far below that of Internet Explorer, it’s reasonable to say Edge looks like a more secure browser. But is Edge really more secure than Internet Explorer?

According to a Microsoft blog post from 2015, the software giant’s Edge browser, an exclusive for Windows 10, is said to have been designed to “defend users from increasingly sophisticated and prevalent attacks.”

In doing that, Edge scrapped older, insecure, or flawed plugins or frameworks, like ActiveX or Browser Helper Objects. That already helped cut a number of possible drive-by attacks traditionally used by hackers. EdgeHTML, which powers Edge’s rendering engine, is a fork of Trident, which still powers Internet Explorer.

However, it’s not clear how much of Edge’s code is still based on old Internet Explorer code.

When asked, Microsoft did not give much away. They said that “Edge shares a universal code base across all form factors without the legacy add-on architecture of Internet Explorer. Designed from scratch, Microsoft does selectively share some code between Edge and Internet Explorer, where it makes sense to do so.”

Many security researchers say that overlapping libraries are where you get vulnerabilities that aren’t specific to either browser. When you’re working on a project as large as a major web browser, it’s highly unlikely that you would throw out all the project-specific code and the underlying APIs that support it, so a lot of the APIs a web browser uses will still be common between the browsers. If you load Microsoft Edge and Internet Explorer on a system, you will notice that both of them load a number of overlapping DLLs.

The big question is how much of that Internet Explorer code remains in Edge and, crucially, whether any of that code is connected to the overlapping flaws found in both browsers that pose a risk to Edge users.
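The overlapping DLLs mentioned above can be listed directly on a Windows 10 machine with both browsers running. This PowerShell snippet is an added example, not part of the original article; the process names `iexplore`, `MicrosoftEdge` and `MicrosoftEdgeCP` are assumptions about how Internet Explorer and the legacy Edge appear in the process list.

```powershell
# Added example: list DLLs loaded by both Internet Explorer and legacy Edge.
# Process names below are assumptions; adjust them to what Task Manager shows.
$ieNames   = @('iexplore')
$edgeNames = @('MicrosoftEdge', 'MicrosoftEdgeCP')

function Get-LoadedModulePath {
    param([string[]]$Name)
    # -Module returns one ProcessModule per loaded image. Processes that
    # cannot be opened raise non-terminating errors, which are skipped here.
    Get-Process -Name $Name -Module -ErrorAction SilentlyContinue |
        Where-Object { $_.FileName -like '*.dll' } |
        ForEach-Object { $_.FileName.ToLowerInvariant() } |
        Sort-Object -Unique
}

$ie   = @(Get-LoadedModulePath -Name $ieNames)
$edge = @(Get-LoadedModulePath -Name $edgeNames)

if (-not $ie -or -not $edge) {
    Write-Warning 'Start both browsers first; one of them exposed no modules.'
    return
}

# Keep only paths present in both sets (SideIndicator "==").
$shared = Compare-Object -ReferenceObject $ie -DifferenceObject $edge `
              -IncludeEqual -ExcludeDifferent |
          Select-Object -ExpandProperty InputObject

# Show name, file version and path so shared components can be matched
# against the files listed in a given month's security update.
$shared | ForEach-Object {
    $info = (Get-Item -LiteralPath $_).VersionInfo
    [pscustomobject]@{
        Module  = Split-Path -Path $_ -Leaf
        Version = $info.FileVersion
        Path    = $_
    }
} | Sort-Object Module | Format-Table -AutoSize

'{0} shared DLLs ({1} in IE, {2} in Edge)' -f @($shared).Count, $ie.Count, $edge.Count
```

Many of the shared entries will be generic Windows system libraries, so the result shows which components a patch can affect in both browsers, not how much Internet Explorer code Edge contains.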

The bottom line is that it’s hard, if not impossible, to say whether one browser is more or less secure than another.

A “critical” patch, which fixes the most severe of vulnerabilities, is a moving scale and has to consider the details of the flaw, as well as whether it’s being exploited by attackers. With an unpredictable number of flaws found each month, coupled with their severity ratings, a browser’s security worth can vary month by month.

As history has shown us, in the last 5 years the Edge browser had no fewer than 615 security vulnerabilities, and Internet Explorer had almost double that: 1030.

Microsoft’s decision to adopt the Chromium open-source code to power its new Edge browser could mean a sooner-than-expected end of support for Internet Explorer and the end of support for the code-base it shares with the “old” Edge browser. And that’s a good thing for the security of users who only use the browser provided by the operating system itself (7.76% – Microsoft Edge, 5.45% – Internet Explorer as of April 2020).