With Edge inheriting one-quarter of Internet Explorer's flaws, is it any more secure? By Zack Whittaker for Zero Day

Sunday, January 3, 2016

Microsoft Edge, the company's new browser, has more in common with Internet Explorer than you might think -- especially when it comes to security flaws.

An analysis of the last five months' worth of monthly software updates shows that Edge had 25 vulnerabilities shared with versions of Internet Explorer, which had a total of 100 vulnerabilities.
Earlier this month on its scheduled Patch Tuesday update offering, Microsoft released MS15-124, a cumulative update for Internet Explorer, and MS15-125, a near-identical patch for Edge. Of the 15 flaws patched in Internet Explorer, 11 of those were also patched in Edge.

Four additional bugs in December's monthly update list were unique to Edge, and did not affect Internet Explorer.

December saw the highest number of patched vulnerabilities since Edge was released in Windows 10 earlier this year.

With a quarter of all IE bugs affecting Edge, at least one commentator questioned if Edge was built on a "rotten old foundation." Given that the number of vulnerabilities found in Edge is far below Internet Explorer, it's reasonable to say Edge looks like a more secure browser. But is Edge really more secure than Internet Explorer?

According to a Microsoft blog post earlier this year, the software giant's newest browser, an exclusive for Windows 10, is said to have been designed to "defend users from increasingly sophisticated and prevalent attacks."

In doing that, Edge scrapped older, insecure, or flawed plugins or frameworks, like ActiveX or Browser Helper Objects. That already helped to cut a number of possible drive-by attacks traditionally used by attackers. EdgeHTML, which powers Edge's rendering engine, is a fork of Trident, which still powers Internet Explorer.

However, it's not clear how much of Edge's code is still based off old Internet Explorer code.
When asked, Microsoft did not give much away. In a statement that we snipped for clarity, a spokesperson said:

"Edge shares a universal code base across all form factors without the legacy add-on architecture of Internet Explorer. Designed from scratch, Microsoft does selectively share some code between Edge and Internet Explorer, where it makes sense to do so."

Tyler Reguly, manager of security research and development at security firm Tripwire, explained in an email that overlapping libraries are where you get vulnerabilities that aren't specific to either browser.

"When you're working on a project as large as a major web browser, it's highly unlikely that you would throw out all the project specific code and the underlying APIs that support it, there's bound to be overlap in these situations," he said.

"There are a lot of APIs that the web browser will use that will still be common between the browsers. If you load Microsoft Edge and Internet Explorer on a system, you will notice that both of them load a number of overlapping DLLs," he said.

Dan Caselden, manager of research science at FireEye, said if the same bug is patched between the two browsers, it's typically because of shared code.

"A few here and there could be because of the same error introduced into two different implementations -- such as a design level flaw," said Caselden, "but I'd wager that occurs infrequently."

The big question is how much of that Internet Explorer code remains in Edge, and crucially, if any of that code has any connection to the overlap of flaws found in both browsers that poses a risk to Edge users.

The bottom line is that it's hard, if not impossible, to say whether one browser is more or less secure than another.

The "critical" rating, given to patches that fix the most severe of vulnerabilities, is a moving scale: it has to consider the details of the flaw, as well as whether it's being exploited by attackers. With an unpredictable number of flaws found each month coupled with their severity ratings, a browser's security worth can vary month by month.

Older versions of Internet Explorer will be retired by mid-January, giving millions of users about a month to upgrade to Internet Explorer 11, or to Edge on Windows 10.