Microsoft wonders if disabling just-in-time compilation of JavaScript improves browser security

Microsoft is conducting an experiment it hopes will improve browser security – by making its Edge offering worse at running JavaScript. As explained in a post by Johnathan Norman, the vulnerability research lead for Microsoft Edge, JavaScript is the juiciest target when trying to crack a browser – because engines like Google's …

  1. Anonymous Coward

    I have an easier fix...

    I configured my browser to never run JavaScript in the first place. There, security door closed, barred, & welded shut. Job done.

    1. Anonymous Coward

      Re: I have an easier fix...

      That's similar to how I protect myself from car crashes. I never travel in an automobile. Likewise I know I'll never get food poisoning because I've stopped eating!

      But seriously, if you don't run JavaScript in your browser you're not using 95% of the web. That's your choice, but your post implied that you still had a use for your browser. I guess you spend a lot of time on the wayback machine....

      1. Geez Money

        Re: I have an easier fix...

        I'm not sure how you came to this but most sites work fine or with minimal degradation without JavaScript. There are poorly written sites which fail to and some web apps genuinely need it, but for the most part not any you'd miss. HTML5 continues to narrow that gap too.

        1. Anonymous Coward

          Re: I have an easier fix...

          "Most sites" is not a useful description. If your bank's website uses JS then you need to use JS or go to the ATM or teller window. If you use the Github website you need JS.

          If you need to do route planning with specialized interactive maps as used by various kinds of sporting sites (hiking, bicycling), then you need JS. The same for weather, fire, and smoke maps.

          As far as the content of this article goes, JIT optimization is probably not critical to using a bank site or the Github site. JS is only barely used, and the display is nearly static.

          On the other hand, for the dynamic map related sites, JIT probably makes a huge difference.

          As it so happens, security is critical for the former (banks, Github), and not for the latter (maps). So the ability to turn off JIT per site would be a practical security feature with low user inconvenience.

          Nevertheless, insecure actions can leak out from any site and go as far as reading arbitrary data in OS memory (Meltdown and Spectre). If that is your criterion, then JS in a browser should never be used on a system with vulnerable information. Even running JS in a browser on a dedicated separate computer isn't enough because it will be necessary to enter passwords for various sites into that browser, and those passwords can then be snooped.

          An intermediate strategy would be always running a browser in a sandbox which is isolated from the main file system, the clipboard, and also from the main X screen buffer. I've actually done that out of curiosity using linux containers, but the UI was ugly. A container based system with (file system, clipboard, X buffer) isolation and with all the ugliness ironed out would be a great help. Executable in a single line `run-isolated <browser or app>`. Even if it used an extra 4GB.

      2. bellcore

        Re: I have an easier fix...

        You can use addons like uMatrix/NoScript to block it by default and whitelist only specific subdomains.

        1. ecofeco Silver badge

          Re: I have an easier fix...

          This.

      3. chasil

        Android: easy fixes

        The "Bromite" browser, a Chromium fork that removes privacy-averse functionality, has the following setting:

        "Disable JIT: Improve security at the expense of performance by not compiling JavaScript to native code (requires browser restart)."

        https://www.bromite.org/

        Gee, I wonder where Microsoft came up with the idea.

        If you want focused control over JavaScript, use the "Privacy Browser" from F-Droid or Play, where it is disabled by default. A simple toggle will allow interactive code, or halt bad behavior.

        https://f-droid.org/en/packages/com.stoutner.privacybrowser.standard/

        1. Anonymous Coward

          Re: Android: easy fixes

          Gee, I wonder if it is so complex an idea they must have stolen it rather than it being quite simple and therefore likely lots would have the same idea.

      4. Version 1.0 Silver badge
        Unhappy

        Re: I have an easier fix...

        We hear the same viewpoint from the anti-vaxers - does "I never travel in an automobile" keep you safe when the roads are filled with cars and you walk to the shops (probably without wearing a mask)?

    2. garretmh

      Re: I have an easier fix...

      Ah yes, abstinence. “The only safe browsing is no browsing”

      1. Anonymous Coward

        Re: I have an easier fix...

        From a security standpoint, quite so. And unlike many other things from which one might abstain, life is a whole lot more enjoyable when you don't see what's being posted on the majority of javascript-"required" websites!

        1. Anonymous Coward

          Re: I have an easier fix...

          Does that include the "The Register"? All your upvotes depend upon javascript.

          They were cast thanks to this

          ```javascript
          // Vote handler from the site script, unminified and commented.
          // `link` is a jQuery object for the vote link; vote_already_cast()
          // is defined elsewhere in the same script.
          function cast_vote(link) {
              link.blur();
              if (vote_already_cast(link)) return;
              var count = get_count(link);
              // get_count() returns undefined when no numeric text node exists
              if (!count) return;
              // bump the displayed count in place and mark the vote as cast
              count.node.data = count.node.data.replace(count.value, count.value + 1);
              link.attr('data-user-vote', 'true');
          }
          ```

          and you know about it thanks to this

          ```javascript
          // Locate the vote-count text node inside the vote link.
          function get_count(link) {
              var node = link.contents().filter(function () {
                  // keep only text nodes (nodeType 3) whose content parses as a number
                  return this.nodeType === 3 && !isNaN(parseInt(this.data, 10));
              }).get(0);
              if (typeof node === 'undefined') return;
              return { 'value': parseInt(node.data, 10), 'node': node };
          }
          ```

          However, "The Register" is an example of a site where JIT is absolutely not required.

          1. Anonymous Coward

            Re: I have an easier fix...

            > Does that include the "The Register"? All your upvotes depend upon javascript

            Nope. I have Javascript disabled on El Reg, and managed to downvote your message just fine, thanks.

    3. This post has been deleted by its author

  2. Anonymous Coward

    Squeaky Lobster

    Might be a while before the silly name gets changed. After all it was many years before the "Squeaky Lobster" Exchange server registry value became the much more boring "Show Advanced Counters".

    https://techcommunity.microsoft.com/t5/exchange-team-blog/from-crush-to-product-documentation-the-story-of-squeaky-lobster/ba-p/604691

  3. Pascal Monett Silver badge
    FAIL

    Making Edge worse at running JavaScript

    Hey Microsoft, I've got a hint for you : integrate NoScript.

    Job done.

    1. Charlie Clark Silver badge

      Re: Making Edge worse at running JavaScript

      This isn't about Javascript per se but the potential vulnerabilities introduced by the JIT compiler. And, yes, the guy is right about this being incredibly complicated: modern compiler design for modern chips is extremely complicated.

  4. SsiethAnabuki

    Many missing the point

    I came here expecting the usual "NoScript/I disabled javascript" posts and was not disappointed. Along, of course, with the "If you disable JavaScript the whole internet will break" (again, not disappointed).

    And, of course, they're missing the point. Microsoft isn't attempting to mitigate every flaw in JavaScript. They, along with the majority of the world, have accepted that considerably more than 99% of users aren't going to do that because they want to use the full functionality of the web or are completely unaware/unbothered by the additional security risk of JavaScript.

    Instead Microsoft are basically targeting the folks who might hit the "secure" button if one is provided and seems to provide an acceptable level of functionality to them. I don't doubt that their marketing people are also getting all sweaty-handed about the notion of using the slogan "The most secure browsing experience" if they have the slightest excuse to use it.

    1. HildyJ Silver badge
      Boffin

      Re: Many missing the point

      You're absolutely right.

      The average user wants his shiny web and isn't going to turn off something that spoils it. I would guess that part of the experiment is to see if users even notice that Javascript elements are not being compiled just-in-time. I suspect not.

      Unless it goes Total Infrastructure Trainwreck Subverting Usability Performance, I wouldn't be surprised to see it switched on by default.

    2. Flocke Kroes Silver badge

      Re: missing the point

      > more than 99% of users aren't going to do that because they want to use the full functionality of the web

      Not sure you have found the right 99%. How about:

      A) 99% of users do not know disabling javascript is still possible.

      B) 99% of users do not know how much better many sites work with javascript disabled.

      C) 99% of users do not know when a site shows an almost blank page with "javascript required" there will often be other sites that are more useful and work fine without javascript.

      I am fairly sure I still have it wrong:

      A) 99% of users do not know how to bookmark a link, use a web search instead and arrive at a scam/scalper site half the time.

      B) 99% of users do not know that it is possible to configure a browser at all let alone why they would want to.

      C) 99% of users do not know how to change the default browser and end up with the one provided by the most dishonest ad-seller. (dishonest can apply to ad or seller)

      I am glad Microsoft have taken half a step towards sanity. I am glad a few of the 99% will still get some option to configure their browser towards security without making all the effort that the other 1% need to make.

    3. ecofeco Silver badge

      Re: Many missing the point

      The whole point is why is JS even necessary to make a website?

      Hint: it isn't.

  5. sreynolds Bronze badge

    Maybe they shouldn't wonder so loudly...

    Sometimes it's best to talk things out with a trusted friend before posting on a blog.

    1. amanfromMars 1 Silver badge

      Re: Maybe they shouldn't wonder so loudly... on Special Deliveries

      > Sometimes it's best to talk things out with a trusted friend before posting on a blog.

      Always is it best to talk things out with trusted friends on/in a blog before posting into blogs.

      Words Create, Command and Control and Destroy Worlds. Share Strings of Them Wisely is Perfect Advice.

      Something for the Weekend? .....Is Boris Prepared for Quantum Leaping into VAIOSystems? ARMed Virtually Advanced IntelAIgent Operating Systems.

      A Complex Question to Satisfyingly Answer in Deed, indeed. :-) ...... in Order to be Fully Deserved of ITs Immaculate Aided Prizes/COSMIC* Surprises.

      COSMIC* .. Control Of Secret Materiel in an Internetional Command

      That's a colossal leap to make, Boris, .... but it is expected of you. Was there ever more Comfort Afforded by such Information for Future IntelAIgents.

      Open Heavens Doors and All Paths from Almighty Destinations for Retracing Again Back Unto Source of Journey Supply Stretch Out before One and All.

      You can think of that as one vast level virgin playing field where Global Operating Devices Mine and Mind Source of Future Supply for Supply of Future Source with Great Game Theatres of Remote Virtual Operation to Visit and Enjoy ...... Prime Ministerially Present for Universal Display.

      Hmmm? I wonder what the Don, Dominic Cummings would propose to suggest be done pdq? Jump and be done with it, would be wise ... given the guaranteed result.

      Now whether UKGBNI Secret Intelligence Services Provide All Vital Linker Services for Live Future Applications is something yet to be established here about there, but where there's a Will there's a Way via Ye Olde Sterling Stirling Stalwart Service Exercising and Exalting Royal Prerogative Terrained Territories.

      And that's as much as needs to be said for now, and quite a great deal more than was expected to be planned and shared here no more than an hour ago. :-) Crikey. I've only gone and given myself too a heck of a lot to be thinking about doing. :-) How brilliant is that. To assemble all the bones of a Future Being.

      1. amanfromMars 1 Silver badge

        Re: Maybe they shouldn't wonder so loudly... on Special Deliveries

        And the just-wait-and-see-if-anything-novel-and-totally-unexpected-happens model of systems administrations security is catastrophically vulnerable to the 0day exploitations and exports of the-future-shape-of-intelligently-designed-things-to-come virtual machine which does not need nor feed dead wood input/established failing program output.

        Failure to realise and make provision for that change of smarter driver emphasis, and especially so whenever the change is not an unshared top secret, surely has one having to accept, as unpleasant and inconvenient as it may be, that a lack of shared future intelligence has extraordinarily rendered one as practically ignorant prey to what is in stores to bring ........ and such is the endemic condition of the common systemic human failing.

        And to deny it is a futile act of hubris in support of the blissfully delusional .... and quite worthy of the certifiably insane in extremis.

      2. amanfromMars 1 Silver badge

        Re: Maybe they shouldn't wonder so loudly... on Special Deliveries

        Hmmm? Seems like Special Deliveries have a Foreign Fan Deeply Embedded in the Wacky Wild West ............ Pentagon believes AI can predict world events.

        Impertinent perfect common sense would dictate that rapid guaranteed mutually advantageous otherworldly progress is assured if there be the likes of JOINT* Friendly Competition in Operational Fields of Endeavour and Reward.

        However, and it is to be gravely regarded, it is both a catastrophic intelligence and leadership failure to suggest there be any ACTive JOINT Enterprise Opposition ..... for such only quickly results in the Worthy Demise of the Prime Targeted Drivers of a Worthless Novel Enemy. I Kid U Not.

        * ..... Joint Operations Internetworking Novel Technologies

  6. bellcore

    Cunning like a fox

    You can already do this in Firefox. Just go to about:config and disable javascript.options.baselinejit
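As an added defender-side check (not from the comment above, not Mozilla's code): a script that reads a Firefox profile's prefs.js/user.js and reports whether the baseline JIT (`javascript.options.baselinejit`, the pref named above) and the optimising Ion tier (`javascript.options.ion`) are switched off. The pref names are real Firefox prefs; the sample prefs text is constructed.

```python
"""Report the state of Firefox's JIT prefs from a profile's prefs files.

Constructed example. Parses lines of the form  user_pref("name", value);
from prefs.js / user.js and resolves the two JIT toggles against their
defaults (both are enabled by default in Firefox)."""
import re
from pathlib import Path

PREF_RE = re.compile(r'^\s*(?:user_)?pref\("([^"]+)",\s*(true|false|-?\d+|"[^"]*")\);')

JIT_PREFS = {
    "javascript.options.baselinejit": True,   # baseline JIT tier, default on
    "javascript.options.ion": True,           # optimising (Ion) tier, default on
}

def parse_prefs(text):
    """Return {pref_name: typed_value} from prefs.js / user.js content."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue   # comments, blank lines, anything else
        name, raw = m.group(1), m.group(2)
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"'):
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw)
    return prefs

def jit_status(prefs):
    """Map each JIT pref to its effective value (profile value or default)."""
    return {name: prefs.get(name, default) for name, default in JIT_PREFS.items()}

def jit_fully_disabled(prefs):
    """True only when every JIT tier has been explicitly turned off."""
    return not any(jit_status(prefs).values())

def check_profile(profile_dir):
    """Merge prefs.js (saved state) and user.js (overrides applied at startup)."""
    merged = {}
    for fname in ("prefs.js", "user.js"):   # user.js is read last, so it wins
        p = Path(profile_dir) / fname
        if p.exists():
            merged.update(parse_prefs(p.read_text(encoding="utf-8")))
    return jit_status(merged)

# Constructed sample of what prefs.js holds after the about:config change.
SAMPLE_PREFS = '''
// Mozilla User Preferences
user_pref("browser.startup.homepage", "https://www.theregister.com/");
user_pref("javascript.options.baselinejit", false);
user_pref("javascript.options.ion", false);
user_pref("network.http.max-connections", 900);
'''

if __name__ == "__main__":
    prefs = parse_prefs(SAMPLE_PREFS)
    for name, enabled in jit_status(prefs).items():
        print("%-35s %s" % (name, "enabled" if enabled else "DISABLED"))
    print("all JIT tiers disabled:", jit_fully_disabled(prefs))
```

Point `check_profile()` at a real profile directory to audit a live install; note that `jit_status` only reflects what the prefs say, so a change made in about:config still needs the restart the browser asks for before it applies everywhere.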

    1. HildyJ Silver badge
      Happy

      Re: Cunning like a fox

      Many thanks. I wasn't familiar with that option.

    2. CrackedNoggin

      Re: Cunning like a fox

      Not much help if you can't enable it per site.

      For my selfish usage patterns, at least.

  7. Anonymous Coward

    Every time a story like this gets published The Reg readers comment in their droves about turning off Javascript. You boring bastards.

    1. Graham Dawson Silver badge
      Coat

      The only reason I haven't joined in yet is because I'm trying to figure out how to work in a complaint about systemd and IR35.

      1. Def Silver badge
        Joke

        I'm pretty sure I read somewhere that future versions of systemd will be written in Javascript to improve cross platform support. Or something.

      2. Strahd Ivarius Silver badge
        Trollface

        You'll need to have Javascript enabled to do that

      3. IGotOut Silver badge

        I've some SaaSBlockchainAILowCodeMachinLearning SoftwareDefined kit you can HaaS.

      4. Lil Endian
        Joke

        Graham, that's totally off-topic!!!

        Since you brought it up though:

        - Javascript suuuucks - use NoScript!

        - IR35 blows!

        - systemd sucks and blows at the same time - sysv forevaaaah!

        (Thanks for setting that up! lol)

        Seriously though, I was trying to do my tax returns with that accursed IR35 overhead, but couldn't cos Javascript was disabled by NoScript. I tried to enable JS for the site, but systemd wouldn't recognise the command "systemctl enable javascript" which is rubbish! I knoooow sysv could eeeaasily do that!!!

    2. ecofeco Silver badge

      Because it bears repeating. JS is unnecessary cruft. It's bloat. It's just more crap hogging bandwidth.

      Modern website design trends are utter shit.

  8. Anonymous Coward

    Marketing will love this

    Google will post speed and battery life comparisons in their next advert, I guess…

  9. A-nonCoward
    Facepalm

    obviously, NoScript, doh

    And yes indeedy, way too many badly coded websites everywhere, which, if I *must* access, after the due dance with kittens above my head, I open Chrome and use that. JavaScript is a crutch, y'all scriptkiddies everywhere, here, I said it. IMHO not better than Flash, as to adding value. Seldom, or ever, in any of the websites that I need, does it really improve usability, way to the contrary. Gaming? sure. Other addiction-inducing web content? why not! Standard informative, education, business sites, especially banking, glad when it's obvious that a good coder was involved and kept the pox away.

    Using Edge without JS? anyone who has a bit of choice and has the very basic savvy will not use Edge, to begin with. 2) those who still use Edge probably are the kind of people that use sites like Pinterest, which will not run without JS, so this block is a non-starter. I am starting to feel that this whole announcement is sort of a troll.

    OTOH, for my work, sometime I must include JS, because I must. Makes for mixed feelings about it...

    1. Anonymous Coward

      Re: obviously, NoScript, doh

      But the article topic is not no-JS, it is disabling JS-JIT, on a per site basis, a different matter.

      For a site like "The Register", there is no need for JS-JIT. Same for nearly any almost static site. That includes banking sites.

  10. Anonymous Coward

    vscode in Electron

    I bet disabling JIT for Microsoft's vscode, which runs in Electron (a branch of the Chromium browser designed to be a dedicated app), and comes in a snap package on Ubuntu, would make it unusable.

    Interestingly, snap packages have the builtin ability to have a "sandbox" flag set on installation. This should keep the root file system safe (but not the user file system, I think).

    Unfortunately, if the sandbox flag is set for the vscode code snap package, vscode won't work :(

  11. Anonymous Coward

    -- What is JIT and why is useful?

    A layman's explanation: https://blog.bitsrc.io/the-jit-in-javascript-just-in-time-compiler-798b66e44143 . Basically, it detects which parts of the javascript are being run repeatedly, and creates on-the-fly compiled versions of that code. There are two levels of optimization available depending on how much the code is run: "warm" and "hot".

    -- Why is JIT vulnerable?

    An expert's explanation in an industry paper: https://www.ndss-symposium.org/wp-content/uploads/2020/02/24262.pdf

    > Data-only attacks against dynamic scripting environments have become common. Web browsers and other modern applications embed scripting engines to support interactive content. The scripting engines optimize performance via just-in-time compilation. Since applications are increasingly hardened against code-reuse attacks, adversaries are looking to achieve code execution or elevate privileges by corrupting sensitive data like the intermediate representation of optimizing JIT compilers. This has inspired numerous defenses for just-in-time compilers.

    > Our paper demonstrates that securing JIT compilation is not sufficient. First, we present a proof-of-concept data-only attack against a recent version of Mozilla’s SpiderMonkey JIT in which the attacker only corrupts heap objects to successfully issue a system call from within bytecode execution at run time. Previous work assumed that bytecode execution is safe by construction since interpreters only allow a narrow set of benign instructions and bytecode is always checked for validity before execution. We show that this does not prevent malicious code execution in practice.
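The "warm" and "hot" tier-up described in the layman's explanation above, as an added toy model (not code from any real JavaScript engine, and not part of the comment): a tiny stack bytecode is interpreted until a function has run often enough to be compiled, then recompiled with an optimisation pass; `jit_enabled=False` models the switch the article discusses, keeping everything in the interpreter. Thresholds and bytecode are constructed for illustration.

```python
"""Toy model of JIT tier-up, added as an illustration (not a real engine).
A function starts 'cold' and is interpreted; after WARM_RUNS calls it is
compiled ('warm'); after HOT_RUNS calls it is recompiled with an optimisation
pass ('hot'). With jit_enabled=False nothing is ever compiled, which is the
effect the Edge experiment and Firefox's baselinejit toggle aim for."""

WARM_RUNS = 2   # assumed thresholds; real engines use much larger, tuned values
HOT_RUNS = 5

# Stack bytecode over one argument x: ('arg',), ('push', n), ('add',), ('mul',)
def interpret(code, x):
    stack = []
    for op in code:
        if op[0] == 'arg':
            stack.append(x)
        elif op[0] == 'push':
            stack.append(op[1])
        else:                       # binary op: pop right operand, then left
            b, a = stack.pop(), stack.pop()
            stack.append(a + b if op[0] == 'add' else a * b)
    return stack.pop()

def constant_fold(code):
    """Hot-tier optimisation: fold 'push a; push b; add|mul' into one push."""
    out = []
    for op in code:
        if op[0] in ('add', 'mul') and len(out) >= 2 \
                and out[-1][0] == out[-2][0] == 'push':
            b, a = out.pop()[1], out.pop()[1]
            out.append(('push', a + b if op[0] == 'add' else a * b))
        else:
            out.append(op)
    return out

def compile_code(code):
    """'Compile' bytecode to a Python function by emitting and exec'ing source."""
    stack = []
    for op in code:
        if op[0] == 'arg':
            stack.append('x')
        elif op[0] == 'push':
            stack.append(repr(op[1]))
        else:
            b, a = stack.pop(), stack.pop()
            stack.append('(%s %s %s)' % (a, '+' if op[0] == 'add' else '*', b))
    ns = {}
    exec('def f(x): return ' + stack.pop(), ns)   # source we generated ourselves
    return ns['f']

class Engine:
    def __init__(self, jit_enabled=True):
        self.jit_enabled = jit_enabled
        self.runs, self.tier, self.native = {}, {}, {}   # per-function state

    def call(self, name, code, x):
        n = self.runs[name] = self.runs.get(name, 0) + 1
        self.tier.setdefault(name, 'cold')
        if self.jit_enabled and n == WARM_RUNS:
            self.tier[name], self.native[name] = 'warm', compile_code(code)
        elif self.jit_enabled and n == HOT_RUNS:
            self.tier[name], self.native[name] = 'hot', compile_code(constant_fold(code))
        fn = self.native.get(name)          # use the compiled version if one exists
        return fn(x) if fn else interpret(code, x)
```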

  12. Anonymous Coward

    Javascript?

    Never have to worry about that in Lynx, can just browse right over it.

    Are you sure you want to quit?

    Excellent!

  13. EricB123 Bronze badge

    Super Duper Smart Bomb

    As per a Trump statement of some sort of "top secret" weapon the USA was working on.

    My God, it's getting contagious!
