
Microsoft Edge security updates target Windows 10 web-based attacks

Microsoft will improve Edge browser security to ward off cross-site scripting and content-injection web-based attacks. Content Security Policy Level 2 support is coming in April.

Microsoft Edge security improvements aim to protect Windows 10 shops against web-based attacks.

The biggest security vulnerability IT professionals worry about is the activity of their users. A growing concern is users visiting compromised websites or clicking links that attempt to download and install malicious content onto their PCs. The Windows 10 Creators Update will bring to the Edge browser support for Content Security Policy Level 2 (CSP2), a tool developers use to ward off web-based attacks.

"The risk is growing," said Dominic Namnath, CIO at Tri-Counties Regional Center, a nonprofit in Santa Barbara, Calif., that supports Windows 10. "The website vulnerability and user vulnerability is being exploited, so any protection helps. The user is our weakest link."

One example of a web-based attack is content injection, in which hackers replace legitimate content on a trusted website with malicious content, or slip malicious content in alongside it. Cross-site scripting attacks are similar, but involve web applications.

CSP2 helps prevent these attacks by letting the browser approve the contents of a website before it loads. CSP2 places values called nonces throughout the code of a webpage; they act as tokens for the browser to approve. Page content that carries the expected tokens will load in the browser. Content that doesn't is treated as compromised and not loaded.
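As an added illustration (not code from the article or from Microsoft), the nonce mechanism described above simulated in Python: the server issues a fresh nonce in its policy, and a small parser applies the browser's rule to each script tag of a constructed page, where the developer's script carries the nonce and an injected one does not. The policy string, the sample page and the function names are constructed for this example.

```python
import secrets
from html.parser import HTMLParser


def make_nonce() -> str:
    """Fresh, unpredictable nonce for one HTTP response; never reuse it across responses."""
    return secrets.token_urlsafe(16)


def csp_header(nonce: str) -> str:
    """Value of the Content-Security-Policy header the server sends with the page."""
    return f"default-src 'self'; script-src 'nonce-{nonce}'"


def allowed_nonces(policy: str) -> set:
    """Collect the nonce values listed in the script-src directive of a policy."""
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0] == "script-src":
            return {p[len("'nonce-"):-1] for p in parts[1:]
                    if p.startswith("'nonce-") and p.endswith("'")}
    return set()


class ScriptAudit(HTMLParser):
    """Applies the browser's rule to every <script> tag: load only if its nonce is approved."""

    def __init__(self, nonces: set):
        super().__init__()
        self.nonces = nonces
        self.decisions = []  # (script label, allowed?)

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attr = dict(attrs)
        label = attr.get("id") or attr.get("src") or "inline"
        self.decisions.append((label, attr.get("nonce") in self.nonces))


def enforce(policy: str, document: str) -> list:
    """Return the load/block decision for each script, as a CSP2 browser would make it."""
    audit = ScriptAudit(allowed_nonces(policy))
    audit.feed(document)
    return audit.decisions


def build_demo_page(nonce: str) -> str:
    """Constructed sample page: one legitimate script carrying the nonce, one injected without it."""
    return (f'<html><body><script id="app" nonce="{nonce}">initApp();</script>'
            '<script id="injected">alert("injected content");</script></body></html>')
```

Running `enforce(csp_header(n), build_demo_page(n))` with a fresh nonce `n` yields `[("app", True), ("injected", False)]`: the developer's script loads and the injected one is blocked.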

With this Microsoft Edge security capability, the browser can protect users who are under threat from these attacks without them even knowing it. 

"Nine out of 10 times, breaches are caused by internal users doing something," said Doug Grosfield, president and CEO of Five Nines IT Solutions, an IT consultancy in Kitchener, Ont. "Most of the interaction with resources outside of your network is through a browser, so it's important for Microsoft to build upon browser security."

Layered protection key as threats rise


Web-based attacks are getting more serious, sophisticated and tougher to avoid. It's important for vendors to build protections into their browsers, because not every organization or end user invests in the right security software themselves, said Robby Hill, founder and CEO of HillSouth, a Microsoft partner in Florence, S.C.

"Whether it's for email or web browsing, it's important to make what [employees] use more trusted," Hill said.

Zeus Kerravala, founder and principal analyst at ZK Research in Westminster, Mass., agreed.

"From a Microsoft perspective, given that they are trying to make Edge the corporate browser of choice, building these protections is certainly the right thing to do," he said. "IT people need to realize that even the most naive person in the company has a browser and email."

IT can do its part by taking a layered approach to security, Grosfield said.

"Don't put your eggs in one basket," he said. "You need to have the right patches in place, use perimeter and endpoint security protections and implement the right policies."

The new version of Edge, with CSP2 support, is available now as a preview to members of the Windows Insider Ring - Fast program. It will be generally available through the Windows 10 Creators Update in April.
