THE TIBERIUM BLOG - recent events, threats, and all things cyber

Jitterbug

This week we are starting out with something unapologetically geeky, which shows a fresh attitude to platform development at Microsoft and if you are anything like us, has the capability of sending you down a rabbit hole for an afternoon at least. 

This week Jonathan Norman, the vulnerability research lead for Microsoft Edge (we are still gruntled about the demise of Internet Explorer) posted that Microsoft is considering removing the JavaScript Just In Time compiler from MS Edge. 

For those of you who are not familiar with JIT compilation or ‘speculative optimisation’ as it is sometimes called, Jit compilers were introduced into browsers around 2007-2009 (depending on how long ago you can remember or who you ask)  and were designed to optimise and accelerate in browser activity, making things like animation, games and the rest doable on machines of that time. 

Using very complex processing flows, JIT compilers turn JavaScript (which is loosely typed and often poorly written) into machine code just before it is needed. JIT technology is now so good that it accelerates JavaScript performance to that of coupled C++ code. 

This all sounds great, but this acceleration is so complex that very few people on the planet understand it or want to understand it, and that complexity often comes at the cost of security

Microsoft claims that over 40% of CVE’s raised against Edge are related to JIT, and that is no longer acceptable. 

Enter stage right the nattily named new security mode for Edge: ‘Super Duper Secure Mode’. It is not April the first, we are not joking: ’Super Duper Secure Mode’. Will the programmer last to leave please tidy the crayons away. 

Super Duper mode currently disables JIT, which is not really necessary on today’s faster processors, but almost certainly makes a difference on smaller devices, like err phones. New features are also becoming available that make changes deep under the hood promising a more secure browsing experience. 

Duper Scooper mode is already within Edge. Take a look at the dark arts by typing ‘edge://flags/#edge-enable-super-duper-secure-mode’ into your edge browser then wait for your eyes to cross and you begin to feel a little bit inferior with a major dose of imposter syndrome. 

In researching this, we came across a number of scholarly articles on the methodologies and techniques for attacking JIT compilers, and that, dear readers, was the entrance to the rabbit hole.  

If you are interested in the subject, have some time on your hands and some painkillers or a shotgun by your side, we would point you in the direction of this piece by NCC which illustrates (if you don’t understand anything else) just how complicated things we take for granted can be and how they can be used by people who do understand them for nefarious porpoises. Enjoy

OK. Back in the land of normal mortals, this week the wonderful NCSC reiterated its point, which has been recommended for five years, that a password made up of three random words is, in fact, more secure than randomly generated or human-generated complex passwords because the latter lead to writing passwords down, simplifying the password to a variation of something the user knows but passes the complexity test, etc.  

In order to prove its point the NCSC has released this post which is something we very much support, you may well have seen a Linkedin post from our Chief this week. 

Tiberium provides managed security services (FROST and MYTHIC) which of course we would love to show you. With automated deployment, best practice configuration at deployment time and automated response and collaboration using Microsoft Teams, we believe our services are the best available. We are also very passionate and know a little bit about most aspects of security. Something we can back up with years and years and years of experience.   

Frost and Mythic
FROST & MYTHIC

We would very much like to talk to you, so please contact us for a good old chinwag. 

Now the song. Jitterbug isn’t a song, it is a term for swing dancing. It is however the first four words of Wham’s fantastic Wake Me Up Before You Go-Go.  

Everything will be alright. 

Blog subscription banner
Share on: