The Microsoft Browser Vulnerability Research team is experimenting with a new mode that significantly reduces the attack surface a modern web browser such as Microsoft Edge presents to the hacker world. Thus, "Super Duper Secure Mode" (SDSM) is now available for Edge preview testers -- in the Canary, Dev and Beta rings to try out. In brief, SDSM does its magic by disabling JIT Javascript acceleration, and a sprinkling of other "new security mitigations" to significantly fortify Microsoft's signature browser.
Microsoft's researchers have fathomed that modern JIT techniques (designed to speed up JavaScript engines from the likes of Google, Mozilla, Microsoft, and others), are a major source of CVEs (Common Vulnerabilities and Exposures). According to their investigations, 45 per cent of browser CVEs are related to JIT Java.
So, you can disable JIT to get a more secure browser, but what about the impact on performance? Microsoft noticed that the only major speedbump for its JIT disabled browser was in benchmarks like Speedometer 2.0. In reviewing anecdotal experiences, Microsoft found that "users with JIT disabled rarely notice a difference in their daily browsing." Perhaps more importantly, in various tests of browser performance like memory use, page load and startup times, and power usage the picture was mostly positive. The worst stats seem to be with the potential of a ~17 per cent slowdown in complex page load times. However, depending on the content, page loads might be nearly 10 per cent faster.
Admittedly the balance of positives and negatives is quite complex, so Microsoft is testing this now, as are Insiders in the aforementioned programs. There are some further side-benefits to disabling Java JIT. The devs reveal that mitigation technologies such as Controlflow-Enforcement Technology (CET) from Intel, and Arbitrary Code Guard (ACG) couldn't play nicely with JIT enabled – but without it, they can be toggled on to "make exploitation of security bugs in any renderer process component more difficult".
SDSM is definitely still at an experimental stage, but shows encouraging signs. Microsoft is typically rather proud of the speed and responsiveness of Edge, so it will probably try and offer the best of both worlds with this new SDSM implemented, alongside optimizations to reduce/eliminate any JIT disabling impacts. Remember that security seems to be a renewed focus of the company with its Windows 11 minimum requirements.