Understanding The Attack Surface and Attack Resilience of Project Spartans New EdgeHTML Rendering Engine

by Mark Vincent Yason
Sept. 19, 2017 0 comments Black Hat belen_caty Pen Testing & Audits

EdgeHTML is the new rendering engine that will power the next generation web browser (codenamed Spartan) to be introduced in Windows 10. Because EdgeHTML will be widely deployed - from Windows 10 mobile devices to PCs, it is important that we have understanding of its attack surface and its stance against exploitation. In this presentation, I'll discuss EdgeHTML's attack surface and the different methods for enumerating it. Then, I'll describe the process of comparing EdgeHTML and MSHTML to identify and understand what had changed from the forking process, and more importantly identify new features and added internal functionalities that can contribute to its attack surface. Finally, I'll discuss the exploit mitigations in place, how they help against certain classes of vulnerabilities, and discuss known bypass techniques that are still applicable.