Microsoft Edge's Enhanced Security Mode was designed as the ultimate defense when browsing unfamiliar websites. By disabling JIT compilation and forcing all WebAssembly code through an interpreter called DrumBrake, Microsoft promised protection against the most common classes of browser exploitation. The irony? This security feature became a massive attack surface itself.
Over the past year of continuous research, we discovered and reported 23 remote code execution vulnerabilities in DrumBrake, completely defeating every security guarantee that Enhanced Security Mode promises. Our findings span multiple vulnerability classes: type confusion bugs arising from incorrect WebAssembly GC reference handling, out-of-bounds memory access due to flawed reference stack index calculations, use-after-free conditions caused by missing garbage collection write barriers, and critical control flow errors where the interpreter simply forgot to stop executing.
This talk provides a comprehensive technical deep-dive into DrumBrake's architecture, our systematic vulnerability hunting methodology, and complete exploitation chains that transform subtle interpreter bugs into arbitrary code execution. We will demonstrate how a single overlooked function call, how a duplicated index calculation, and how an incorrect calling sequence each independently led to full browser compromise. All 23 vulnerabilities have been patched by Microsoft, and this research earned recognition in Microsoft's security researcher acknowledgements for nearly a year straight.
www.offensivecon.org
