With Edge inheriting one-quarter of Internet Explorer's flaws, is it any more secure?

The software giant is pushing users away from old versions of Internet Explorer. But how secure, based on vulnerabilities, is Windows 10's new browser?


Microsoft Edge, the company's new browser, has more in common with Internet Explorer than you might think -- especially when it comes to security flaws.

An analysis of the last five months' worth of monthly software updates shows that Edge had 25 vulnerabilities shared with versions of Internet Explorer, which had a total of 100 vulnerabilities.


Earlier this month on its scheduled Patch Tuesday update offering, Microsoft released MS15-124, a cumulative update for Internet Explorer, and MS15-125, a near-identical patch for Edge. Of the 15 flaws patched in Internet Explorer, 11 of those were also patched in Edge.

Four additional bugs in December's monthly update list were unique to Edge, and did not affect Internet Explorer.

December saw the highest number of patched vulnerabilities since Edge was released in Windows 10 earlier this year.

With a quarter of all IE bugs affecting Edge, at least one commentator questioned whether Edge was built on a "rotten old foundation."

Given that the number of vulnerabilities found in Edge is far below Internet Explorer's, it's reasonable to say Edge looks like a more secure browser. But is Edge really more secure than Internet Explorer?

According to a Microsoft blog post earlier this year, the software giant's newest browser, an exclusive for Windows 10, is said to have been designed to "defend users from increasingly sophisticated and prevalent attacks."

In doing that, Edge scrapped older, insecure, or flawed plugins or frameworks, like ActiveX or Browser Helper Objects. That already helped to cut a number of possible drive-by attacks traditionally used by attackers. EdgeHTML, which powers Edge's rendering engine, is a fork of Trident, which still powers Internet Explorer.

However, it's not clear how much of Edge's code is still based off old Internet Explorer code.

When asked, Microsoft did not give much away. In a statement that we snipped for clarity, a spokesperson said:

"Edge shares a universal code base across all form factors without the legacy add-on architecture of Internet Explorer. Designed from scratch, Microsoft does selectively share some code between Edge and Internet Explorer, where it makes sense to do so."

Tyler Reguly, manager of security research and development at security firm Tripwire, explained in an email that overlapping libraries are where you get vulnerabilities that aren't specific to either browser.

"When you're working on a project as large as a major web browser, it's highly unlikely that you would throw out all the project specific code and the underlying APIs that support it, there's bound to be overlap in these situations," he said.


"There are a lot of APIs that the web browser will use that will still be common between the browsers. If you load Microsoft Edge and Internet Explorer on a system, you will notice that both of them load a number of overlapping DLLs," he said.
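The DLL overlap Reguly describes is something an administrator can check directly. The PowerShell script below is an added example, not code from the article or from Microsoft: with both browsers running, it lists the modules each has loaded and reports the ones they have in common. It assumes the process names MicrosoftEdge and MicrosoftEdgeCP for Edge's host and content processes and iexplore for Internet Explorer, and it needs an elevated prompt to read another process's module list.

```powershell
# Added example (not from the article): report DLLs loaded by both Edge and IE.
# Assumptions: process names 'MicrosoftEdge'/'MicrosoftEdgeCP' (Edge) and
# 'iexplore' (Internet Explorer); both browsers are running; the prompt is
# elevated. Modules are matched by file name, case-insensitively.
function Get-LoadedModules {
    param([string[]]$ProcessName)
    Get-Process -Name $ProcessName -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Reading .Modules throws for processes we are not allowed to inspect.
            try { $_.Modules } catch { @() }
        } |
        Group-Object { $_.ModuleName.ToLowerInvariant() } |
        ForEach-Object {
            [pscustomobject]@{
                Name = $_.Name
                Path = $_.Group[0].FileName
            }
        }
}

$edgeModules = @(Get-LoadedModules -ProcessName 'MicrosoftEdge', 'MicrosoftEdgeCP')
$ieModules   = @(Get-LoadedModules -ProcessName 'iexplore')

if ($edgeModules.Count -eq 0 -or $ieModules.Count -eq 0) {
    Write-Warning 'Start both Edge and Internet Explorer and run this from an elevated prompt.'
    return
}

# -IncludeEqual -ExcludeDifferent keeps only the names present in both lists.
$sharedNames = Compare-Object -ReferenceObject $edgeModules.Name `
                              -DifferenceObject $ieModules.Name `
                              -IncludeEqual -ExcludeDifferent |
    Select-Object -ExpandProperty InputObject

$shared = $edgeModules | Where-Object { $sharedNames -contains $_.Name }

'Edge modules: {0}  IE modules: {1}  shared: {2}' -f $edgeModules.Count, $ieModules.Count, $shared.Count

# Group shared modules by directory so OS-wide DLLs (System32) are easy to tell
# apart from anything shipped with the browsers themselves.
$shared | Sort-Object Path | Group-Object { Split-Path $_.Path -Parent } |
    ForEach-Object {
        "`n[$($_.Name)]"
        $_.Group | ForEach-Object { "  $($_.Name)" }
    }
```

The directory grouping matters when reading the result: every Windows process loads a core set of system DLLs, so a DLL that both browsers load is only evidence of shared browser code if it is something a plain process would not load. The count alone says nothing about whether a given shared library is the source of a flaw patched in both browsers.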

Dan Caselden, manager of research science at FireEye, said if the same bug is patched between the two browsers, it's typically because of shared code.

"A few here and there could be because of the same error introduced into two different implementations -- such as a design level flaw," said Caselden, "but I'd wager that occurs infrequently."

The big question is how much of that Internet Explorer code remains in Edge, and crucially, if any of that code has any connection to the overlap of flaws found in both browsers that poses a risk to Edge users.

The bottom line is that it's hard, if not impossible, to say whether one browser is more or less secure than another.

A "critical" rating, reserved for the most severe vulnerabilities, is a moving scale: it has to take into account the details of the flaw, as well as whether it is being exploited by attackers. With an unpredictable number of flaws found each month, and severity ratings that vary with them, a browser's security standing can change month by month.

Older versions of Internet Explorer will be retired by mid-January, giving millions of users about a month to upgrade to Internet Explorer 11, or to Edge on Windows 10.