Microsoft is updating the Edge web browser to ensure it no longer loads saved passwords into process memory in clear text at startup. This decision comes after security researcher Tom Jøran Sønstebyseter Rønning disclosed the behavior on May 4, demonstrating that all credentials stored in the Edge built-in password manager were decrypted on launch and kept in memory even when not in use.
Rønning also released a proof-of-concept (PoC) tool that would allow attackers with Administrator privileges to dump passwords from other users' Edge processes. He reported the issue to Microsoft, which initially stated that the behavior was by design. However, Microsoft has since announced that future versions of Edge will no longer load saved passwords into memory on startup.
Background on the Issue
According to Rønning, Edge is the only Chromium-based browser that behaves in this way. By contrast, Chrome uses a design that makes it far harder for attackers to extract saved passwords by simply reading process memory. Microsoft's initial response to the issue was that it was an expected feature of the application.
However, Microsoft Edge Security Lead Gareth Evans announced on Wednesday that the company is taking a broader view of security, looking not only at whether something meets the bar for a security issue but also at where exposure can be reduced through defense-in-depth improvements. In this case, reducing the exposure of passwords in memory is a practical step in that direction.
Fix and Rollout
The fix is already live in the Edge Canary channel and will be included in the next update for all supported Edge releases (build 148 and newer). This change will come to every supported version of Edge, including Stable, Beta, Dev, Canary, and the Extended Stable channel used by enterprise customers.
Microsoft's commitment to the Secure Future Initiative and customer feedback has driven this decision. The company is prioritizing the rollout of this update to ensure that users are protected as soon as possible.
Related Security Efforts
Last year, Microsoft introduced a new Edge security feature to protect users against malicious extensions sideloaded into the web browser. The company also restricted access to Edge's Internet Explorer mode after hackers began leveraging zero-day exploits in the Chakra JavaScript engine to access target devices.
These efforts demonstrate Microsoft's ongoing commitment to improving the security of its products and protecting its users. By addressing the issue of password storage in Edge, Microsoft is taking a significant step towards reducing the risk of password exposure and protecting its users' sensitive information.
- Microsoft Edge will no longer load saved passwords into memory on startup.
- The fix is already live in the Edge Canary channel and will be included in the next update for all supported Edge releases.
- Microsoft is prioritizing the rollout of this update to ensure that users are protected as soon as possible.
With our commitment to the Secure Future Initiative and customer feedback, we are taking a broader view. That means looking not only at whether something meets the bar for a security issue, but also at where we can reduce exposure through defense-in-depth improvements. - Gareth Evans, Microsoft Edge Security Lead
Source: BleepingComputer