Microsoft Reverses Course on Edge Password Exposure After Researcher Backlash

Microsoft will patch Edge to stop decrypting saved credentials into process memory at startup, reversing its earlier position that the behavior was intentional.

CSBadmin

Vulnerability Discovery and Initial Response

Security researcher Tom Jøran Sønstebyseter Rønning revealed earlier this month that Microsoft Edge’s built-in password manager decrypts every saved credential into process memory at startup, not just the ones a page actually needs. He demonstrated that an attacker with Administrator privileges could dump these cleartext passwords from other users’ Edge processes. Without admin rights, the proof-of-concept tool could still read them from Edge processes running as the same user, since on Windows a process can by default open and read the memory of other processes owned by the same account.

Rønning reported the issue to Microsoft and was initially told the behavior was “by design.” He noted that Edge was unique among Chromium-based browsers in this regard: Chrome decrypts a stored password only when it is about to be used, which makes bulk extraction from memory significantly harder.

Microsoft’s Policy Change and Fix

After initially defending the practice, Microsoft has reversed its position. The company announced that future Edge updates will stop loading saved passwords into memory at startup. While Microsoft maintains that the reported scenario sits outside its threat model, which does not cover an adversary who already has administrative control of the machine, the company cited its Secure Future Initiative and customer feedback as reasons for the change.

“Reducing the exposure of passwords in memory is a practical step in that direction,” said Microsoft Edge Security Lead Gareth Evans. The fix is already available in the Edge Canary channel and will roll out to all supported Edge versions (148 and later), including the Stable, Beta, Dev, and Extended Stable channels used by enterprise customers.
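The design difference behind the fix, as an added illustration that is not Microsoft's or Chromium's code: a toy C password store contrasting decrypt-everything-at-startup (the behavior Rønning reported) with decrypt-one-entry-on-demand-and-wipe (the direction of the fix). The XOR "cipher", the placeholder master key, the sample credentials, and the scan of the vault object standing in for a process memory dump are all constructed for the demo; a real store would use DPAPI or an AEAD, and a real dump would also see the string literals in the binary, which is why the samples are not real secrets.

```c
/* Added illustration of the design point in the article, not Microsoft Edge
 * or Chromium code. It contrasts a store that decrypts every saved password
 * into memory at startup with one that decrypts a single entry on demand and
 * wipes it after use. The XOR "cipher", the key and the sample credentials are
 * placeholders so the program runs stand-alone. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define N_ENTRIES 3
#define MAX_LEN 32

/* Constructed sample credentials, not real ones. */
static const char *const SECRETS[N_ENTRIES] = {
    "hunter2-example", "Tr0ub4dor&3-example", "correct-horse-battery"
};

/* Placeholder key standing in for the OS-protected master key. */
static const unsigned char KEY[] = "placeholder-key-not-a-secret";

typedef struct {
    unsigned char enc[N_ENTRIES][MAX_LEN]; /* ciphertext at rest: always resident */
    size_t len[N_ENTRIES];
    char plain[N_ENTRIES][MAX_LEN];        /* filled only by the eager design */
} vault_t;

/* Byte-wise XOR with the key; used for both encrypt and decrypt. */
static void xor_with_key(unsigned char *dst, const unsigned char *src, size_t n) {
    for (size_t i = 0; i < n; i++)
        dst[i] = src[i] ^ KEY[i % (sizeof KEY - 1)];
}

/* Overwrite through a volatile pointer so the compiler cannot drop the wipe
 * as a dead store (same intent as explicit_bzero / SecureZeroMemory). */
void secure_wipe(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* Load ciphertext only; no plaintext exists in the vault after this. */
void vault_init(vault_t *v) {
    memset(v, 0, sizeof *v);
    for (int i = 0; i < N_ENTRIES; i++) {
        v->len[i] = strlen(SECRETS[i]);
        xor_with_key(v->enc[i], (const unsigned char *)SECRETS[i], v->len[i]);
    }
}

/* Eager design: decrypt everything at startup whether or not it is needed. */
void vault_load_eager(vault_t *v) {
    for (int i = 0; i < N_ENTRIES; i++) {
        xor_with_key((unsigned char *)v->plain[i], v->enc[i], v->len[i]);
        v->plain[i][v->len[i]] = '\0';
    }
}

/* On-demand design: decrypt one entry into a caller buffer; the caller wipes.
 * Returns the password length, or 0 on a bad index or too-small buffer. */
size_t vault_get_lazy(const vault_t *v, int idx, char *out, size_t outsz) {
    if (idx < 0 || idx >= N_ENTRIES || v->len[idx] + 1 > outsz) return 0;
    xor_with_key((unsigned char *)out, v->enc[idx], v->len[idx]);
    out[v->len[idx]] = '\0';
    return v->len[idx];
}

/* Stand-in for a memory dump: scan the bytes of the vault object for each
 * known secret and count how many are present in cleartext. */
int vault_count_exposed(const vault_t *v) {
    const unsigned char *hay = (const unsigned char *)v;
    int found = 0;
    for (int i = 0; i < N_ENTRIES; i++) {
        size_t n = strlen(SECRETS[i]);
        for (size_t off = 0; off + n <= sizeof *v; off++) {
            if (memcmp(hay + off, SECRETS[i], n) == 0) { found++; break; }
        }
    }
    return found;
}

/* Typical on-demand use: decrypt, use, wipe; returns the password length. */
size_t use_password_once(const vault_t *v, int idx) {
    char buf[MAX_LEN];
    size_t n = vault_get_lazy(v, idx, buf, sizeof buf);
    /* ... hand buf to the login form here ... */
    secure_wipe(buf, sizeof buf);
    return n;
}

int main(void) {
    vault_t v;
    vault_init(&v);
    printf("after init (ciphertext only): %d exposed\n", vault_count_exposed(&v));
    vault_load_eager(&v);
    printf("after eager load at startup:  %d exposed\n", vault_count_exposed(&v));
    secure_wipe(v.plain, sizeof v.plain);
    printf("after wiping plaintext:       %d exposed\n", vault_count_exposed(&v));
    use_password_once(&v, 1);
    printf("after one on-demand use:      %d exposed\n", vault_count_exposed(&v));
    return 0;
}
```

Compile with any C99 compiler and run. The eager path leaves all three passwords findable in the store for the life of the process; the on-demand path never puts plaintext in the store at all, and the caller's copy is wiped through a volatile pointer so that optimizing compilers do not discard the overwrite as a dead store.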

Source: BleepingComputer
