Security Enhancement for Credential Handling
Microsoft has introduced a change to its Edge browser that stops saved passwords from being loaded into process memory when the application starts. This update is part of the company’s Secure Future Initiative, an effort to bolster defense-in-depth protections across Microsoft products. The adjustment follows a public disclosure from security researcher Tom Jøran Sønstebyseter Rønning, who observed that Edge previously loaded stored credentials in clear text during startup.
Microsoft acknowledged the researcher’s finding but noted that the behavior was consistent with its existing threat model and did not introduce a new security vulnerability. The company explained that the scenario assumed an attacker had already gained control of the victim’s device, a situation where browsers and most applications cannot fully prevent credential access.
Impact and Deployment
Microsoft described the change as a proactive defense-in-depth improvement designed to minimize potential attack surfaces, even for scenarios outside its defined security boundaries. The fix has already been deployed in Edge Canary builds and will roll out across all supported channels, including Stable, Beta, Dev, and Extended Stable, with the Edge 148 update arriving automatically for users.
The company emphasized that there is no new exposure or increased risk associated with the earlier behavior. Access to in-memory credentials would still require an attacker to have compromised the system at an advanced stage, beyond typical browser-level protections. Microsoft also highlighted its continued investment in layered security mechanisms, including sandboxing technologies, renderer isolation, and the Scareware Blocker tool.
Source: Cyber Security News
