Microsoft Edge will no longer load all saved passwords into memory in plain text when the browser starts.
The development is notable because Microsoft continues to say the existing behavior does not cross a security boundary.
However, the company is still changing how Edge handles saved passwords after the issue came to light. The update should reduce unnecessary exposure of stored credentials in memory, even in cases where the device is already compromised.
The change follows a recent disclosure by security researcher Tom Jøran Sønstebyseter Rønning, who reported that Edge decrypted stored credentials at launch and kept them in memory even when users did not need them. Microsoft said the change is already live in Edge Canary and will arrive in all supported Edge channels with build 148 and newer.
Rønning found that Edge loaded every saved password into process memory at startup.
According to the researcher, Edge appeared to be the only Chromium-based browser he tested that behaved this way. Chrome, by comparison, only decrypts and loads a specific password into memory when a user requests it.
Microsoft initially described the behavior as an expected part of the application.
The company said the issue falls within its existing threat model because an attacker would already need access to a compromised device before reading that browser data. Microsoft repeated that position in a blog post but said it still saw room to improve Edge through a defense-in-depth change.
Starting with Edge build 148 and newer, the browser will no longer load saved passwords into memory at startup.
Microsoft said the update will apply to Stable, Beta, Dev, Canary, and Extended Stable versions of Edge. The company is prioritizing the rollout, while the Canary version already includes the change.