
Microsoft backpedals: Edge to stop loading passwords into memory


Microsoft is updating its Edge browser so that it stops loading saved passwords in clear text into process memory at startup, after having previously claimed this behavior was intentional.

On May 4, security researcher Tom Jøran Sønstebyseter Rønning revealed that Microsoft Edge’s built-in password manager decrypts all stored credentials at launch and keeps them in memory even when they are not in use. Rønning also published a proof-of-concept (PoC) tool that lets an attacker with Administrator rights extract passwords from other users’ Edge processes; without admin rights, the tool can only target Edge processes running under the same user account.

He reported the issue to Microsoft, which responded that the behavior is “by design.” Rønning noted that Edge is the only Chromium-based browser he tested that behaves this way; by contrast, Chrome uses a design that makes it significantly harder for an attacker to recover saved passwords simply by scanning process memory.

Although Microsoft initially dismissed the issue, telling BleepingComputer that “this is an expected feature of the application,” the company announced on Wednesday that future versions of Edge will stop loading saved passwords into memory at startup. The decision comes even though the reported scenario is one the existing threat model does not cover: attacks in which the adversary already has administrative control of the device.

“This defense-in-depth improvement will be implemented across all supported versions of Edge — Stable, Beta, Dev, Canary, and the Extended Stable channel used by our enterprise customers — and we are prioritizing the rollout,” said Microsoft Edge Security Lead Gareth Evans.

“Guided by our commitment to the Secure Future Initiative and by customer feedback, we are taking a broader perspective.” This involves evaluating not just whether something qualifies as a security issue, but also identifying opportunities to reduce risk through layered, defense-in-depth enhancements. In this case, limiting how long passwords remain accessible in memory is a practical step toward that goal.

The fix is now available in the Edge Canary channel and will be rolled out in the upcoming update for all supported Edge versions (build 148 and later).

Last year, Microsoft rolled out a new Edge security capability to protect users from malicious extensions sideloaded into the browser, and also restricted access to Edge’s Internet Explorer mode after attackers began exploiting zero-day vulnerabilities in the Chakra JavaScript engine to compromise target systems.
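The design change the article describes, decrypting a credential only when it is needed and wiping it afterwards instead of decrypting every entry at startup, as an added C illustration that is not Edge's or Microsoft's code; the XOR "cipher", its key and the sample password are stand-ins assumed for the demonstration:

```c
#include <string.h>

#define MAX_LEN 32
static const unsigned char KEY = 0x5A;  /* stand-in key; a real store keeps keys OS-protected */
typedef struct { unsigned char ct[MAX_LEN]; size_t len; } stored_cred;  /* as kept on disk */
typedef struct { char pt[MAX_LEN]; } eager_cred;  /* eager design: plaintext held from startup */

/* Placeholder cipher (XOR, self-inverse) standing in for the real decryption routine. */
static void stub_crypt(const unsigned char *in, unsigned char *out, size_t n) {
    for (size_t i = 0; i < n; i++) out[i] = in[i] ^ KEY;
}

/* Best-effort wipe; the volatile pointer keeps the compiler from eliding the stores. */
static void wipe(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Lazy design: decrypt one entry into a caller-owned buffer only when it is needed. */
static void decrypt_on_demand(const stored_cred *c, char *out) {
    stub_crypt(c->ct, (unsigned char *)out, c->len);
    out[c->len] = '\0';
}

/* Returns 1 if the plaintext occurs anywhere in the region, i.e. what a memory scan would find. */
int plaintext_visible(const void *region, size_t n, const char *pt) {
    size_t l = strlen(pt);
    const unsigned char *r = region;
    for (size_t i = 0; i + l <= n; i++)
        if (memcmp(r + i, pt, l) == 0) return 1;
    return 0;
}

/* Bitmask of where the secret is visible: 1 = eager table, 2 = encrypted store,
 * 4 = lazy scratch buffer after use and wipe. Expected result: 1. */
int demo_exposure(void) {
    const char *secret = "hunter2-example";  /* constructed sample password */
    stored_cred store = {{0}, strlen(secret)};
    stub_crypt((const unsigned char *)secret, store.ct, store.len);
    eager_cred eager = {{0}};
    decrypt_on_demand(&store, eager.pt);   /* "startup": every credential decrypted up front */
    int mask = 0;
    if (plaintext_visible(&eager, sizeof eager, secret)) mask |= 1;
    if (plaintext_visible(&store, sizeof store, secret)) mask |= 2;
    char scratch[MAX_LEN];
    decrypt_on_demand(&store, scratch);    /* only at the moment autofill needs it */
    wipe(scratch, sizeof scratch);         /* and gone again right after use */
    if (plaintext_visible(scratch, sizeof scratch, secret)) mask |= 4;
    return mask;
}
```

Only the eager table exposes the secret to a scan; the encrypted store and the wiped scratch buffer do not, which is the lifetime reduction the fix is aiming for.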

  BleepingComputer
