Microsoft Edge: No more plain text passwords in browser process

Microsoft's Edge loaded all passwords from the password manager on startup and kept them in plain text. But not anymore.

[Image: Logo of the Microsoft Edge browser with the word "Update" (Image: Dirk Knop / heise medien)]

Two weeks ago, it made waves that Microsoft's Edge web browser loaded all passwords from its password manager on startup and kept them in plain text in process memory. The developers have reacted to the media reports: updated browser versions no longer do this.

In the release notes for Friday's Microsoft Edge update, the developers state that they have resolved the issue. They write that they have made changes to the password manager intended to ensure that passwords are no longer loaded into memory when the browser starts. A blog post provides further information. First, the programmers explain that Edge's previous behavior fit the expected threat model under the existing criteria: the risk only arises once an attacker has already compromised the device. Nevertheless, they see potential for improvement.

As a first measure, Microsoft Edge now no longer loads passwords into memory on startup. The update is being distributed with prioritization for Microsoft Edge version 148 and newer. Anyone using the Edge password manager doesn't need to do anything further; the change should arrive through the regular update channel.

The developers also write that they are taking a closer look at how such vulnerability reports are handled. The initial reaction to the report from Tom Jøran Sønstebyseter Rønning was based on the specific criteria of the Chromium project. Those criteria should be understood as a baseline, but Microsoft wants to set the bar higher for itself. The process for handling reports from security researchers will be reviewed again. The developers want to focus on speed, clarity, and a defense-in-depth approach, and to apply it earlier in the process.


About two weeks ago, we were able to reproduce the problem easily: an account newly created in Microsoft's password manager could be found, password in plain text, in a dump of the process memory after a browser restart. Testing with a current Microsoft Edge version, specifically 148.0.3967.70, no longer readily reveals the password when the process memory is searched. Anyone using the Chromium-based Edge should therefore ensure that the browser is up to date.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.