The fact that Microsoft Edge loads every saved password into memory in plaintext, even when you're not using them, is what sparked this whole saga. It came to light just 10 days ago, when security researcher Tom Jøran Sønstebyseter Rønning went public with his findings after Microsoft told him the behavior was 'by design' and would not be changed.
And yet, in a sudden about-face, Microsoft has announced that it will change how Edge handles passwords after all. Gareth Evans, the Microsoft Edge security lead, explained that as part of Microsoft's Secure Future Initiative the team continuously reviews how Edge handles sensitive data in order to reduce exposure risk.
But what led to this change of heart? Rønning found that Edge decrypts all of your saved passwords into memory at startup, whether or not you have opened a site that uses any of them. Microsoft initially told him this was 'by design' and would not be addressed, so he disclosed it publicly. Exploiting the behavior requires an attacker who already has admin privileges on the machine, but at that point a single read of the browser's memory yields every stored credential at once rather than only the ones in use. That is a risk Microsoft has now decided it cannot ignore.
Now, Microsoft says Edge will no longer load passwords into memory on startup, describing the change as a defense-in-depth improvement aimed at minimizing data exposure. The update will reach every supported version of Edge, starting with version 148, and the rollout is being prioritized, so users should not have to wait long for it.
'We will no longer load passwords into memory on startup,' Evans said, acknowledging that while the risk begins after an attacker has access, there's still room to improve browser security. The update is a practical step in that direction.
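To make the design point concrete, here is a small model of the two behaviors the article contrasts: a store that decrypts every saved password at startup versus one that decrypts a single entry on demand and wipes its scratch buffer afterwards. This is illustrative code added to this article, not Edge's code or Microsoft's; the credentials, the toy XOR "cipher" standing in for real at-rest encryption, and the scan that walks a store's own buffers in place of a real process-memory read are all constructed for the demo.

```python
"""Eager vs. on-demand secret loading: a toy model of the Edge design change.

Added illustration, not Edge's implementation. The vault uses a throwaway XOR
keystream purely so the demo runs offline; a real store would use the platform
credential protection. The 'scan' inspects the store's buffers directly, a
stand-in for an attacker reading the browser process's memory.
"""
import os
from typing import Dict, List, Optional

# Constructed sample credentials (not real accounts or passwords).
SAMPLE_CREDS: Dict[str, bytes] = {
    "https://mail.example.com": b"hunter2-mail",
    "https://bank.example.com": b"correct-horse-bank",
    "https://shop.example.com": b"battery-staple-shop",
}


def _xor(data: bytes, key: bytes) -> bytes:
    """Toy keystream cipher so the demo has an 'encrypted at rest' form."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


class EncryptedVault:
    """Credentials as they sit on disk: one ciphertext blob per origin."""

    def __init__(self, creds: Dict[str, bytes]) -> None:
        self._key = os.urandom(32)
        self._blobs = {origin: _xor(pw, self._key) for origin, pw in creds.items()}

    def origins(self) -> List[str]:
        return list(self._blobs)

    def decrypt(self, origin: str) -> bytearray:
        # bytearray so the caller can overwrite it in place when finished.
        return bytearray(_xor(self._blobs[origin], self._key))


class EagerStore:
    """The 'before' behavior: every password decrypted at startup and kept."""

    def __init__(self, vault: EncryptedVault) -> None:
        self._plain = {o: vault.decrypt(o) for o in vault.origins()}

    def password_for(self, origin: str) -> bytes:
        return bytes(self._plain[origin])

    def resident_plaintext(self) -> List[bytes]:
        # Everything is resident from the moment the store is built.
        return [bytes(v) for v in self._plain.values()]


class OnDemandStore:
    """The 'after' behavior: decrypt only the requested entry, wipe after use."""

    def __init__(self, vault: EncryptedVault) -> None:
        self._vault = vault
        self._scratch: Optional[bytearray] = None

    def password_for(self, origin: str) -> bytes:
        self._scratch = self._vault.decrypt(origin)
        out = bytes(self._scratch)  # the copy handed to the caller
        for i in range(len(self._scratch)):  # zero the scratch buffer in place
            self._scratch[i] = 0
        return out

    def resident_plaintext(self) -> List[bytes]:
        # Nothing resident unless a non-wiped scratch buffer is still around.
        if self._scratch is None or not any(self._scratch):
            return []
        return [bytes(self._scratch)]


def count_exposed(store, known_passwords) -> int:
    """Stand-in for a memory scan: how many known secrets sit in the store's buffers."""
    resident = store.resident_plaintext()
    return sum(1 for pw in known_passwords if pw in resident)


if __name__ == "__main__":
    vault = EncryptedVault(SAMPLE_CREDS)
    eager, lazy = EagerStore(vault), OnDemandStore(vault)
    secrets = list(SAMPLE_CREDS.values())
    print("eager store, right after startup:", count_exposed(eager, secrets))
    print("on-demand store, right after startup:", count_exposed(lazy, secrets))
    lazy.password_for("https://bank.example.com")
    print("on-demand store, after one lookup:", count_exposed(lazy, secrets))
```

With the eager store, the scan finds all three secrets before the user has visited a single site; with the on-demand store it finds none at startup and none after a lookup, because only the copy actually handed to the caller exists, and only for as long as the caller holds it. That is the exposure window Microsoft's change narrows. It does not remove it: the credential for the site you are logging into still has to be in memory while it is being used, which is the "risk begins after an attacker has access" caveat in Evans's statement.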
So, what does this mean for you? If you use the Microsoft Edge password manager, there is nothing to do but wait for the version 148 update to reach you. Microsoft is also reviewing how it handles researcher reports, focusing on speed, clarity, and applying defense-in-depth thinking earlier in the process.
Given the number of Microsoft security vulnerabilities disclosed recently, this change is a step in the right direction, and a sign that Microsoft is listening to researchers and users rather than standing behind a 'by design' label.
- Microsoft Edge previously loaded all saved passwords into memory in plaintext at startup.
- This behavior was initially considered 'by design' by Microsoft.
- A security researcher, Tom Jøran Sønstebyseter Rønning, publicly disclosed the vulnerability after Microsoft refused to address it.
- Microsoft has since announced it will update Edge to stop loading passwords into memory at startup.
- The update will come to every supported version of Edge, starting with version 148.
The change matters beyond Edge users: it sets a precedent for how vendors should respond when a researcher questions behavior they consider 'by design'. It is also a reminder that security is an ongoing process, and that a change as small as when a secret is decrypted can make a real difference to how much an attacker with access to a machine is able to take.