Microsoft Does U-Turn On Edge ‘By Design’ Password Vulnerability

Microsoft has confirmed a “defense-in-depth change will come to every supported version of Edge” after initially refusing to address a browser password security issue.

Microsoft has now confirmed that a “defense-in-depth change will come to every supported version of Edge” after initially refusing to address a password vulnerability identified for users of the web browser’s password manager. When I first reported that a researcher had publicly disclosed the security vulnerability, whereby all saved passwords were loaded into memory, in plaintext, at startup, Microsoft said that this happened “by design” and that the behavior fell “within the expected threat model.” That was 10 days ago. Now Microsoft has said that it will “no longer load passwords into memory on startup,” starting with version 148, and that “every supported version of Edge” will get the update, the rollout of which is now being prioritized.

The Microsoft Edge Saved Passwords Vulnerability Explained

A security researcher went public at the start of May after Microsoft told him that the password security vulnerability he had found in the Edge browser was by design, and that it would therefore not be moving forward with his vulnerability report or making any changes to rectify it. “Microsoft Edge loads all your saved passwords into memory in cleartext,” Tom Jøran Sønstebyseter Rønning said, “even when you’re not using them.” I mean, if leaving decrypted plaintext passwords in Edge process memory after startup, regardless of whether they are used during that session, isn’t a security vulnerability, then, frankly, I’m not sure what is. Sure, an attacker would need to already have admin privileges to exploit it, but it remains a vulnerability regardless, in my never humble opinion, and regardless of whether it has an official Common Vulnerabilities and Exposures designation or not. Especially as none of the other Chromium-based web browsers tested displayed the same behavior, according to Rønning.

Why Microsoft Is Making An Edge Password Security U-Turn

Gareth Evans, the Microsoft Edge security lead, has now posted a detailed explanation of the changes that are being made to how passwords are held in Edge memory, and why those changes are being made. As part of Microsoft’s Secure Future Initiative, Evans said, the security team continuously reviews how Edge handles sensitive data in order to reduce the risk of exposure. While maintaining that the so-called vulnerability remains within the expected threat model, because the risk begins only after an attacker already has access to the machine, Evans admitted that there is still room to improve browser security. “We will no longer load passwords into memory on startup,” Evans said, describing the update as “a practical step in that direction,” the direction being minimizing data exposure through defense-in-depth improvements. Which sounds like a U-turn to me, and likely to you as well.

The good news is that users of the Microsoft Edge password manager need to do nothing but wait for the version 148 update to reach them. Meanwhile, Evans confirmed that Microsoft is “reviewing how we handle researcher reports, with a focus on speed, clarity, and applying defense-in-depth thinking earlier.” I’d like to think that is a success for both common security sense and media reporting pressure. And given the number of Microsoft security vulnerabilities that have been dropped recently, that has to be a good thing.
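The finding at the center of this story is a memory-residency question: is a saved password sitting in cleartext inside an Edge process right after launch, before you have used it? The PowerShell script below is an added example, not code from the article, from Rønning, or from Microsoft; it is the kind of check a practitioner can run to confirm the behavior on a given Edge build today, and again once the version 148 update lands. It assumes 64-bit Windows with a 64-bit, elevated PowerShell session, an Edge profile in which you have saved a long, random throwaway password created solely for this test and used nowhere else, and that Edge has just been launched without visiting the site that password belongs to. It walks the address space of every msedge.exe process and searches for the password in both UTF-8 and UTF-16LE form; Chromium holds strings in both encodings, and which one a given in-memory copy uses is an assumption, so both are tried. The script name and the function name are hypothetical.

```powershell
# Added example, not code from the article, the researcher or Microsoft.
# Checks whether a throwaway saved password is resident in cleartext in any
# msedge.exe process. Assumptions: 64-bit Windows and PowerShell, elevated
# session, Edge freshly launched, and the password was saved for this test only.
param(
    [Parameter(Mandatory = $true)][string]$TestPassword,  # throwaway password saved in the Edge profile
    [string]$ProcessName = 'msedge'
)

# Minimal kernel32 surface needed to walk and read another process's memory.
Add-Type -Namespace Win32 -Name Mem -MemberDefinition @'
[StructLayout(LayoutKind.Sequential)]
public struct MEMORY_BASIC_INFORMATION {
    public IntPtr BaseAddress; public IntPtr AllocationBase; public uint AllocationProtect;
    public IntPtr RegionSize;  public uint State; public uint Protect; public uint Type;
}
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr VirtualQueryEx(IntPtr h, IntPtr addr, out MEMORY_BASIC_INFORMATION mbi, IntPtr len);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool ReadProcessMemory(IntPtr h, IntPtr addr, byte[] buf, IntPtr size, out IntPtr read);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr h);
'@

$PROCESS_QUERY_INFORMATION = 0x0400; $PROCESS_VM_READ = 0x0010
$MEM_COMMIT = 0x1000; $PAGE_NOACCESS = 0x01; $PAGE_GUARD = 0x100

# Search both encodings: Chromium keeps strings as UTF-8 (std::string) and UTF-16 (std::u16string).
# Which encoding a given copy of the password uses is an assumption, so both are tried.
$latin1  = [Text.Encoding]::GetEncoding(28591)   # 1 byte <-> 1 char, so string IndexOf works on raw bytes
$needles = @{
    'UTF-8'    = $latin1.GetString([Text.Encoding]::UTF8.GetBytes($TestPassword))
    'UTF-16LE' = $latin1.GetString([Text.Encoding]::Unicode.GetBytes($TestPassword))
}
$overlap = ($needles.Values | ForEach-Object { $_.Length } | Measure-Object -Maximum).Maximum - 1
$chunk   = 4MB

function Find-PasswordInProcess([int]$ProcId) {
    $h = [Win32.Mem]::OpenProcess($PROCESS_QUERY_INFORMATION -bor $PROCESS_VM_READ, $false, $ProcId)
    if ($h -eq [IntPtr]::Zero) { Write-Warning "PID ${ProcId}: OpenProcess failed (access denied?)"; return }
    $mbi     = New-Object 'Win32.Mem+MEMORY_BASIC_INFORMATION'
    $mbiSize = [IntPtr][Runtime.InteropServices.Marshal]::SizeOf($mbi)
    $addr    = [IntPtr]::Zero
    try {
        # Walk every region of the target's address space; VirtualQueryEx returns 0 past the end.
        while ([Win32.Mem]::VirtualQueryEx($h, $addr, [ref]$mbi, $mbiSize) -ne [IntPtr]::Zero) {
            $base = $mbi.BaseAddress.ToInt64(); $size = $mbi.RegionSize.ToInt64()
            $readable = ($mbi.State -eq $MEM_COMMIT) -and
                        (($mbi.Protect -band ($PAGE_NOACCESS -bor $PAGE_GUARD)) -eq 0)
            if ($readable) {
                # Read in chunks that overlap by (needle length - 1) so a match cannot straddle a boundary.
                for ($off = 0; $off -lt $size; $off += $chunk) {
                    $len  = [int][Math]::Min($chunk + $overlap, $size - $off)
                    $buf  = New-Object byte[] $len
                    $read = [IntPtr]::Zero
                    if (-not [Win32.Mem]::ReadProcessMemory($h, [IntPtr]($base + $off), $buf, [IntPtr]$len, [ref]$read)) { continue }
                    $hay = $latin1.GetString($buf, 0, $read.ToInt32())
                    foreach ($enc in $needles.Keys) {
                        $i = $hay.IndexOf($needles[$enc], [StringComparison]::Ordinal)
                        if ($i -ge 0) {
                            [pscustomobject]@{ PID = $ProcId; Encoding = $enc; Address = ('0x{0:X}' -f ($base + $off + $i)) }
                        }
                    }
                }
            }
            $addr = [IntPtr]($base + $size)
        }
    } finally { [void][Win32.Mem]::CloseHandle($h) }
}

$hits = foreach ($p in Get-Process -Name $ProcessName -ErrorAction Stop) { Find-PasswordInProcess $p.Id }
if ($hits) { $hits | Format-Table -AutoSize }
else { "No cleartext copy of the test password found in any $ProcessName process at scan time." }
```

Run it as `.\Find-EdgePassword.ps1 -TestPassword '<your throwaway password>'` within a few seconds of starting Edge, before touching the password manager or the site the credential belongs to. A hit at that point reproduces what Rønning described: the value was decrypted and resident without having been used. No hit only means the string was not resident at the moment of the scan, not that it never is, and the copy on disk in the profile, which is protected at rest, is a separate matter this check does not examine. Two caveats worth keeping in mind: use a long random test value so a short string does not produce coincidental matches, and remember that the scan itself needs the same read access to the process that the article notes an attacker would need, which is precisely why Microsoft first classed the behavior as within its threat model and why removing the startup load is a defense-in-depth improvement rather than a fix for an unauthenticated attack.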













