Overview
- Microsoft said Edge will no longer load saved passwords into memory at startup, with the fix live in Canary and rolling out to all channels starting with build 148.
- This marks a reversal of Microsoft’s earlier position that the behavior was “by design” under its stated threat model.
- Researcher Tom Jøran Sønstebyseter Rønning found the browser decrypted all stored passwords at launch and kept them in process memory even when they were not used.
- He published a proof-of-concept that showed local attackers could dump Edge process memory to harvest credentials, with broader access for users with Administrator rights.
- The update reduces risk for shared Windows setups such as terminal servers and virtual desktops and brings Edge closer to Chrome’s practice of decrypting passwords only when requested.