Full Report
Microsoft is updating the Edge web browser to ensure it no longer loads saved passwords into process memory in clear text at startup. [...]
Analysis Summary
# Vulnerability: Microsoft Edge Cleartext Password In-Memory Exposure
## CVE Details
- **CVE ID**: N/A (Microsoft initially categorized this as "by design," though a defense-in-depth fix was later issued).
- **CVSS Score**: N/A
- **CWE**: CWE-316: Cleartext Storage of Sensitive Information in Memory
## Affected Systems
- **Products**: Microsoft Edge (all channels: Stable, Beta, Dev, Canary, and Extended Stable).
- **Versions**: All versions prior to Build 148.
- **Configurations**: Default configuration where the built-in password manager is used to save credentials.
## Vulnerability Description
Microsoft Edge was found to decrypt all saved credentials from its built-in password manager and load them into process memory in cleartext immediately upon application startup. Unlike other Chromium-based browsers (such as Chrome), which only decrypt credentials on demand, Edge kept these secrets in memory for the lifetime of the process, even when they were not being used for authentication. This behavior significantly widened the window of opportunity for memory-scraping attacks: any attacker able to read the browser's process memory could recover every saved password without waiting for the user to log in to a site.
## Exploitation
- **Status**: PoC available. A dumper tool titled "EdgeSavedPasswordsDumper" has been released publicly.
- **Complexity**: Low (if the attacker has local access).
- **Attack Vector**: Local. An attacker requires the ability to read process memory on the target machine.
## Impact
- **Confidentiality**: High (Total exposure of all saved browser credentials and passwords).
- **Integrity**: None.
- **Availability**: None.
## Remediation
### Patches
- **Microsoft Edge Build 148 and newer**: This update ensures passwords are no longer loaded into memory until required.
- **Edge Canary**: The fix is currently live and validated in the Canary channel.
### Workarounds
- **Third-Party Password Managers**: Users can switch to a dedicated password manager and disable the Edge built-in password manager.
- **Credential Deletion**: Clear saved passwords from the browser and disable the "Offer to save passwords" setting.
- **Process Isolation**: Ensure strict administrative controls to prevent unauthorized users from running memory-dumping utilities.
## Detection
- **Indicators of Compromise**: Presence of unauthorized memory-dumping tools (e.g., Mimikatz, specialized Edge dumper scripts) on the endpoint.
- **Detection Methods and Tools**:
  - Monitor for suspicious calls to `ReadProcessMemory` targeting `msedge.exe`.
  - Use EDR/AV solutions to flag the "EdgeSavedPasswordsDumper" tool or similar credential-accessing behavior.
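One way to operationalize the "monitor for process-memory reads against `msedge.exe`" recommendation is to inspect Sysmon ProcessAccess events (Event ID 10), which record the source image, target image and the access mask granted when one process opens a handle to another. The following script is an added example, not code from the report or from Microsoft; the Sysmon field names (`SourceImage`, `TargetImage`, `GrantedAccess`) are the real Event ID 10 fields, the `PROCESS_VM_READ` and `PROCESS_QUERY_INFORMATION` constants are the documented Win32 access rights, and the sample event records are constructed for illustration. The allowlist of expected source processes is an assumption to be tuned per environment (Edge's own browser, renderer and utility processes legitimately open handles to one another).

```python
"""Flag Sysmon ProcessAccess (Event ID 10) records that read msedge.exe memory.

Added example for the detection guidance above; not from the original report.
Sample records below are constructed, not captured from a real host.
"""
from typing import Dict, List, Tuple

# Win32 process access rights relevant to memory scraping.
PROCESS_VM_READ = 0x0010            # required for ReadProcessMemory
PROCESS_QUERY_INFORMATION = 0x0400  # commonly paired with VM_READ by dump tools

# Source executables expected to open Edge processes. Assumption: Edge's own
# processes open each other; extend with EDR/AV agents known in your estate.
ALLOWED_SOURCE_NAMES = {"msedge.exe"}


def parse_sysmon_event(text: str) -> Dict[str, str]:
    """Parse the 'Field: value' rendering of a Sysmon event into a dict.

    Only the first colon on each line separates field from value, so drive
    letters such as 'C:\\' inside paths are preserved.
    """
    fields: Dict[str, str] = {}
    for line in text.strip().splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def basename(image_path: str) -> str:
    """Return the file name portion of a Windows image path, lower-cased."""
    return image_path.lower().rsplit("\\", 1)[-1]


def is_suspicious_edge_access(event: Dict[str, str]) -> bool:
    """True when a non-allowlisted process obtained VM_READ on msedge.exe."""
    if event.get("EventID") != "10":
        return False
    if basename(event.get("TargetImage", "")) != "msedge.exe":
        return False
    if basename(event.get("SourceImage", "")) in ALLOWED_SOURCE_NAMES:
        return False
    granted = int(event.get("GrantedAccess", "0x0"), 16)
    # Any mask containing VM_READ can be used to scrape the process heap;
    # QUERY_INFORMATION alone (e.g. 0x1000/0x1400 from task managers) cannot.
    return bool(granted & PROCESS_VM_READ)


def find_suspicious(raw_events: List[str]) -> List[Tuple[str, str]]:
    """Return (source image, granted access) for each suspicious record."""
    hits = []
    for raw in raw_events:
        event = parse_sysmon_event(raw)
        if is_suspicious_edge_access(event):
            hits.append((event["SourceImage"], event["GrantedAccess"]))
    return hits


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # Edge browser process opening one of its own renderers: expected.
    "EventID: 10\nSourceImage: C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\n"
    "TargetImage: C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\n"
    "GrantedAccess: 0x1410",
    # Unknown binary from a user profile reading Edge memory: flag it.
    "EventID: 10\nSourceImage: C:\\Users\\alice\\Downloads\\tool.exe\n"
    "TargetImage: C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\n"
    "GrantedAccess: 0x1410",
    # Query-only handle (no VM_READ), typical of task managers: ignore.
    "EventID: 10\nSourceImage: C:\\Windows\\System32\\taskmgr.exe\n"
    "TargetImage: C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\n"
    "GrantedAccess: 0x1000",
    # VM_READ against a different target: out of scope for this rule.
    "EventID: 10\nSourceImage: C:\\Users\\alice\\Downloads\\tool.exe\n"
    "TargetImage: C:\\Windows\\System32\\notepad.exe\nGrantedAccess: 0x1410",
]

if __name__ == "__main__":
    for source, access in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT: {source} opened msedge.exe with GrantedAccess={access}")
```

In production the same `is_suspicious_edge_access` predicate can be applied to events pulled from the `Microsoft-Windows-Sysmon/Operational` channel; the value of keying on the access mask rather than on a tool name is that it catches renamed or custom dumpers, not only the published "EdgeSavedPasswordsDumper" binary. Expect to add legitimate sources (EDR agents, crash reporters) to the allowlist after a baselining period.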
## References
- **Researcher Disclosure**: hxxps[://]x[.]com/L1v1ng0ffTh3L4N/status/2051308329880719730
- **PoC Repository**: hxxps[://]github[.]com/L1v1ng0ffTh3L4N/EdgeSavedPasswordsDumper
- **Vendor Advisory**: hxxps[://]microsoftedge[.]github[.]io/edgevr/posts/Saved-passwords-in-Edge-memory-what-were-changing-and-why/
- **Article Source**: hxxps[://]www[.]bleepingcomputer[.]com/news/microsoft/microsoft-edge-to-stop-loading-cleartext-passwords-in-memory-on-startup/