Edge version 85.0.564.63 is now available for download

Sep 25, 2020 14:34 GMT

Microsoft has released a new stable update for Microsoft Edge, the Chromium-based version of the browser that is now available not only on Windows but also on macOS.

As a side note, a Linux version is also in development, and Microsoft has recently confirmed that a preview build is projected to be released in October.

The new Microsoft Edge stable version on Windows and Mac is 85.0.564.63, so it’s just a minor update from version 85.0.564.51.

This means the browser isn’t getting any new features, only security patches: Microsoft has shipped this update to resolve vulnerabilities not in Microsoft Edge itself but in the Chromium engine that powers the application.

The following vulnerabilities are resolved with the new stable update:

Microsoft has rated these vulnerabilities as high severity, and users are advised to update Microsoft Edge as soon as possible.

CVE-2020-15966 is a vulnerability that allows an attacker to obtain sensitive information from a device using nothing more than a crafted extension.

In other words, if someone online manages to convince you to install a Google Chrome add-on that they built specifically to exploit the vulnerability, they could end up reading sensitive information in the browser. Since it supports Google Chrome extensions and uses the Chromium engine, Microsoft Edge is exposed to the very same bug, and this is why it’s so important for everybody to install the patch as soon as possible.

“Insufficient policy enforcement in extensions in Google Chrome prior to 85.0.4183.121 allowed an attacker who convinced a user to install a malicious extension to obtain potentially sensitive information via a crafted Chrome Extension,” the CVE reads.

CVE-2020-15960 also describes an attack method that’s pretty simple, as it only requires the attacker to point a vulnerable browser to a malicious HTML page. More specifically, a hacker could send the user a link, either on messaging platforms or via email, to point them to a compromised website hosting code that would be used to exploit the heap buffer overflow glitch in the Chrome storage component. Once the user is there and the page is loaded, the remote attacker can perform out-of-bounds memory access, according to the official CVE page linked above.

CVE-2020-15961 also deserves particular attention, once again because it can be exploited with a malicious extension that needs to be installed on a computer running an unpatched version of Microsoft Edge (or another Chromium browser).

“Insufficient policy validation in extensions in Google Chrome prior to 85.0.4183.121 allowed an attacker who convinced a user to install a malicious extension to potentially perform a sandbox escape via a crafted Chrome Extension,” the CVE page reveals.

Given all of this, updating Microsoft Edge to the very latest version should be at the top of your agenda these days, especially in a corporate network.

On Windows 10, the stable version of Microsoft Edge is automatically updated via Windows Update, so the new release should already be there on your device. You can find out the version of Microsoft Edge from the settings screen of the browser.
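For a corporate network, the same version check can be run over an inventory export instead of one settings screen at a time. The script below is an added example, not Microsoft's tooling: the host names and inventory rows are constructed, and the only real values are the two fixed builds quoted in this article. It compares versions numerically, because a plain string comparison would rank 85.0.564.100 below 85.0.564.63.

```python
# Added example: flag hosts whose browser build predates the patched releases.
# Thresholds come from the article; everything else is a constructed assumption.
PATCHED = {
    "edge": (85, 0, 564, 63),      # Microsoft Edge stable build with the fixes
    "chrome": (85, 0, 4183, 121),  # Chrome build named in the quoted CVE text
}


def parse_version(text):
    """Turn '85.0.564.63' into (85, 0, 564, 63); raise ValueError otherwise."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"not a four-part version: {text!r}")
    return tuple(int(p) for p in parts)


def audit(inventory):
    """Map each host to 'patched', 'needs_update' or 'unknown'."""
    report = {}
    for host, browser, version in inventory:
        fixed = PATCHED.get(browser.lower())
        try:
            installed = parse_version(version)
        except ValueError:
            fixed = None  # unparsable version string: do not guess
        if fixed is None:
            report[host] = "unknown"  # unrecognised browser or bad data, check by hand
        else:
            # Tuples of ints compare field by field, so 100 > 63 as expected.
            report[host] = "patched" if installed >= fixed else "needs_update"
    return report


# Constructed sample inventory (hypothetical hosts): (host, browser, version)
SAMPLE = [
    ("ws-001", "edge", "85.0.564.63"),
    ("ws-002", "edge", "85.0.564.51"),
    ("ws-003", "edge", "85.0.564.100"),   # newer build; sorts lower as a string
    ("mac-01", "chrome", "85.0.4183.102"),
    ("ws-004", "edge", "unknown"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as unknown should be treated as unpatched until someone confirms the installed build.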

The Chromium-based version of Microsoft Edge is now the default browser on Windows 10, as it replaced the legacy sibling earlier this year. On Windows 7 and Windows 8.1, on the other hand, it was offered via Windows Update by Microsoft, while on macOS, the browser can only be installed with a manual download. However, the Windows and Mac builds are typically updated at the same time.