
Microsoft Edge Stops Loading Saved Passwords Into Memory at Startup

May 27, 2026

Microsoft has announced a significant security improvement in its Edge browser, eliminating the practice of loading saved passwords into process memory at startup.

The change comes as part of the company’s broader Secure Future Initiative (SFI), which aims to strengthen defense-in-depth protections across its products.

The update follows a public disclosure by security researcher Tom Jøran Sønstebyseter Rønning, who found that Microsoft Edge loaded stored passwords into memory in clear text during browser startup.

While Microsoft acknowledged the finding, it clarified that the behavior aligned with its existing threat model and did not introduce a new security vulnerability.

According to Microsoft, the reported scenario assumes that an attacker already has control over the victim’s device.

In such cases, where malicious code can execute locally with elevated privileges, browsers and other applications are generally unable to prevent credential access.

This limitation is consistent across all modern browsers and is considered outside the scope of standard browser threat models.

Despite this, Microsoft emphasized that reducing unnecessary exposure of sensitive data remains a priority.

As a result, the company has implemented a defense-in-depth improvement to prevent passwords from being loaded into memory during startup.

“This change is a proactive step to minimize potential attack surfaces, even in scenarios that fall outside our defined security boundaries,” Microsoft stated.

The fix has already been deployed in Edge Canary builds and will be rolled out across all supported versions, including Stable, Beta, Dev, and Extended Stable channels.

The Microsoft Edge 148 update arrives automatically with no user action required.

Microsoft reassured users that there is no new exposure or increased risk associated with the previously reported behavior.

The company reiterated that access to in-memory credentials would only be possible if an attacker had already compromised the system at an advanced stage of intrusion beyond typical browser-level protections.

In addition to this change, Microsoft highlighted its continued investment in layered security mechanisms.

These include sandboxing technologies, renderer isolation, and proactive defenses such as the Scareware Blocker, which helps protect users from malicious websites.

The company also acknowledged the importance of the security research community. It indicated that it is reviewing its internal processes for handling vulnerability reports.

Microsoft plans to improve response speed, communication clarity, and the integration of defense-in-depth considerations earlier in the evaluation process.

This move reflects a broader industry trend toward hardening software against complex, multi-stage attacks.

By limiting how and when sensitive data, such as passwords, is exposed in memory, Microsoft Edge aims to reduce the risk of credential theft, even in edge-case scenarios.

Source: CybersecurityNews.com
