Microsoft is updating the Edge web browser to stop loading saved passwords into process memory in clear text during startup [1].
This change addresses a critical vulnerability that could allow malicious software to extract sensitive user credentials directly from a computer's memory. By removing clear-text passwords from the startup process, Microsoft reduces the attack surface for credential-stealing malware on Windows platforms [1], [2].
The decision follows a disclosure by a security researcher who flagged the behavior as a significant risk [3]. The researcher said that loading passwords in this manner makes it easier for malware to loot them from the system [3].
Initially, the company did not treat the practice as a security flaw, saying the behavior was not a security concern [4]. It changed its stance following public backlash and further evidence of the potential for exploitation [3].
Edge is primarily used on Windows platforms, where memory-scraping attacks are a common vector for stealing data [2]. The update ensures that saved passwords are no longer stored in an unencrypted state in the process memory when the browser first opens [1], [2].
Microsoft did not provide a specific timeline for the rollout of this fix in the available documentation, but the development team said the approach has shifted [1].
“Microsoft is updating the Edge web browser so it no longer loads saved passwords into process memory in clear text at startup.”
This update reflects a shift in how Microsoft balances browser performance and security. While loading passwords into memory at startup may have given the password manager a slight speed advantage, the risk of memory scraping, where malware reads RAM looking for sensitive strings, outweighed the benefit. The move aligns Edge with the stricter handling used by other modern browsers to prevent local credential theft.
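As an added illustration (not Microsoft's or Edge's code), the C program below contrasts the two designs the article describes: a cache that decodes every saved password at startup, against an on-demand path that materialises one password only while a login needs it and wipes it afterwards. The sample store, site names and passwords are constructed, and `region_contains` is the self-check a defender can run over a buffer in a unit test.

```c
#include <stddef.h>
#include <string.h>

/* Constructed sample store of "site\tpassword\n" records. In a real
   password manager these would sit encrypted on disk; the literal here
   only stands in for that file so the example runs offline. */
static const char STORE[] =
    "example.test\tCorrectHorse!\n"
    "mail.example.test\tBatteryStaple7\n";

/* Startup-time design: decode everything into a long-lived buffer. */
static char startup_cache[sizeof STORE];

void load_all_at_startup(void) {
    memcpy(startup_cache, STORE, sizeof STORE); /* clear text for process lifetime */
}
const char *startup_cache_ptr(void) { return startup_cache; }
size_t startup_cache_len(void) { return sizeof startup_cache; }

/* Does a clear-text copy of `secret` occur anywhere in `region`? */
int region_contains(const void *region, size_t len, const char *secret) {
    size_t n = strlen(secret);
    const unsigned char *p = region;
    for (size_t i = 0; n > 0 && i + n <= len; i++)
        if (memcmp(p + i, secret, n) == 0) return 1;
    return 0;
}

/* Wipe via a volatile pointer so the optimizer cannot drop it as a dead store. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Stand-in for the code that actually uses the password (e.g. a login form). */
int pw_length(const char *pw) { return (int)strlen(pw); }

/* On-demand design: materialise one password into `scratch` only for the
   duration of `consumer`, then wipe. Returns consumer's result, or -1. */
int use_password_on_demand(const char *site, char *scratch, size_t cap,
                           int (*consumer)(const char *pw)) {
    int rc = -1;
    size_t slen = strlen(site);
    for (const char *line = STORE; *line; line = strchr(line, '\n') + 1) {
        const char *tab = strchr(line, '\t'), *nl = strchr(line, '\n');
        if (!tab || !nl || tab > nl) break;
        size_t n = (size_t)(nl - tab - 1);
        if ((size_t)(tab - line) == slen && memcmp(line, site, slen) == 0 && n < cap) {
            memcpy(scratch, tab + 1, n); scratch[n] = '\0';
            rc = consumer(scratch);
            break;
        }
    }
    secure_wipe(scratch, cap); /* nothing left behind for a memory scan */
    return rc;
}
```

Scanning `STORE` itself would of course still find the passwords; the point of the demo is the difference between the long-lived cache and the wiped scratch buffer.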