Microsoft Edge Security Update 103, Google Chrome, Windows 10, 11

Microsoft has confirmed the latest security update for the Edge web browser, but does not agree with the industry standard CVSS severity ratings applied to some vulnerabilities.

Microsoft Edge recently overtook Apple Safari to become the second most used web browser on the planet, with more than 150 million users. Google’s Chrome browser is way ahead with over three billion users. Both, however, are based on the same Chromium engine under the hood. So when Google releases a Chrome security update to fix multiple highly rated and critical vulnerabilities, Microsoft will inevitably do the same within a few days. This month, Google fixed a total of 14 such security issues, while 48 hours later, Microsoft began rolling out an update that fixed 10 of the vulnerabilities that also affected Edge users. This might lead you to conclude that Edge has, at least this month, proven to be somehow “more secure” than Chrome.

But hold fast: technology, and especially security, is rarely that clear cut. In total, Microsoft issued fixes for 12 vulnerabilities, two of which are Edge-specific and received a high rating under the Common Vulnerability Scoring System (CVSS). Microsoft, however, downplays the severity of these security issues, which could, if successfully exploited, allow an attacker to run malicious code outside of the Edge security sandbox. So what is going on here?

Not all security vulnerabilities are created equal

That a vulnerability scoring system exists is evidence, in case you needed any, that not all security issues are created equal. Well, certainly not with regard to the risks they pose to your systems and data. Many organizations use these CVSS ratings to help inform their patch prioritization, though it is by no means the only metric. However, when the vendor releasing the patch downplays that official rating, this could serve to further muddy the waters. In the case of the Edge version 103.0.1264.37 update that began rolling out on June 23, Microsoft has done exactly that for the two Edge-specific sandbox escape and elevation of privilege vulnerabilities: CVE-2022-30192 and CVE-2022-33638.

Microsoft’s severity ratings rationale ties to Edge bounty program

If you follow those CVE links to Microsoft’s security update guide, both entries are rated “moderate” by the vendor, rather than the CVSS rating of high severity. Microsoft claims that this downgrade is due to “the amount of user interaction or preconditions required to allow this type of exploitation.” It goes on to add that, “if an error requires more than a click, a key press, or multiple preconditions, the severity will be reduced.” I’m sorry, but that feels like a great escape to me. Seriously, more than a click? Two clicks and your system is compromised, your data is toast, don’t they deserve a high severity rating? The reasoning given relates to the Microsoft Edge Bounty Program which rewards security researchers based on the severity of the vulnerability they discover.

I am absolutely certain that the decision is not influenced by the fact that a critical sandbox escape bug would bring a bounty of between $20,000 and $30,000, while a moderate one drops to at most $5,000 and possibly as low as $1,000. However, it would not be too surprising if others came to that conclusion.

I have contacted Microsoft for a statement on the severity rating of the vulnerabilities in Edge.

How to update Microsoft Edge browser

None of this changes the advice to update your browser as soon as possible. Consumers should not wait for the update to arrive in their browser over the next few days, but force the installation following the instructions below. Business users, on the other hand, are advised to follow their own patching strategy based on internal risk analysis.

Go to ‘Help & Feedback | About Microsoft Edge’ from the three-dot menu at the top right; if an update is available, this will start the process. Once it is downloaded and installed, close all tabs and restart your browser as usual. You will know you are protected when the version number reads Edge 103.0.1264.37.
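For checking a Windows machine (or a fleet, via remoting) against the patched build named above, here is an added PowerShell example that is not part of the article; it assumes the Stable-channel install paths under Program Files and that the product version stamped on msedge.exe matches the version shown on the About page.

```powershell
# Added example (not from the article): report whether the installed Microsoft Edge
# build is at or above the patched version the article names, 103.0.1264.37.
$PatchedVersion = [version]'103.0.1264.37'

function Get-EdgeInstalledVersion {
    # Assumed Stable-channel install locations; adjust if Edge lives elsewhere.
    $candidates = @(
        "${env:ProgramFiles(x86)}\Microsoft\Edge\Application\msedge.exe",
        "${env:ProgramFiles}\Microsoft\Edge\Application\msedge.exe"
    )
    foreach ($exe in $candidates) {
        if (Test-Path -LiteralPath $exe) {
            # ProductVersion is assumed to be the dotted build, e.g. 103.0.1264.37.
            $raw = (Get-Item -LiteralPath $exe).VersionInfo.ProductVersion
            return [version]$raw
        }
    }
    return $null
}

function Test-EdgePatched {
    param(
        [version]$Installed,
        [version]$Required = $PatchedVersion
    )
    if (-not $Installed) { return $false }
    # [version] compares numerically per component, so 103.0.1264.44 correctly
    # ranks above 103.0.1264.37 where a plain string comparison would not.
    return $Installed -ge $Required
}

$installed = Get-EdgeInstalledVersion
if (-not $installed) {
    Write-Output "Microsoft Edge was not found in the standard install locations."
} elseif (Test-EdgePatched -Installed $installed) {
    Write-Output "Edge $installed is at or above $PatchedVersion; the CVE-2022-30192 and CVE-2022-33638 fixes are present."
} else {
    Write-Output "Edge $installed is older than $PatchedVersion; update from the About Microsoft Edge page and restart the browser."
}
```

A browser that has downloaded the update but not yet restarted still reports the old version here, which is why the restart step above matters.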
