MICROSOFT EDGE UNDER FIRE AFTER SAVED PASSWORDS FOUND LOADED IN CLEARTEXT MEMORY

Microsoft is rolling out a major security improvement for its Microsoft Edge browser after a researcher revealed that saved passwords were being loaded into memory in cleartext as soon as the browser launched.

The issue was publicly disclosed earlier this month by security researcher Tom Jøran Sønstebyseter Rønning, who discovered that Edge automatically loaded stored credentials into process memory during startup and kept them there for the entire browsing session. According to the findings, this happened even if users never visited a website tied to those credentials, raising concerns about how exposed password data could become on compromised systems.

The security concern mainly affects environments where attackers already have administrative access to a machine, especially terminal servers or shared enterprise systems. In those scenarios, malicious actors could potentially inspect the memory of browser processes belonging to logged-in users and extract the credentials held there in cleartext.

Microsoft acknowledged the issue and confirmed it is implementing a defense-in-depth security enhancement designed to stop passwords from automatically loading into memory when the browser starts. The company emphasized that exploiting the issue would still require the device to already be compromised, but cybersecurity experts say minimizing credential exposure is critical as modern attacks become increasingly sophisticated.

A spokesperson for Microsoft explained that browser security involves balancing performance, usability, and protection against evolving threats. However, the company decided to prioritize the fix after the researcher’s disclosure drew attention across the cybersecurity community.

According to Gareth Evans, the update is already live in Edge Canary and will soon roll out to all supported Edge channels, including Stable, Beta, Dev, Canary, and Extended Stable releases for enterprise customers. The fix will be included in Edge build 148 and newer, allowing users to receive the protection automatically through regular browser updates.

The move comes at a time when browser security is becoming increasingly important for both consumers and businesses. Password managers built directly into browsers are widely used because of their convenience, but they also remain attractive targets for cybercriminals seeking access to login credentials, financial accounts, and corporate systems.

Cybersecurity researchers have repeatedly warned that attackers are shifting toward credential-focused attacks, including memory scraping, infostealer malware, and session hijacking. Reducing the amount of sensitive data stored in memory for long periods can help lower the risk of credential theft during a breach.

Rønning expressed surprise after Microsoft announced it would change Edge’s behavior so quickly following the disclosure. Security researchers often report vulnerabilities or risky design decisions without immediate action from software vendors, making Microsoft’s rapid response notable within the cybersecurity industry.

The update reflects a broader trend across the tech sector as companies harden products against increasingly advanced cyber threats. With AI-powered malware and automated attack tools becoming more common, browser vendors are under pressure to improve how sensitive information is stored, processed, and protected.

For everyday Edge users, no manual action is required. Once the latest browser update is installed, passwords will no longer automatically load into memory at startup, helping reduce the potential exposure of stored credentials during active sessions.
