02-07-2020 12:28 AM
Microsoft advisory shows whether Edge keeps up with Chrome's patching
Microsoft has posted a security advisory that will record all updates to its new Chromium-based Edge browser, giving customers a way to monitor whether the company keeps up with Google's patching of Chrome.
"This advisory will be updated whenever Microsoft releases a version of Microsoft Edge which incorporates publicly disclosed security updates from the Chromium project," the Redmond, Wash. firm wrote on the support document.
As of mid-day Wednesday, only one listing populated the advisory. The item, dated Jan. 17, called out four CVE-identified vulnerabilities. (CVE, for "Common Vulnerabilities and Exposures," is the most-used bug-naming standard.)
The advisory also noted the Edge version number that included the patches and the corresponding version of Chromium that also quashed the bugs. Because Chrome assumes Chromium's version numbers without change - for some reason, Edge does not - the advisory was the first way that was found to link a specific version of Edge to one of Chrome.
This security advisory is supposed to list all Edge security updates. Comparing the version number of Edge to that of Chrome lets customers monitor whether Microsoft has kept up with Chromium's/Chrome's fixes.
Google released Chrome 79.0.3945.130 - the Chromium version listed in the advisory - on Jan. 16, saying that the interim update included patches for 11 vulnerabilities. As usual, Google only identified four of the 11 by CVE. The quartet matched the four CVEs that Microsoft said were addressed in Edge.
Meanwhile, the Edge update, which Microsoft released Jan. 17 - one day after Chrome's - was marked as version 79.0.309.68.
(That's not the most current Edge; Microsoft updated the browser again on Jan. 23 to 79.0.309.71. However, there was no sign that that version patched any vulnerabilities. For a complete listing of Edge updates, users can steer to the Microsoft Update Catalog; pre-filtered the results to show only those for the Stable build of the browser.)
Edge 79.0.309.68 thus equals Chrome 79.0.3945.130.
Microsoft patched Edge just a day after Google refreshed Chrome, indicating that the former browser will not substantially lag behind the latter. If it had, attackers might have been able to use the interval to reverse engineer a patch, uncover the vulnerability and craft an exploit.
Still unknown is the size of the gap between Google promoting a new version of Chrome to the Stable branch and Microsoft following suit with Edge.
On Tuesday, Google released Chrome 80 - specifically, version 80.0.3987.87 - with new features as well as 56 security fixes. Google listed 37 of the 56 with CVE identifiers. Ten of the 37 were marked "High," the second-most-serious ranking in Chrome's four-step rating system.
As of 2 p.m. ET Wednesday, Microsoft had not updated Edge to reflect Chrome's shift to version 80.
02-07-2020 02:32 PM
Edge version 80 stable released Version 80.0.361.48 (Official build) (64-bit)
This is such awesome news. The gap between Chrome and Edge's release is very minimal; hopefully it will be less in the future.