Bug: Outlook functionality mutually excluding secure browser configuration.

Silver Contributor

Hi, folks.

 

This topic relates to a bug with the interoperability between Outlook and Microsoft Edge introduced somewhere around 2023 Q3.

 

I've documented the issue in the Microsoft Feedback Portal, however, I anticipate that issues are only cherry-picked by the number of votes and not the criticality, so I figured it might be worth cross-posting here and possibly also in Q&A:

 

 

Description

Microsoft Edge provides group policy settings for enforcing InPrivate browsing, which I use in conjunction with forced cache clearing on browser closure to ensure residual data (such as cookies and possibly other personal information) are not retained.

 

This works well, and up until recently bore no impact on Outlook.

 

Around July 2023, after an Office update, a high-impact bug was introduced for Edge InPrivate users where if you receive an e-mail with a hyperlink, and you click that hyperlink within the Outlook "read" view, it causes all Edge processes to terminate.

 

Reproduction

  • Ensure the following group policies Computer Configuration > Policies > Administrative Templates > Microsoft Edge under are set:
    • Clear browsing data when Microsoft Edge closes = Enabled;
    • Configure InPrivate mode availability = InPrivate mode forced; 
  • Ensure the policy has applied to your client before proceeding;
  • In Edge, browse to any page you like - you just need Edge open to see the bug's impact;
  • In Outlook, navigate to any e-mail that contains a hyperlink;
  • Click on the hyperlink.

What you will observe

  • Edge freezes for a short period;
  • All Edge processes terminate ungracefully, with all data being lost.

Workaround

  • In Edge, open a page (any page you like will suffice);
  • In Outlook, navigate to any e-mail that contains a hyperlink;
  • For that e-mail, choose one of the "sending" actions such as Forward or Reply;
  • Ctrl + click the hyperlink;
  • Observe that it now opens in InPrivate Edge just fine;
  • Press the Esc key to exit e-mail composition mode.

Impact

The issue may not be widespread but it is very high-impacting for in-scope users who frequently suffer data loss through the forcible closure of all Edge processes.

 

Conclusion

Organisations should not be forced by one product team (Outlook) to disable the security mechanics of another product (Edge).

 

The workaround is not intuitive for users and hasn't significantly precluded the loss of information.

 

This issue needs fixing.

 

Cheers,

Lain

0 Replies