Microsoft has confirmed the latest security update for the Edge web browser but takes issue with the industry-standard CVSS severity ratings applied to some of the vulnerabilities it fixes.

Microsoft Edge recently overtook Apple Safari to become the second most-used web browser on the planet, with in excess of 150 million users. Google’s Chrome browser is way out in front with more than three billion users. Both, however, are built on the same open-source Chromium code base under the hood. So, when Google issues a Chrome security update to fix multiple high- and critical-rated vulnerabilities, Microsoft inevitably follows suit within a few days. This month, Google fixed a total of 14 such security issues while, 48 hours later, Microsoft started rolling out an update addressing the 10 of those vulnerabilities that also affected Edge users. This might lead you to the conclusion that Edge, at least this month, has proven to be somehow ‘more secure’ than Chrome.

But hold your horses: technology, and especially security, is rarely that clear cut. In total, Microsoft issued fixes for 12 vulnerabilities, two of which are Edge-specific and carry a Common Vulnerability Scoring System (CVSS) rating of high. Microsoft, however, downplays the severity of these two issues, which could, if successfully exploited, allow an attacker to execute malicious code outside of the Edge security sandbox. So, what’s going on here?

Not all security vulnerabilities are the same

That a vulnerability scoring system exists at all is evidence, should you have needed it, that not all security issues are the same, certainly not with regard to the risks they pose to your systems and data. Lots of organizations use CVSS ratings to help inform their patching prioritization, although it isn’t the only metric by any means. However, when that official rating is downplayed by the very vendor releasing the patch, it muddies the waters further. In the case of the Edge version 103.0.1264.37 update that started rolling out on 23 June, Microsoft has done just that for the two Edge-specific sandbox-escape, elevation-of-privilege vulnerabilities: CVE-2022-30192 and CVE-2022-33638.


Microsoft’s severity-rating reasoning links back to the Edge bounty program

If you follow those CVE links to Microsoft’s Security Update Guide, both entries are rated only ‘moderate’ by the vendor, rather than the high severity indicated by their CVSS scores. Microsoft states that this downgrading is due to “the amount of user interaction or preconditions required to allow this sort of exploitation.” It goes on to add that, “if a bug requires more than a click, a key press, or several preconditions, the severity will be downgraded.” Sorry, but that feels like a major cop-out to me. Seriously, more than a click? Two clicks and your system is compromised and your data is toast, yet that isn’t deserving of a high-severity rating? The reasoning given links back to the Microsoft Edge Bounty Program, which rewards security researchers according to the severity of the vulnerability they uncover.

I’m absolutely sure the decision isn’t influenced by the fact that a sandbox-escaping bug rated critical would bring a reward of between $20,000 and $30,000, whereas a moderate one drops to a maximum of $5,000 and possibly as little as $1,000. It wouldn’t be overly surprising if others did come to that conclusion, however.

I have reached out to Microsoft for a statement regarding the severity rating of vulnerabilities in Edge.

How to update the Microsoft Edge browser

None of this changes the advice to update your browser as soon as possible. Consumers shouldn’t wait for the staged rollout to reach their browser over the coming days but should instead force the installation as per the instructions below. Business users, on the other hand, are advised to follow their own patching strategy based on internal risk analysis.

Head to ‘Help and feedback | About Microsoft Edge’ from the three-dot menu at the top right of the browser. Opening that page checks for an update and, if one is available, forces the download and installation to start. Once it has installed, as always, close all tabs and restart your browser so the running process picks up the new build. You’ll know you are protected when the version number shown on that page reads Edge 103.0.1264.37 or later.
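If you manage more than a handful of Windows machines, clicking through the About page on each one doesn’t scale. The following PowerShell snippet is an added example, not code from the original article or from Microsoft, that reads the product version stamped on msedge.exe and compares it with the patched build. It assumes the default Stable-channel install locations (system-wide under Program Files, or per-user under LOCALAPPDATA); adjust the paths if Edge was installed elsewhere or you are checking a Beta, Dev or Canary channel.

```powershell
# Added example: confirm the installed Edge build is at or above the patched version.
# Assumes the default Stable-channel install paths; adjust for other channels or custom installs.
$patched = [version]'103.0.1264.37'   # build that fixes CVE-2022-30192 and CVE-2022-33638

# Candidate locations: 64-bit system install, 32-bit system install, per-user install.
$exe = @(${env:ProgramFiles(x86)}, $env:ProgramFiles, $env:LOCALAPPDATA) |
    Where-Object { $_ } |
    ForEach-Object { Join-Path $_ 'Microsoft\Edge\Application\msedge.exe' } |
    Where-Object { Test-Path $_ } |
    Select-Object -First 1

if (-not $exe) {
    Write-Error 'msedge.exe not found in the default locations; is Edge installed?'
    return
}

# [version] compares component by component, so 103.0.1264.37 is correctly greater than 103.0.1264.9,
# which a plain string comparison would get wrong.
$installed = [version](Get-Item $exe).VersionInfo.ProductVersion

if ($installed -ge $patched) {
    "Edge $installed at $exe is at or above $patched."
} else {
    "Edge $installed at $exe predates $patched; open edge://settings/help to force the update, then restart the browser."
}
```

The check reads the binary on disk, so it tells you what is installed, not what is currently running: a browser window left open since before the update will still be executing the old build until it is restarted, which is why the restart step above matters.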
