Microsoft Edge 84.0.522.40 released

[German]Microsoft issued a security advisory on July 16, 2020, which indicates the new security update for the Chromium Edge Browser to version 84.0.522.40.

I had been expecting a security update of the Edge for days, because once Microsoft ended the announced pause (Microsoft pauses new Edge builds in the Dev and Beta channel) regarding Edge development the days. Also, an update of the Chrome browser was released during the days (see Chrome 84.0.4147.89 released).

Microsoft's security advice

In the security advisory dated July 16, 2020, Microsoft discloses only the following information:

******************************************************************
Title: Microsoft Security Update Releases
Issued: July 16, 2020
******************************************************************

Summary: The following CVEs have undergone a major revision increment:

* ADV200002
* CVE-2020-1341

Revision Information:
=====================
* Microsoft Security Advisory ADV200002
– ADV200002 | Chromium Security Updates for Microsoft Edge based on Chromium
– Reason for Revision: Updated advisory to announce a new version of Microsoft Edge
   (Chromium-based). Please see the table for more information.
– Originally posted: January 28, 2020
– Updated: July 16, 2020
– Version: 17.0

* CVE-2020-1341
– CVE-2020-1341 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
– Version: 1.0
– Reason for Revision: Information published.
– Originally posted: July 16, 2020
– Updated: N/A
– Aggregate CVE Severity Rating: Moderate

At ADV200002  there is then the information that the Microsoft Edge 84.0.522.40 is based on the Chromium browser 84.0.4147.89 and is a critical security update. It closes the following vulnerabilities:

CVE-2020-6510, CVE-2020-6511, CVE-2020-6512, CVE-2020-6513,
CVE-2020-6514, CVE-2020-6515, CVE-2020-6516, CVE-2020-6517,
CVE-2020-6518, CVE-2020-6519, CVE-2020-6520, CVE-2020-6522, CVE-2020-6523, CVE-2020-6524, CVE-2020-6525, CVE-2020-6526, CVE-2020-6527, CVE-2020-6528, CVE-2020-6529, CVE-2020-6530, CVE-2020-6531, CVE-2020-6533, CVE-2020-6534, CVE-2020-6535, CVE-2020-6536

An immediate update is recommended for security reasons.

What else you should know

Microsoft has used the break to make many changes to the new Edge. These are listed below and documented in these release notes.

• This version of Microsoft Edge provides improved site list download times for Internet Explorer mode. We've reduced download delay for the Internet Explorer mode site list to 0 seconds (down from a 60-second wait) in the absence of a cached site list. We've also added group policy support for cases when Internet Explorer mode home page navigations need to be delayed until the site list is downloaded. For more information, see the DelayNavigationsForInitialSiteListDownload policy.

• Microsoft Edge now allows users to sign-into the browser when it's "run as administrator" on Windows 10. This will help customers running Microsoft Edge on Windows server or in remote-desktop and sandbox scenarios.

• Microsoft Edge now provides full mouse support when in full screen mode. Now you can use your mouse to access tabs, the address bar, and other items without having to exit full screen mode.

• Online purchase improvement. Add custom nicknames to saved debit or credit cards. Now you can distinguish and differentiate your credit cards when making online purchases. Nicknaming your debit or credit cards lets you choose the correct card when using autofill to select a payment method.

• TLS/1.0 and TLS/1.1 are disabled by default. To help discover impacted sites, you can set the edge://flags/#display-legacy-tls-warnings flag to cause Microsoft Edge to display a non-blocking "Not Secure" notice when loading pages that require legacy TLS protocols. The SSLVersionMin policy permits re-enabling of TLS/1.0 and TLS/1.1. This policy will remain available until at least Microsoft Edge version 88. For more information, see Site compatibility-impacting changes coming to Microsoft Edge.

• Collections improvements:

  • A note capability is added that lets you add a note or comment to an item in a collection. Notes are grouped together and stay attached to an item even if you sort the items in a collection. To try this new feature, right-click on an item and select "Add note".
  • You can change the background color of notes in collections. You can use color coding to help you organize information and increase productivity.
  • There are noticeable performance improvements, which lets you export your collections to Excel in less time than in previous versions of Microsoft Edge.

• Additional Microsoft Edge API support:

  • The Storage Access API. This API allows access to first-party storage in a third-party context when a user provides a direct intent to allow storage that would otherwise be blocked by the browser's current configuration.

    As privacy is becoming increasingly important to users, requests for stricter browser defaults and user opt-in settings like blocking all third-party storage access are increasingly common. While these settings help improve privacy and block unwanted access by unknown or untrusted parties, they can have unwanted side effects such as blocking access to content the user may want to view (for example, social media and embedded media content.)

  • The Native File System API, which means you can give sites permissions to edit files or folders via the Native File System API.

• PDF improvements:

  • Read Aloud for PDF lets users listen to PDF content while carrying out other tasks that may be important for them. It also helps audio visual learners focus on reading the content, making learning easier.
  • PDF file editing is improved. Now you can save an edit made to a PDF back to the file instead of saving a copy each time you edit the PDF.

• Microsoft Edge now enables Translation in the Immersive Reader. When a user opens the Immersive Reader view, they get the option to translate the page to their desired language.

• Several DevTools updates, including support for customizing keyboard shortcuts to match VS Code and viewing the DevTools in high contrast. For more details, see What's New In DevTools (Microsoft Edge 84).

Policy updates

For administrators in corporate environments, the updates of group policies are relevant. Here is a brief overview:

New policies

Seven new policies were added. Download the updated Administrative Templates from the Microsoft Edge Enterprise landing page. The following new policies were added.

• AppCacheForceEnabled – Allows the AppCache feature to be re-enabled, even if it's turned off by default.
• ApplicationGuardContainerProxy – Configure the settings for the Application Guard Container Proxy.
• DelayNavigationsForInitialSiteListDownload – Require that the Enterprise Mode Site List is available before tab navigation.
• WinHttpProxyResolverEnabled – Use the Windows proxy resolver.
• InternetExplorerIntegrationEnhancedHangDetection – Configure enhanced hang detection for Internet Explorer mode.
• NativeWindowOcclusionEnabled – Enable Hiding of Native Windows.
• NavigationDelayForInitialSiteListDownloadTimeout – Set a timeout for delay of tab navigation for the Enterprise Mode Site List.

Deprecated policies

• AllowSyncXHRInPageDismissal – Allow pages to send synchronous XHR requests during page dismissal.
• BuiltinCertificateVerifierEnabled – Determines whether the built-in certificate verifier will be used to verify server certificates.
• StricterMixedContentTreatmentEnabled – Enable stricter treatment for mixed content.

Obsoleted policy

ForceNetworkInProcess – Force networking code to run in the browser process.