[German]Microsoft released Edge 120.0.2210.61 in the stable channel on December 7, 2023. This version closes three vulnerabilities (as well as Chromium vulnerabilities). The new Edge also comes with new guidelines. One relates to a new telemetry function that saves search histories via third-party search providers (active by default). Thanks to the blog readers for the tips.
Chaos with the updates?
I reported a few days ago in the blog post Google Chrome 120.0.6099.62/.63 released that several vulnerabilities (some rated as High) had been closed in Google Chrome 120. Microsoft had the note "Microsoft is aware of the recent Chromium security fixes as of December 6, 2023. We are actively working on releasing a security patch." (see this German reader comment). This notice seems to have disappeared. Robert noted that Edge version 120.0.2210.61 is not yet based on the new Chrome version 120.0.6099.71. However, I have not found any information on this – if I go through the closed vulnerabilities, the Chromium vulnerabilities are also fixed.
Edge 120.0.2210.61 with security fixes
On December 7, 2023, Microsoft announced the release of Edge 120.0.2210.61 in the stable channel. According to the (security) release notes, this version should contain the latest security updates from the Chromium project. In the security release notes, Microsoft states that it has closed the following vulnerabilities.
- CVE-2023-38174: Information disclosure, CVSS:3.1 4.3 / 3.8; Severity: Low; The user must click on a specially crafted URL to be compromised by the attacker. By exploiting this vulnerability, only a limited amount of information is disclosed, no sensitive information can be obtained.
- CVE-2023-35618: Elevation of privilege, Elevation of privilege, Severity: Medium; This vulnerability could lead to a browser sandbox being exited. To do this, a user must visit a manipulated website, download it and open it. Remote code execution is then possible. However, Microsoft writes that the severity has been downgraded because many user interactions or preconditions are probably required to enable exploitation.
- CVE-2023-36880: Information disclosure, CVSS:3.1 4.8 / 4.2; Severity: Low; Attackers would need to gather information about the environment and take additional measures to prepare the target environment. According to Microsoft, no sensitive information can be obtained. Attackers who have successfully exploited the vulnerability may be able to execute code to a limited extent. Microsoft classifies the exploitation as unlikely.
According to this Microsoft page, the vulnerabilities CVE-2023-6512, CVE-2023-6511, CVE-2023-6510, CVE-2023-6509 and CVE-2023-6508 are also fixed. However, these are all vulnerabilities from the Chromium branch of the browser (see Google Chrome 120.0.6099.62/.63 released).
With Edge 120.0.2210.61, two new features have also been implemented, which Microsoft lists in the release notes. Here is a description of these new features:
- RendererAppContainer. For additional security benefits, the native Windows app container is activated by default. However, this can be switched off by policy in the event of compatibility problems – see the note below.
- Updated SmartActionsBlockList policy. The SmartActionsBlockList policy has been updated with new policy option mappings. Administrators can now configure the policy to control smart actions such as definitions on websites (smart_actions_website) or smart actions in PDFs and on websites (smart_actions).
Note: If a company identify a compatibility issue due to code injection by security software, they should contact the software manufacturer directly. Alternatively, they can use the RendererAppContainerEnabledpolicy to balance the security benefits in Microsoft Edge with their other software.
New policies and a telemetry
With Edge 120.0.2210.61, some new guidelines have also been implemented, which Microsoft lists in the release notes. I have extracted the relevant guidelines here:
- AutoDiscardSleepingTabsEnabled – Configure auto discard sleeping tabs
- AutomaticProfileSwitchingSiteList – Configure the automatic profile switching site list
- Edge3PSerpTelemetryEnabled – Edge 3P SERP Telemetry Enabled
- PostQuantumKeyAgreementEnabled – Enable post-quantum key agreement for TLS
- WebAppSettings – Web App management settings
The descriptions can be found in the linked sections. However, I would like to mention the Edge 3P SERP Telemetry Enabled policy. Blog reader Michael P. emailed me this morning about a special feature in the new guidelines (thank you) and wrote: Interesting is the new telemetry feature that can be turned off via GPO or in the menu (not found where that is supposed to be in a hurry). This refers to the policy EEdge3PSerpTelemetryEnabled.
As of Edge 120.0.2210.61, Edge3P telemetry collects search queries that the user performs with third-party providers without identifying the person or device. The collection should only take place if the user has consented to this data collection. The user can deactivate the collection at any time in the browser settings.
However, telemetry is active by default, as Microsoft writes: "If you enable or do not configure this policy, the Edge 3P SERP telemetry feature will be enabled". To prevent the Edge 3P SERP telemetry feature from collecting search history, administrators must disable this policy. This can be done via GPO Edge3PSerpTelemetryEnabled under Administrative Templates/Microsoft Edge/ or in the following registry branch:
The 32-bit DWORD value Edge3PSerpTelemetryEnabled must be set to 0x0 in order to prevent detection. A value of 1 or a missing entry allows telemetry.
Cookies helps to fund this blog: Cookie settings