The advisory will be updated when Microsoft releases a new version of Edge that includes publicly disclosed security updates from the Chromium project.
Microsoft has posted a security advisory that will record all updates to its new Chromium-based Edge browser, giving customers a way to monitor whether the company keeps up with Google’s patching of Chrome.
“This advisory will be updated whenever Microsoft releases a version of Microsoft Edge which incorporates publicly disclosed security updates from the Chromium project,” the Redmond, Wash. firm wrote on the support document.
As of mid-day Wednesday, only one listing populated the advisory. The item, dated Jan. 17, called out four CVE-identified vulnerabilities. (CVE, for “Common Vulnerabilities and Exposures,” is the most-used bug-naming standard.)
The advisory also noted the Edge version number that included the patches and the corresponding version of Chromium that also quashed the bugs. Because Chrome assumes Chromium’s version numbers without change – for some reason, Edge does not – the advisory was the first way Computerworld found to link a specific version of Edge to one of Chrome.
Google released Chrome 79.0.3945.130 – the Chromium version listed in the advisory – on Jan. 16, saying that the interim update included patches for 11 vulnerabilities. As usual, Google only identified four of the 11 by CVE. The quartet matched the four CVEs that Microsoft said were addressed in Edge.
Meanwhile, the Edge update, which Microsoft released Jan. 17 – one day after Chrome’s – was marked as version 79.0.309.68.
(That’s not the most current Edge; Microsoft updated the browser again on Jan. 23 to 79.0.309.71. However, there was no sign that that version patched any vulnerabilities. For a complete listing of Edge updates, users can steer to the Microsoft Update Catalog; Computerworld has pre-filtered the results to show only those for the Stable build of the browser.)
Microsoft patched Edge just a day after Google refreshed Chrome, indicating that the former browser will not substantially lag behind the latter. If it had, attackers might have been able to use the interval to reverse engineer a patch, uncover the vulnerability and craft an exploit.
Still unknown is the size of the gap between Google promoting a new version of Chrome to the Stable branch and Microsoft following suit with Edge.
On Tuesday, Google released Chrome 80 – specifically, version 80.0.3987.87 – with new features as well as 56 security fixes. Google listed 37 of the 56 with CVE identifiers. Ten of the 37 were marked “High,” the second-most-serious ranking in Chrome’s four-step rating system.
As of 2 p.m. ET Wednesday, Microsoft had not updated Edge to reflect Chrome’s shift to version 80. Computerworld will continue to monitor Edge and how, or even if, it keeps pace with Chrome.