Microsoft has confirmed the latest security update for the Edge web browser, but disputes the industry-standard CVSS severity ratings applied to certain vulnerabilities.
Microsoft Edge recently overtook Apple Safari to become the second most used web browser on the planet, with more than 150 million users. Google’s Chrome browser is far ahead with over three billion users. Both, however, are based on the same Chromium engine under the hood. So when Google releases a Chrome security update to fix several high and critical vulnerabilities, Microsoft will inevitably do the same within a few days. This month, Google patched a total of 14 such security issues while, 48 hours later, Microsoft began rolling out an update fixing 10 of the vulnerabilities that also affected Edge users. This might lead you to the conclusion that Edge, at least this month, has proven to be somehow “more secure” than Chrome.
But hold your horses: technology, especially when it comes to security, is rarely so clear cut. In total, Microsoft has released a patch for 12 vulnerabilities, two of which are Edge-specific and have received a high CVSS (Common Vulnerability Scoring System) rating. However, Microsoft is downplaying the severity of these security issues, which, if successfully exploited, could let an attacker execute malicious code outside of the Edge security sandbox. So what’s going on here?
Not all security vulnerabilities are the same
The existence of a vulnerability rating system is proof, if you needed it, that not all security issues are the same. Well, certainly not when it comes to the risks they pose to your systems and data. Many organizations use these CVSS ratings to help inform their patch prioritization, although this is by no means the only metric. However, when this official rating is downplayed by the vendor releasing the patch, it could further muddy the waters. In the case of the Edge version 103.0.1264.37 update that started rolling out on June 23, Microsoft did exactly that for both Edge-specific sandbox escape and elevation-of-privilege vulnerabilities: CVE-2022-30192 and CVE-2022-33638.
Microsoft’s severity rating reasoning points to the Edge bounty program
If you follow these CVE links to Microsoft’s Security Update Guide, both entries are rated as “moderate” by the vendor, rather than carrying the high CVSS severity rating. Microsoft says this downgrade is due to “the amount of user interaction or prerequisites required to enable this type of exploitation.” It adds that “if a bug requires more than one click, keypress, or multiple prerequisites, the severity will be reduced.” Sorry, but that seems like a major loophole to me. Seriously, more than one click? If two clicks are enough to compromise your system and fry your data, doesn’t that deserve a high severity rating? The reasoning given refers to the Microsoft Edge Bounty Program, which rewards security researchers based on the severity of the vulnerability they discover.
I am absolutely sure that the decision is not influenced by the fact that a critical sandbox escape bug would bring a reward of between $20,000 and $30,000, while a moderate bug drops to only $5,000 at most and maybe as low as $1,000. It wouldn’t be too surprising if others came to this conclusion, however.
I contacted Microsoft for a statement regarding vulnerability severity rating in Edge and here is what a spokesperson said:
“There was no ‘downgrade’ with our severity rating for these vulnerabilities. Our severity rating differs from the CVSS rating due to the amount of interaction or prerequisites required to exploit the reported vulnerabilities. The CVSS rating system does not allow for this type of nuance, which is explained in our Security Update Guide entry.
The severity and impact of an issue on security is independently assessed by the appropriate product engineering team. Bounties are not considered in our severity designation process. They are based on the engineering team’s security impact assessment.”
How to Update Microsoft Edge Browser
None of this changes the advice to update your browser as soon as possible. Consumers should not wait for the rollout to reach their browser over the next few days, but rather force the install by following the instructions below. Professional users, on the other hand, are advised to follow their patching strategy based on an internal risk analysis.
Head to “Help & Feedback | About Microsoft Edge” in the three-dot menu at the top right; if an update is available, opening that page will start the process. Once it has downloaded and installed, as always, close all tabs and restart your browser. You will know you are protected when the version number reads Edge 103.0.1264.37.
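For anyone checking more than one machine, the version comparison is the step that goes wrong most often: compared as plain strings, "103.0.1264.9" sorts after "103.0.1264.37" and an unpatched build looks patched. The helper below, an added example rather than anything from the article or Microsoft, parses a version string component by component and compares it against the fixed build named above. The sample strings are constructed in the format printed by the Linux `microsoft-edge --version` command; that format is an assumption here.

```python
"""Compare an installed Edge version against the patched build (added example).

PATCHED_VERSION comes from the article; the sample version strings below are
constructed and assume the "Microsoft Edge <version>" output format.
"""
import re

PATCHED_VERSION = "103.0.1264.37"  # fixed build named in the article


def parse_version(text: str) -> tuple:
    """Extract the first dotted version number from a string such as
    'Microsoft Edge 103.0.1264.37' and return it as a tuple of ints, so that
    comparison is numeric per component rather than lexicographic."""
    match = re.search(r"\d+(?:\.\d+){1,3}", text)
    if not match:
        raise ValueError(f"no version number found in: {text!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def is_patched(version_text: str, fixed: str = PATCHED_VERSION) -> bool:
    """True when the installed version is the fixed build or newer."""
    return parse_version(version_text) >= parse_version(fixed)


if __name__ == "__main__":
    # Constructed sample outputs, not real inventory data.
    for sample in ("Microsoft Edge 103.0.1264.37",
                   "Microsoft Edge 103.0.1264.9",
                   "Microsoft Edge 102.0.0.0"):
        print(f"{sample!r}: patched={is_patched(sample)}")
```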