A security researcher has discovered that Microsoft Edge will load all your stored passwords into memory in plaintext at startup, making it easy for malware to scrape those passwords.
You assume malware that comes from somewhere else and has full access to the entire system by the time it tries to attack the browser. If your default scenario is that the system has been completely compromised by arbitrarily complex malware, there’s no point in security measures at all because they’ve already failed by definition.
What about malware that runs inside the browser, e.g. after exploiting a vulnerability in the JS runtime? Peeking at the browser’s memory would be easier than breaking out of containment and obtaining control of the entire system. It would even be easier than obtaining control of the browser to a degree where you can access credentials without user intervention. Even if we assume that it’s as simple as reading the key from an easily found location and the credentials from another easily found location, that’s more work than just reading the credentials. And it becomes harder if the locations are less easily found.
Also, a defense doesn’t have to offer perfect protection in order to be worthwhile. It’s all a game of likelihoods; making an attack harder means it’s less likely to be done. Any additional step the attacker needs to take offers more protection because the attacker actually needs to take it. Microsoft actively worked to reduce the number of steps an attacker needs to take, which is worth calling out.
Defense in depth is important. Don’t insist that one single safety mechanism should protect against everything when layering them is known to be more effective.
If you’ve already got malware on your machine that can exploit this, how or where the passwords in your browser are exposed is entirely irrelevant.
This is just another one of these non-issue “vulnerabilities” where your computer has to already be completely cracked wide open to be exploited.
You assume malware that comes from somewhere else and has full access to the entire system by the time it tries to attack the browser. If your default scenario is that the system has been completely compromised by arbitrarily complex malware, there’s no point in security measures at all because they’ve already failed by definition.
What about malware that runs inside the browser, e.g. after exploiting a vulnerability in the JS runtime? Peeking at the browser’s memory would be easier than breaking out of containment and obtaining control of the entire system. It would even be easier than obtaining control of the browser to a degree where you can access credentials without user intervention. Even if we assume that it’s as simple as reading the key from an easily found location and the credentials from another easily found location, that’s more work than just reading the credentials. And it becomes harder if the locations are less easily found.
Also, a defense doesn’t have to offer perfect protection in order to be worthwhile. It’s all a game of likelihoods; making an attack harder means it’s less likely to be done. Any additional step the attacker needs to take offers more protection because the attacker actually needs to take it. Microsoft actively worked to reduce the number of steps an attacker needs to take, which is worth calling out.
Defense in depth is important. Don’t insist that one single safety mechanism should protect against everything when layering them is known to be more effective.