Microsoft has released a new build for the Edge browser. Edge build 113 was released on 5th May. This makes Edge version 113.0.1774.35 the current build for the Edge browser n the stable channel.
The latest upgrade of the Edge browser is in line with the impending Patch Tuesday security updates that will be released on 9th May 2023.
Edge version 113.0.1774.35 resolves security vulnerabilities covered under the Chromium project. It also covers all the previous security threats that have been already patched in previous releases of the Microsoft Edge browser.
Edge security updates are cumulative in nature.
We look at the details of the latest Edge upgrade and the upgrades that happened over the previous month.
Edge version history for April and May 2023
- 6th April 2023 – Microsoft released Edge version 112.0.1722.34 to resolve CVE-2023-28284, CVE-2023-24935, and CVE-2023-28301.
- 14th April 2023 – Edge version 112.0.1722.48 to resolve CVE-2023-29334.
- 19th April 2023 – Edge version 112.0.1722.54 to resolve CVE-2023-2136.
- 21st April 2023 – Edge version 112.0.1722.58 to further update CVE-2023-29334.
- 24th April 2023 – Edge version 109.0.1518.100 updated to resolve CVE-2023-2133 and CVE-2023-2136.
- 4th May 2023 – Microsoft Edge Extended Stable Channel Version112.0.1722.71 contains fix for CVE-2023-29350 and CVE-2023-29354 security threats.
- 5th May 2023 – Edge version 113.0.1774.35 becomes the latest stable release version
–
Security vulnerabilities Edge version 113.0.1774.35
The current update to the Edge browser covers the following vulnerabilities that have been reported under the Chromium project:
CVE-2023-29350
| CVE-2023-29350 | Details |
|---|---|
| Vulnerability type | Elevation of Privileges |
| CVSS Score | 7.5 |
| Severity | Important |
| Publicly disclosed | No |
| Exploited | No |
| Exploitation scope | Exploitation less likely |
| Attack Complexity | High |
| User interaction required | Yes, the user will have to click on a specially crafted URL to be compromised by the attacker |
| Impact | Successful exploitation of this vulnerability could lead to a full compromise of the browser. |
| Microsoft link of security release | Read more about CVE-2023-29350 |
CVE-2023-29354
| CVE-2023-29354 | Details |
|---|---|
| Vulnerability type | Security Feature Bypass Vulnerability |
| CVSS Score | 4.7 |
| Severity | Moderate |
| Publicly disclosed | No |
| Exploited | No |
| User interaction required | Yes, the user would have to click on a specially crafted URL to be compromised by the attacker. |
| Loss of integrity scope | Attacker is able to bypass Content Security Policy (CSP) and Pop-up blocker due to this vulnerability, but cannot modify additional content of the browser itself. |
| Scope change impact | This vulnerability could lead to a browser iFrame sandbox escape, but not a full browser sandbox escape. |
| Microsoft security document | The attacker is able to bypass Content Security Policy (CSP) and Pop-up blocker due to this vulnerability, but cannot modify additional content of the browser itself. |
Progressive update policy
Edge updates are released by Microsoft under the ‘Progressive update policy’ over the course of a few days. This is done to ensure that the updates are released in a phased approach.
The phased release of security updates is planned to monitor the health of systems that have been updated. It helps in preempting any major issues across various system architectures.
This is what Microsoft has to write about the Progressive update policy of the Edge browser:
Each installation of Microsoft Edge is assigned an upgrade value. When we start rolling out incrementally, you’ll see the update when the value on your device falls within the upgrade value range. As the rollout progresses (within a few days), all users will eventually get the update. Browser updates with critical security fixes will have a faster rollout cadence than updates that don’t have critical security fixes. This is done to ensure prompt protection from vulnerabilities.
, You can read more about the progressive update policy for the Edge browser on this page.
Enterprise rollout
Enterprise rollout of the latest Edge security release can take place through any of the following methods:
- Microsoft Intune
- WSUS or Windows Server Update Service
- Configuration manager
- Enterprises that manage distribution via Microsoft Intune are registered for auto-updates. Progressive Rollout is used, and all the users will see an update in a few days.
- Enterprises that manage distribution through WSUS (Windows Server Update Services) or Configuration Manager are not registered for auto-updates. Administrators manage and apply the updates that will be available from the start. Progressive Rollout does not affect this process.
Rajesh Dhawan is a technology professional who loves to blog about smart wearables, Cloud computing and Microsoft technologies. He loves to break complex problems into manageable chunks of meaningful information.