{"id":243236,"date":"2026-07-14T17:26:00","date_gmt":"2026-07-14T21:26:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/07\/14\/public-sector-agencies-inherited-a-browser-credential-risk-a-patch-isnt-enough-to-close-it\/"},"modified":"2026-07-14T17:45:09","modified_gmt":"2026-07-14T21:45:09","slug":"public-sector-agencies-inherited-a-browser-credential-risk-a-patch-isnt-enough-to-close-it","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/07\/14\/public-sector-agencies-inherited-a-browser-credential-risk-a-patch-isnt-enough-to-close-it\/","title":{"rendered":"Public sector agencies inherited a browser credential risk. A patch isn\u2019t enough to close it."},"content":{"rendered":"<p><a href=\"https:\/\/federalnewsnetwork.com\/cybersecurity\/2026\/07\/public-sector-agencies-inherited-a-browser-credential-risk-a-patch-isnt-enough-to-close-it\/\">Public sector agencies inherited a browser credential risk. A patch isn\u2019t enough to close it.<\/a><\/p>\n<p><a href=\"https:\/\/federalnewsnetwork.com\/cybersecurity\/2026\/07\/public-sector-agencies-inherited-a-browser-credential-risk-a-patch-isnt-enough-to-close-it\/\">https:\/\/federalnewsnetwork.com\/cybersecurity\/2026\/07\/public-sector-agencies-inherited-a-browser-credential-risk-a-patch-isnt-enough-to-close-it\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-07-14 17:26:00<\/a><\/p>\n<p>Source Domain: <a href=\"federalnewsnetwork.com\">federalnewsnetwork.com<\/a><\/p>\n<p>Author: <a href=\"\"><\/a><\/p>\n<p> Using an unordered list, summarize the following article with between 4 and 8 key points. <\/p>\n<p>                    Microsoft Edge is the default web browser across a significant portion of the public sector IT estate, arriving as part of the Windows environment rather than through a standalone security decision. How it manages credentials in memory was not a question that process was designed to surface.<br \/>\nIn early May 2026, Norwegian security researcher Tom J\u00f8ran S\u00f8nstebyseter R\u00f8nning demonstrated that Edge loads the entire saved password vault into plaintext process memory at launch and holds it there for the full session. Chrome and Brave, both Chromium-based like Edge, use app-bound encryption and decrypt credentials only at the moment of autofill. Edge was doing neither. R\u00f8nning published a proof-of-concept tool showing that credentials could be extracted from that memory without sophisticated exploitation, only the ability to read process memory with elevated privileges.<br \/>\nMicrosoft\u2019s initial response was that the behavior was by design, and that administrator-level access to a device was already outside the browser\u2019s threat model. Less than two weeks later, under public pressure, the company reversed that position and announced that Edge version 148 would stop loading passwords into memory at startup.<br \/>\nThe fix is noteworthy. But for public sector security teams, it raises questions that version 148 doesn\u2019t answer: about the specific environments where this exposure was most consequential, about the threat market already built to exploit it, and about how a browser\u2019s credential handling behavior became a governance blind spot in the first place.]]><\/p>\n<p>What \u201cby design\u201d meant in practice<br \/>\nMicrosoft\u2019s \u201cby design\u201d position addressed the precondition: If an attacker already has administrator-level access, the device is compromised, and the browser isn\u2019t the last line of defense. That is true and largely beside the point. The more relevant question is what that access yields, and Edge\u2019s memory behavior made the answer considerably worse.<br \/>\nThe difference between Edge\u2019s always-decrypted vault and the decrypt-on-demand model used by Chrome and Brave is the difference between a persistent target and a narrow window. An attacker scraping process memory from a Chrome session needs to catch a specific autofill event. On Edge, the full vault is already in plaintext at any point during the session.<br \/>\nThe threat market doesn\u2019t need sophisticated targeting capabilities to exploit this. Infostealer malware is available through underground forums for a few hundred dollars a month, requires no meaningful technical skill to deploy, and is explicitly engineered to scrape browser process memory for credentials. In the first half of 2025 alone, 1.8 billion credentials were stolen globally through these tools. Edge\u2019s architecture made an already productive attack vector more productive still, against exactly the kind of environments public sector organizations run.<br \/>\nWhere public sector environments are specifically exposed<br \/>\nShared machines are common across many sectors. What distinguishes public sector environments is what sits behind the credentials stored on them. Benefits offices, licensing departments and administrative service desks run shared physical machines across multiple shifts, often connected to terminal server environments where disconnected sessions remain loaded in memory. Any attacker who achieves administrative access in this environment can effectively reach every session on that machine, including those belonging to users who logged off hours earlier.<br \/>\nWhat those credentials unlock is the more specific problem. Public sector IT estates are accumulations built across decades of procurement cycles, rarely segmented cleanly, with access entitlements that expand over time and seldom contract. Administrative credentials frequently cover broader territory than anyone originally mapped. A credential harvested from a browser in that environment is often a starting point for lateral movement across systems that share authentication or were never formally reviewed against each other.<br \/>\nStaff turnover extends the exposure window further. Public sector organizations carry significant volumes of contractors, temporary staff and rotating workers, and browser-stored credentials on shared machines are rarely cleared during offboarding. The vault Edge maintained in plaintext memory may contain active credentials belonging to people no longer employed there.<br \/>\nThe credentials in scope provide access to benefits records, health information and licensing data belonging to citizens who had no choice but to provide it. When that data is compromised through a shared workstation in a benefits office or licensing department, the people affected are not constituents who can take their business elsewhere.]]><\/p>\n<p>Browser policy is a credential governance decision<br \/>\nThe Edge 148 fix does not deploy itself. IT managers with centrally managed estates through Group Policy or Intune have the mechanism to push the update, but only if browser policy has been formally configured at that level. Many agencies haven\u2019t reached that point, which means the update may be sitting on individual machines waiting for a user-initiated restart, or may not have reached devices that are infrequently network-connected. Confirming version 148 is running across the estate is the first step, and it requires active verification.<br \/>\nThe more consequential decision is what to do about the built-in browser password manager. In most public sector environments, that question has never been formally asked. Staff save credentials in the browser because it is convenient, and nothing in the default configuration prevents it. The result is a credential store that grew outside any formal inventory, on a browser whose memory behavior was never evaluated as a security control. Disabling Edge\u2019s built-in password manager through Group Policy is a straightforward technical fix. The wider operational change is a documented policy decision that assigns ownership, covers shared and terminal server machines specifically, and integrates browser credential hygiene into onboarding and offboarding procedures.<br \/>\nThat policy gap existed before Edge 148 and will persist after it without deliberate action.<br \/>\nWhat comes next<br \/>\nMicrosoft\u2019s reversal confirmed that Edge\u2019s behavior was unnecessary exposure. The company knew it once a working proof-of-concept made the risk visible, and it shipped a fix within two weeks. A design position held for years was abandoned in a fortnight. That timeline is its own kind of signal.<br \/>\nEdge 148 addresses the forward exposure, but it doesn\u2019t answer what was accessible during the period the behavior was active, nor does it substitute for the policy decisions outlined above. For agencies running shared machines across fragmented estates, with credential stores that grew outside any formal inventory, the patch is the beginning of the work rather than the end of it.<br \/>\nMicrosoft\u2019s sudden turnaround set a standard of its own. The agencies that match it will be in a better position than those still waiting for a second proof-of-concept.<br \/>\nChris Skipworth is CEO of Passpack.<br \/>\n                    Copyright<br \/>\n                            \u00a9\u00a02026 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.<\/p>\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Public sector agencies inherited a browser credential risk. A patch isn\u2019t enough to close it&#8230;.<\/p>\n","protected":false},"author":1,"featured_media":243237,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/federalnewsnetwork.com\/wp-content\/uploads\/2025\/01\/IIG_Microsoft-FederaL_GettyImages-2040555990.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,31,36,32],"class_list":["post-243236","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-exploit","tag-infostealer","tag-malware"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/243236"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=243236"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/243236\/revisions"}],"predecessor-version":[{"id":243238,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/243236\/revisions\/243238"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/243237"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=243236"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=243236"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=243236"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}