Microsoft syncs Edge’s release to Chrome’s cadence
Microsoft last week quietly upgraded its Chromium-based Edge to version 80, the first refresh for the browser since it debuted in a stable format three weeks earlier.
The company upgraded Edge to version 80.0.361.48 on 7 February, just three days after Google upgraded Chrome to version 80.
Since then, developers at both Google and Microsoft have been working on their versions of Chromium 80, each using a multi-stage cadence of Canary, Dev, Beta and then Stable builds to release progressively more reliable and polished code.
One question that Microsoft has not addressed is how long it would take to get from Chromium to a finished version of Edge, most importantly whether there would be a lag, and if so, how long, between Google launching Chrome and Microsoft releasing Edge. The shorter the lag, the better: Criminals could conceivably exploit a large gap by reverse engineering Chrome’s fixes for that version’s security vulnerabilities, then applying the results to a not-yet-patched Edge.
The first Chrome security update issued after Edge’s 15 January launch was on 16 January. Microsoft delivered an update for the same vulnerabilities on 17 January. Although the narrow window between the two was encouraging, what was still unknown was the length of the lag between Google promoting a new version of Chrome to the Stable branch and Microsoft following suit.
That lag turned out to be only three days.
On 4 January, Google released Chrome 80.0.3987.87, with new features as well as 56 security fixes. Google listed 37 of the 56 with CVE (Common Vulnerabilities & Exposures) identifiers. Ten of the 37 were marked “High,” the second-most-serious ranking in Chrome’s (and Chromium’s) four-step rating system.
In Microsoft’s ongoing Edge security advisory, the firm reported that Edge 80.0.361.48 also included fixes for the same 37 CVEs. (Presumably, Microsoft also patched the 29 bugs for which Google did not list CVEs.)
What Microsoft has yet to do is describe what non-security changes were made to Edge between versions 79 and 80. (To be fair, Google has not done the same for Chrome 80, in part because it tends to tout new features and functionality when they reach the browser’s Beta build.)
A commentary on the support page titled “Release notes for Microsoft Edge Security Updates,” for example, was laughably short, and in the advisory Microsoft took to linking to Google’s notes for Chrome 80.
Some ideas about changes made in Edge 80 can be gleaned by searching the browser’s group policies’ documentation using the string “since version 80.” Doing so signalled that Edge 80 will likely began to enforce the SameSite cookie control standard around the same time as does Chrome, and that it will also tackle mixed content, notably blocking downloads of files over non-encrypted connections, as Chrome is to do in March.
The near-to-Chrome release of Edge 80 also means that users of the latter should expect upgrades on the same rhythm as Chrome users do their browser, and close to the same dates.
The next several versions of Chrome are scheduled to release on these dates. Microsoft should upgrade Edge with days of them.
Chrome 81: 17 March
Chrome 82: 28 April
Chrome 83: 9 June
Chrome 84: 4 August
Chrome 85: 15 September
IDG News Service