Microsoft Edge 109 + Security Baseline: Text Prediction, Microsoft Account And Azure AD Account Linking

Microsoft has now released Edge 109.0.1518.52. It brings new security updates, policies for better manageability, and new features. Since this is an odd-number release, the Security Baseline will be the same as Edge version 107.

Microsoft Edge 109 addresses a total of 14 security vulnerabilities. Out of the 14, 2 are Edge-specific, while 12 are for Chromium-based web browsers. These are discussed in detail down below.

Also, as a reminder, Microsoft Edge version 109 will be the last supported Edge version on Windows 7, 8, and 8.1, as announced earlier. From Edge 110 and onwards, Edge will no longer be supported on the aforementioned operating systems.

This makes it all the more important to upgrade to Edge version 109 at the earliest using the given guide below.

Additionally, Microsoft has also made minor changes to the Security Baseline for Edge v107 and released it. To increase your security, you may also download Microsoft Edge Security Baseline for version 109 from below.

Edge 109 Release Summary

• Complete Release Build: 109.0.1518.52
• Release Date: Thursday, January 12th, 2023
• Compatibility: Windows 11, 10, 8, 8.1, 7 (32-bit and 64-bit), Mac, Linux, iOS, and Android.
• Previous Build: Edge 108
• Bug Fixes: 14. More information about security fixes can be found here.

New in Microsoft Edge 109

In Edge 109, 14 security vulnerabilities have been addressed. Moreover, it also includes 8 new policies, 3 new features, and 2 policies that have become obsolete.

New Features

• Account Linking between a personal Microsoft account (MSA) and Azure Active Directory (AAD) account.

  Users can now link their personal Microsoft account (MSA) to their Azure Active Directory (AAD) account through their place of employment or educational institution.

  Once connected, users who are logged in with their work or school account can earn Microsoft Rewards points for using Microsoft Bing or Windows search box.

  Tenant admins can also manage this functionality by utilizing the “LinkedAccountEnabled” policy or the Message Center component of the Microsoft 365 Admin Center.

• Changes to TLS server certificate verification.

  The certificate trust list and the certificate verifier will be separated from the root store of the host operating system in Microsoft Edge version 110. Instead, the browser will offer and ship with the default certificate trust list and the certificate validator.

  To manage when the integrated root store and certificate verifier are utilized, the “MicrosoftRootStoreEnabled” policy is now available for testing.

  The policy will no longer be supported in Microsoft Edge version 111.

• Text prediction.

  Microsoft Edge now offers word and sentence predictions on websites to assist you in writing quickly and accurately. Using the “TextPredictionEnabled” policy, administrators can limit the use of text predictions.

  This is currently only available in the US, India, and Australia in the English language only.

New Policies

The following list of policies has been introduced with Edge 109:

• WebHidAllowAllDevicesForUrls

  Description: This setting allows you to list sites that are automatically granted permission to access all available devices.

  The URLs must be valid or the policy is ignored. Only the origin (scheme, host, and port) of the URL is evaluated.

  This policy overrides DefaultWebHidGuardSetting, WebHidAskForUrls, WebHidBlockedForUrls, and the user’s preferences.

  Location:

  Administrative Templates/Microsoft Edge/Content settings

• WebHidAllowDevicesForUrls

  Description: This setting lets you list the URLs that specify which sites are automatically granted permission to access an HID device with the given vendor and product IDs.

  Setting the policy Each item in the list requires both devices and URL fields for the item to be valid. Otherwise, the item is ignored.

  • Each item in the devices field must have a vendor_id and may have a product_id field.
  • Omitting the product_id field will create a policy matching any device with the specified vendor ID.
  • An item that has a product_id field without a vendor_id field is invalid and is ignored.

  If you don’t set this policy, that means DefaultWebHidGuardSetting applies, if it’s set. If not, the user’s personal setting applies.

  URLs in this policy shouldn’t conflict with those configured through WebHidBlockedForUrls. If they do, this policy takes precedence over WebHidBlockedForUrls.

  Location:

  Administrative Templates/Microsoft Edge/Content settings

• WebHidAllowDevicesWithHidUsagesForUrls

  Description: This setting allows you to list the URLs that specify which sites are automatically granted permission to access an HID device containing a top-level collection with the given HID usage.

  Each item in the list requires both usage and URL fields for the policy to be valid.

  • Each item in the usages field must have a usage_page and may have a usage field.
  • Omitting the usage field will create a policy matching any device containing a top-level collection with usage from the specified usage page.
  • An item that has a usage field without a usage_page field is invalid and is ignored.

  If you don’t set this policy, that means DefaultWebHidGuardSetting applies, if it’s set. If not, the user’s personal setting applies.

  URLs in this policy shouldn’t conflict with those configured through WebHidBlockedForUrls. If they do, this policy takes precedence over WebHidBlockedForUrls.

  Location:

  Administrative Templates/Microsoft Edge/Content settings

• MicrosoftRootStoreEnabled

  Description: When this policy is set to enabled, Microsoft Edge will perform verification of server certificates using the built-in certificate verifier with the Microsoft Root Store as the source of public trust.

  When this policy is set to disabled, Microsoft Edge will use the system certificate verifier and system root certificates. When this policy is not set, the Microsoft Root Store or system-provided roots may be used.

  This policy will be removed in Microsoft Edge for Microsoft Windows and macOS once support for using the platform-supplied certificate verifier and roots are planned to be removed.

  Location:

  Administrative Templates/Microsoft Edge/

• DefaultClipboardSetting

  Description: This policy controls the default value for the clipboard site permission.

  Setting the policy to “2” blocks sites from using the clipboard site permission.

  Setting the policy to “3” or leaving it unset lets the user change the setting and decide if the clipboard APIs are available when a site wants to use an API.

  This policy can be overridden for specific URL patterns using the ClipboardAllowedForUrls and ClipboardBlockedForUrls policies.

  This policy only affects clipboard operations controlled by the clipboard site permission and doesn’t affect sanitized clipboard writes or trusted copy-and-paste operations.

  Policy options mapping:

  • BlockClipboard (2) = Do not allow any site to use the clipboard site permission
  • AskClipboard (3) = Allow sites to ask the user to grant the clipboard site permission

  Location:

  Administrative Templates/Microsoft Edge/

• ClipboardAllowedForUrls

  Description: Configure the list of URL patterns that specify which sites can use the clipboard site permission.

  Setting the policy lets you create a list of URL patterns that specify which sites can use the clipboard site permission. This doesn’t include all clipboard operations on origins that match the patterns. For example, users will still be able to paste using keyboard shortcuts because this isn’t controlled by the clipboard site permission.

  Leaving the policy unset means DefaultClipboardSetting applies for all sites if it’s set. If it isn’t set, the user’s personal setting applies.

  Location:

  Administrative Templates/Microsoft Edge/

• ClipboardBlockedForUrls

  Description: Configure the list of URL patterns that specify which sites can use the clipboard site permission.

  Setting the policy lets you create a list of URL patterns that specify sites that can’t use the clipboard site permission. This doesn’t include all clipboard operations on origins that match the patterns. For example, users will still be able to paste using keyboard shortcuts because this isn’t controlled by the clipboard site permission.

  Leaving the policy unset means DefaultClipboardSetting applies for all sites if it’s set. If it isn’t set, the user’s personal setting applies.

  Location:

  Administrative Templates/Microsoft Edge/

• SearchFiltersEnabled

  Description: This policy lets you filter your autosuggestions by selecting a filter from the search filters ribbon. For example, if you select the “Favorites” filter, only favorites suggestions will be shown.

  If you enable or don’t configure this policy, the autosuggestion dropdown defaults to displaying the ribbon of available filters.

  If you disable this policy, the autosuggestion dropdown won’t display the ribbon of available filters.

  Location:

  Administrative Templates/Microsoft Edge/

Obsolete Policies

2 policies have become obsolete with Edge 109:

• SetTimeoutWithout1MsClampEnabled
• ExemptDomainFileTypePairsFromFileTypeDownloadWarnings

Security Enhancements

The following 14 security vulnerabilities have been addressed in Edge 109:

1. CVE-2023-21775 – Remote Code Execution Vulnerability
2. CVE-2023-21796 – Elevation of Privilege Vulnerability
3. CVE-2023-0129 – Heap buffer overflow in Network Service
4. CVE-2023-0130 – Inappropriate implementation in Fullscreen API
5. CVE-2023-0131 – Inappropriate implementation in iframe Sandbox
6. CVE-2023-0132 – Inappropriate implementation in Permission prompts
7. CVE-2023-0133 – Inappropriate implementation in Permission prompts
8. CVE-2023-0134 – Use after free in Cart
9. CVE-2023-0135 – Use after free in Cart
10. CVE-2023-0136 – Inappropriate implementation in Fullscreen API
11. CVE-2023-0138 – Heap buffer overflow in libphonenumber
12. CVE-2023-0139 – Insufficient validation of untrusted input in Downloads
13. CVE-2023-0140 – Inappropriate implementation in File System API
14. CVE-2023-0141 – Insufficient policy enforcement in CORS

Update to Edge 109

If you already have Microsoft Edge on your PC, you can simply upgrade it to the latest build using the guide given further down below. If not, use the links given in the next section to install it now.

Microsoft Edge comes preinstalled in Windows 11 and 10. Learn how to uninstall Microsoft Edge. If you wish to reinstall Edge, you can go here.

1. Open About Microsoft Edge.

   

   Click on the ellipses in the top-right corner of the browser, expand Help and feedback, and then click About Microsoft Edge.

2. Edge will automatically download and install the latest version. Click Restart when it’s done.

   

   Edge will now begin to scan for an update, and then download and install it if one is available. Once the download is completed, you will need to Restart the browser.

Once it relaunches, you can return to the About page and check that it has been updated to version 109.0.1518.52.

If you want to download Edge 109 for offline installation, you can visit the following page which lists several methods to download and upgrade your Microsoft Edge browser.

Download Microsoft Edge Browser.

Download Security Baseline for Microsoft Edge 109

Security baselines are Microsoft-recommended configuration settings that add an additional layer of security to your environment. However, Microsoft has made minor changes to Microsoft Edge v107 Security Baseline and it is still their recommended baseline for Edge 109, as noted in their announcement.

This Baseline now includes 7 new computer settings and 7 new user settings. The following table contains the details of the new security settings included in Edge v107 Security Baseline:

To gain more control over the browser and your PC, you can install this security baseline using the given steps:

1. Open the page for Microsoft Security Compliance Toolkit 1.0 and click Download.

   

2. Select Microsoft Edge v107 Security Baseline.zip.

   

   Check the box next to Microsoft Edge v107 Security Baseline.zip (and any other baselines you may require) and then click Next.

3. Extract the downloaded file.

   

   Your download should now begin. When downloaded, extract the files into a separate folder.

4. Navigate to the following location with the extracted folder:

   Microsoft Edge v107 Security Baseline >> Scripts

5. Run Baseline-LocalInstall with PowerShell.

   

   Right-click Baseline-LocalInstall and click on Run with PowerShell from the context menu.

   To run the baseline for Active Directory, you should run the Baseline-ADImport script instead.

The script will now run automatically. Wait for the PowerShell window to close on its own, and the security baseline for Microsoft Edge 109 will now be installed.

Conclusion

Microsoft Edge 109 does not introduce any significant new features. However, it does address some critical and high-level vulnerabilities that could potentially be exploited. Therefore, it is recommended that you update your Edge browser immediately to keep your system safe.

Also see:

• Microsoft Edge 105 Released With Critical Security Fixes, Security Baseline; Still Might Crash
• Download Microsoft Edge 106 That Rewrites Defender SmartScreen Library
• Download Microsoft Edge 90: SSO + PDF Printing + Security Baseline
• Download Microsoft Edge 98 Security Baseline
• Download Microsoft Edge 106 Security Baseline