Microsoft Edge 109 + Security Baseline: Text Prediction, Microsoft Account And Azure AD Account Linking

If you are using Microsoft Edge, you will automatically get the updated version with Windows Update. Alternatively, you can go to Menu > Help & Feedback > About Microsoft Edge to check for updates manually.

Microsoft has now released Edge 109.0.1518.52. It brings new security updates, policies for better manageability, and new features. Since this is an odd-number release, the Security Baseline will be the same as Edge version 107.

Microsoft Edge 109 addresses a total of 14 security vulnerabilities. Out of the 14, 2 are Edge-specific, while 12 are for Chromium-based web browsers. These are discussed in detail down below.

Also, as a reminder, Microsoft Edge version 109 will be the last supported Edge version on Windows 7, 8, and 8.1, as announced earlier. From Edge 110 and onwards, Edge will no longer be supported on the aforementioned operating systems.

This makes it all the more important to upgrade to Edge version 109 at the earliest using the given guide below.

Additionally, Microsoft has also made minor changes to the Security Baseline for Edge v107 and released it. To increase your security, you may also download Microsoft Edge Security Baseline for version 109 from below.

Edge 109 Release Summary

  • Complete Release Build: 109.0.1518.52
  • Release Date: Thursday, January 12th, 2023
  • Compatibility: Windows 11, 10, 8, 8.1, 7 (32-bit and 64-bit), Mac, Linux, iOS, and Android.
  • Previous Build: Edge 108
  • Bug Fixes: 14. More information about security fixes can be found here.

New in Microsoft Edge 109

In Edge 109, 14 security vulnerabilities have been addressed. Moreover, it also includes 8 new policies, 3 new features, and 2 policies that have become obsolete.

New Features

  • Account Linking between a personal Microsoft account (MSA) and Azure Active Directory (AAD) account.

    Users can now link their personal Microsoft account (MSA) to their Azure Active Directory (AAD) account through their place of employment or educational institution.

    Once connected, users who are logged in with their work or school account can earn Microsoft Rewards points for using Microsoft Bing or Windows search box.

    Tenant admins can also manage this functionality by utilizing the “LinkedAccountEnabled” policy or the Message Center component of the Microsoft 365 Admin Center.

  • Changes to TLS server certificate verification.

    The certificate trust list and the certificate verifier will be separated from the root store of the host operating system in Microsoft Edge version 110. Instead, the browser will offer and ship with the default certificate trust list and the certificate validator.

    To manage when the integrated root store and certificate verifier are utilized, the “MicrosoftRootStoreEnabled” policy is now available for testing.

    The policy will no longer be supported in Microsoft Edge version 111.

  • Text prediction.

    Microsoft Edge now offers word and sentence predictions on websites to assist you in writing quickly and accurately. Using the “TextPredictionEnabled” policy, administrators can limit the use of text predictions.

    This is currently only available in the US, India, and Australia in the English language only.

New Policies

The following list of policies has been introduced with Edge 109:

  • WebHidAllowAllDevicesForUrls

    Description: This setting allows you to list sites that are automatically granted permission to access all available devices.

    The URLs must be valid or the policy is ignored. Only the origin (scheme, host, and port) of the URL is evaluated.

    This policy overrides DefaultWebHidGuardSetting, WebHidAskForUrls, WebHidBlockedForUrls, and the user’s preferences.

    Location:

    Administrative Templates/Microsoft Edge/Content settings
  • WebHidAllowDevicesForUrls

    Description: This setting lets you list the URLs that specify which sites are automatically granted permission to access an HID device with the given vendor and product IDs.

    Each item in the list requires both devices and URL fields for the item to be valid. Otherwise, the item is ignored.

    • Each item in the devices field must have a vendor_id and may have a product_id field.
    • Omitting the product_id field will create a policy matching any device with the specified vendor ID.
    • An item that has a product_id field without a vendor_id field is invalid and is ignored.

    If you don’t set this policy, that means DefaultWebHidGuardSetting applies, if it’s set. If not, the user’s personal setting applies.

    URLs in this policy shouldn’t conflict with those configured through WebHidBlockedForUrls. If they do, this policy takes precedence over WebHidBlockedForUrls.

    Location:

    Administrative Templates/Microsoft Edge/Content settings
  • WebHidAllowDevicesWithHidUsagesForUrls

    Description: This setting allows you to list the URLs that specify which sites are automatically granted permission to access an HID device containing a top-level collection with the given HID usage.

    Each item in the list requires both usage and URL fields for the policy to be valid.

    • Each item in the usages field must have a usage_page and may have a usage field.
    • Omitting the usage field will create a policy matching any device containing a top-level collection with usage from the specified usage page.
    • An item that has a usage field without a usage_page field is invalid and is ignored.

    If you don’t set this policy, that means DefaultWebHidGuardSetting applies, if it’s set. If not, the user’s personal setting applies.

    URLs in this policy shouldn’t conflict with those configured through WebHidBlockedForUrls. If they do, this policy takes precedence over WebHidBlockedForUrls.

    Location:

    Administrative Templates/Microsoft Edge/Content settings
  • MicrosoftRootStoreEnabled

    Description: When this policy is set to enabled, Microsoft Edge will perform verification of server certificates using the built-in certificate verifier with the Microsoft Root Store as the source of public trust.

    When this policy is set to disabled, Microsoft Edge will use the system certificate verifier and system root certificates. When this policy is not set, the Microsoft Root Store or system-provided roots may be used.

    This policy will be removed in Microsoft Edge for Microsoft Windows and macOS once support for using the platform-supplied certificate verifier and roots is removed.

    Location:

    Administrative Templates/Microsoft Edge/
  • DefaultClipboardSetting

    Description: This policy controls the default value for the clipboard site permission.

    Setting the policy to “2” blocks sites from using the clipboard site permission.

    Setting the policy to “3” or leaving it unset lets the user change the setting and decide if the clipboard APIs are available when a site wants to use an API.

    This policy can be overridden for specific URL patterns using the ClipboardAllowedForUrls and ClipboardBlockedForUrls policies.

    This policy only affects clipboard operations controlled by the clipboard site permission and doesn’t affect sanitized clipboard writes or trusted copy-and-paste operations.

    Policy options mapping:

    • BlockClipboard (2) = Do not allow any site to use the clipboard site permission
    • AskClipboard (3) = Allow sites to ask the user to grant the clipboard site permission

    Location:

    Administrative Templates/Microsoft Edge/
  • ClipboardAllowedForUrls

    Description: Configure the list of URL patterns that specify which sites can use the clipboard site permission.

    Setting the policy lets you create a list of URL patterns that specify which sites can use the clipboard site permission. This doesn’t include all clipboard operations on origins that match the patterns. For example, users will still be able to paste using keyboard shortcuts because this isn’t controlled by the clipboard site permission.

    Leaving the policy unset means DefaultClipboardSetting applies for all sites if it’s set. If it isn’t set, the user’s personal setting applies.

    Location:

    Administrative Templates/Microsoft Edge/
  • ClipboardBlockedForUrls

    Description: Configure the list of URL patterns that specify which sites can’t use the clipboard site permission.

    Setting the policy lets you create a list of URL patterns that specify sites that can’t use the clipboard site permission. This doesn’t include all clipboard operations on origins that match the patterns. For example, users will still be able to paste using keyboard shortcuts because this isn’t controlled by the clipboard site permission.

    Leaving the policy unset means DefaultClipboardSetting applies for all sites if it’s set. If it isn’t set, the user’s personal setting applies.

    Location:

    Administrative Templates/Microsoft Edge/
  • SearchFiltersEnabled

    Description: This policy lets you filter your autosuggestions by selecting a filter from the search filters ribbon. For example, if you select the “Favorites” filter, only favorites suggestions will be shown.

    If you enable or don’t configure this policy, the autosuggestion dropdown defaults to displaying the ribbon of available filters.

    If you disable this policy, the autosuggestion dropdown won’t display the ribbon of available filters.

    Location:

    Administrative Templates/Microsoft Edge/
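The validity rules listed above for WebHidAllowDevicesForUrls can be checked before a value is deployed. The PowerShell below is an added example, not code from this article or from Microsoft; the function names, the sample JSON and the exact-string comparison against WebHidBlockedForUrls entries are assumptions, and `urls` is the key name of the URL field.

```powershell
# Constructed sample value for WebHidAllowDevicesForUrls (hosts and IDs are made up).
$sampleJson = @'
[
  { "devices": [ { "vendor_id": 1234, "product_id": 5678 } ], "urls": [ "https://hid.contoso.example" ] },
  { "devices": [ { "vendor_id": 1234 } ],                     "urls": [ "https://tools.contoso.example" ] },
  { "devices": [ { "product_id": 5678 } ],                    "urls": [ "https://legacy.contoso.example" ] },
  { "devices": [ { "vendor_id": 4321, "product_id": 1 } ] }
]
'@

# True when the parsed JSON object carries the named field (a value of 0 still counts).
function Test-Field($Object, [string]$Name) {
    $null -ne $Object.PSObject.Properties[$Name]
}

# Hypothetical helper: one finding per device entry, following the rules listed above.
function Test-WebHidAllowDevicesForUrls {
    param(
        [Parameter(Mandatory)][string]$Json,
        [string[]]$BlockedUrls = @()   # entries of WebHidBlockedForUrls, compared as exact strings
    )
    $index = 0
    foreach ($item in (ConvertFrom-Json -InputObject $Json)) {
        $index++
        if (-not ((Test-Field $item 'devices') -and (Test-Field $item 'urls'))) {
            [pscustomobject]@{ Item = $index; Urls = ''; Finding = 'IGNORED: needs both devices and urls' }
            continue
        }
        # An allow entry wins over WebHidBlockedForUrls, so an overlap silently unblocks the site.
        $overlap = @($item.urls | Where-Object { $BlockedUrls -contains $_ })
        foreach ($device in $item.devices) {
            $finding = if (-not (Test-Field $device 'vendor_id')) {
                'IGNORED: device entry has no vendor_id'
            } elseif (-not (Test-Field $device 'product_id')) {
                'BROAD: matches every device with this vendor ID'
            } elseif ($overlap.Count -gt 0) {
                "CONFLICT: overrides block for $($overlap -join ', ')"
            } else {
                'OK: limited to one vendor/product pair'
            }
            [pscustomobject]@{ Item = $index; Urls = $item.urls -join ', '; Finding = $finding }
        }
    }
}

Test-WebHidAllowDevicesForUrls -Json $sampleJson -BlockedUrls 'https://hid.contoso.example' |
    Format-Table -AutoSize
```

With the sample value, item 1 is reported as a conflict with the block list, item 2 as a vendor-wide grant, and items 3 and 4 as entries the browser would ignore.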

Obsolete Policies

2 policies have become obsolete with Edge 109:

Security Enhancements

The following 14 security vulnerabilities have been addressed in Edge 109:

  1. CVE-2023-21775 – Remote Code Execution Vulnerability
  2. CVE-2023-21796 – Elevation of Privilege Vulnerability
  3. CVE-2023-0129 – Heap buffer overflow in Network Service
  4. CVE-2023-0130 – Inappropriate implementation in Fullscreen API
  5. CVE-2023-0131 – Inappropriate implementation in iframe Sandbox
  6. CVE-2023-0132 – Inappropriate implementation in Permission prompts
  7. CVE-2023-0133 – Inappropriate implementation in Permission prompts
  8. CVE-2023-0134 – Use after free in Cart
  9. CVE-2023-0135 – Use after free in Cart
  10. CVE-2023-0136 – Inappropriate implementation in Fullscreen API
  11. CVE-2023-0138 – Heap buffer overflow in libphonenumber
  12. CVE-2023-0139 – Insufficient validation of untrusted input in Downloads
  13. CVE-2023-0140 – Inappropriate implementation in File System API
  14. CVE-2023-0141 – Insufficient policy enforcement in CORS

Update to Edge 109

If you already have Microsoft Edge on your PC, you can simply upgrade it to the latest build using the guide given further down below. If not, use the links given in the next section to install it now.

Microsoft Edge comes preinstalled in Windows 11 and 10. Learn how to uninstall Microsoft Edge. If you wish to reinstall Edge, you can go here.

  1. Open About Microsoft Edge.

    Click on the ellipses in the top-right corner of the browser, expand Help and feedback, and then click About Microsoft Edge.

  2. Edge will automatically download and install the latest version. Click Restart when it’s done.

    Edge will now begin to scan for an update, and then download and install it if one is available. Once the download is completed, you will need to Restart the browser.

Once it relaunches, you can return to the About page and check that it has been updated to version 109.0.1518.52.

If you want to download Edge 109 for offline installation, you can visit the following page which lists several methods to download and upgrade your Microsoft Edge browser.

Download Microsoft Edge Browser.

Download Security Baseline for Microsoft Edge 109

Security baselines are Microsoft-recommended configuration settings that add an additional layer of security to your environment. However, Microsoft has made minor changes to Microsoft Edge v107 Security Baseline and it is still their recommended baseline for Edge 109, as noted in their announcement.

This Baseline now includes 7 new computer settings and 7 new user settings. The following table contains the details of the new security settings included in Edge v107 Security Baseline:

| Security Setting For | Details | Location within Windows Registry |
| --- | --- | --- |
| Machine | Allow clipboard use on specific sites | HKLM\Software\Policies\Microsoft\Edge\ClipboardAllowedForUrls |
| Machine | Block clipboard use on specific sites | HKLM\Software\Policies\Microsoft\Edge\ClipboardBlockedForUrls |
| Machine | Default clipboard site permission | HKLM\Software\Policies\Microsoft\Edge!DefaultClipboardSetting |
| Machine | (Deprecated) Determines whether the Microsoft Root Store and built-in certificate verifier will be used to verify server certificates | HKLM\Software\Policies\Microsoft\Edge!MicrosoftRootStoreEnabled |
| Machine | Allow listed sites to connect to specific HID devices | HKLM\Software\Policies\Microsoft\Edge!WebHidAllowDevicesForUrls |
| Machine | Allow listed sites to connect to any HID device | HKLM\Software\Policies\Microsoft\Edge\WebHidAllowAllDevicesForUrls |
| Machine | Automatically grant permission to these sites to connect to HID devices containing top-level collections with the given HID usage | HKLM\Software\Policies\Microsoft\Edge!WebHidAllowDevicesWithHidUsagesForUrls |
| User | Allow clipboard use on specific sites | HKCU\Software\Policies\Microsoft\Edge\ClipboardAllowedForUrls |
| User | Block clipboard use on specific sites | HKCU\Software\Policies\Microsoft\Edge\ClipboardBlockedForUrls |
| User | Default clipboard site permission | HKCU\Software\Policies\Microsoft\Edge!DefaultClipboardSetting |
| User | (Deprecated) Determines whether the Microsoft Root Store and built-in certificate verifier will be used to verify server certificates | HKCU\Software\Policies\Microsoft\Edge!MicrosoftRootStoreEnabled |
| User | Allow listed sites to connect to specific HID devices | HKCU\Software\Policies\Microsoft\Edge!WebHidAllowDevicesForUrls |
| User | Allow listed sites to connect to any HID device | HKCU\Software\Policies\Microsoft\Edge\WebHidAllowAllDevicesForUrls |
| User | Automatically grant permission to these sites to connect to HID devices containing top-level collections with the given HID usage | HKCU\Software\Policies\Microsoft\Edge!WebHidAllowDevicesWithHidUsagesForUrls |

New security settings in Security Baseline for Edge 109
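To see which of these settings are actually present on a machine, the registry locations in the table can be read directly. The PowerShell below is an added example, not part of the original article or of Microsoft's baseline scripts; the function names are hypothetical, and it assumes Windows, with HKCU reflecting the account that runs it.

```powershell
# Policy names come from the table above. Rows written "Edge\Name" are list policies kept
# as a subkey of numbered values; rows written "Edge!Name" are values on the Edge key itself.
$listPolicies  = 'ClipboardAllowedForUrls', 'ClipboardBlockedForUrls', 'WebHidAllowAllDevicesForUrls'
$valuePolicies = 'DefaultClipboardSetting', 'MicrosoftRootStoreEnabled',
                 'WebHidAllowDevicesForUrls', 'WebHidAllowDevicesWithHidUsagesForUrls'

# Short reading of a configured value, using only what the article states about each policy.
function Get-PolicyNote([string]$Policy, $Value) {
    switch ($Policy) {
        'DefaultClipboardSetting'      { if ($Value -eq 2) { 'BlockClipboard' } elseif ($Value -eq 3) { 'AskClipboard' } }
        'WebHidAllowAllDevicesForUrls' { 'listed sites reach all HID devices; overrides WebHidBlockedForUrls' }
        'MicrosoftRootStoreEnabled'    { 'deprecated; no longer supported from Edge 111' }
        default                        { '' }
    }
}

# Hypothetical helper: one row per hive and policy for the 7 settings in the table.
function Get-EdgeBaselineSetting {
    foreach ($edgeKey in 'HKLM:\Software\Policies\Microsoft\Edge',
                         'HKCU:\Software\Policies\Microsoft\Edge') {
        foreach ($name in ($listPolicies + $valuePolicies)) {
            $value = $null
            if ($listPolicies -contains $name) {
                $subKey = "$edgeKey\$name"
                if (Test-Path -Path $subKey) {
                    $key   = Get-Item -Path $subKey
                    $value = @($key.GetValueNames() | ForEach-Object { $key.GetValue($_) }) -join '; '
                }
            }
            elseif (Test-Path -Path $edgeKey) {
                $value = (Get-Item -Path $edgeKey).GetValue($name)
            }
            # A DWORD of 0 is a configured value; only a missing or empty entry is unconfigured.
            $configured = -not [string]::IsNullOrEmpty([string]$value)
            [pscustomobject]@{
                Key        = $edgeKey
                Policy     = $name
                Configured = $configured
                Value      = $value
                Note       = if ($configured) { Get-PolicyNote $name $value } else { '' }
            }
        }
    }
}

Get-EdgeBaselineSetting | Format-Table -AutoSize -Wrap
```

Running it before and after applying a baseline gives a quick diff of which of the listed settings changed.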

To gain more control over the browser and your PC, you can install this security baseline using the given steps:

  1. Open the page for Microsoft Security Compliance Toolkit 1.0 and click Download.

  2. Select Microsoft Edge v107 Security Baseline.zip.

    Check the box next to Microsoft Edge v107 Security Baseline.zip (and any other baselines you may require) and then click Next.

  3. Extract the downloaded file.

    Your download should now begin. When downloaded, extract the files into a separate folder.

  4. Navigate to the following location within the extracted folder:

    Microsoft Edge v107 Security Baseline >> Scripts
  5. Run Baseline-LocalInstall with PowerShell.

    Right-click Baseline-LocalInstall and click on Run with PowerShell from the context menu.

    To run the baseline for Active Directory, you should run the Baseline-ADImport script instead.

The script will now run automatically. Wait for the PowerShell window to close on its own, and the security baseline for Microsoft Edge 109 will now be installed.

Conclusion

Microsoft Edge 109 does not introduce any significant new features. However, it does address some critical and high-level vulnerabilities that could potentially be exploited. Therefore, it is recommended that you update your Edge browser immediately to keep your system safe.

Microsoft Edge Update History

| Edge Version | Release Date | Features |
| --- | --- | --- |
| Edge 109 | 13-Jan-23 | 14 security updates, 8 new policies, and 2 deprecated policies. |
| Edge 108 | 5-Dec-22 | Important security fixes, a new policy to disable Web Select amongst others. |
| Edge 107 | 27-Oct-22 | Improved sidebar, new policies, and security fixes. |
| Edge 106 | 3-Oct-22 | Improved web defense and increased the maximum number of search results to 4 |
| Edge 105 | 2-Sep-22 | Improvements to IE mode and enhanced security |
| Edge 104 | 5-Aug-22 | Support to import data and enhanced security on the web |
| Edge 103 | 23-Jun-22 | Improvements for online and web gaming |
| Edge 102 | 31-May-22 | With reverse image search and security improvements |
| Edge 100 | 1-Apr-22 | Sends 3-digit user agent string, PDF updates, and hardware-enforced stack protection |
| Edge 99 | 3-Mar-22 | Custom primary password and PDF navigation |
| Edge 98 | 4-Feb-22 | Edge Bar, reduced resource consumption |
| Edge 97 | 6-Jan-22 | Auto-citation, endpoint data loss prevention (DLP) |
| Edge 96 | 10-Dec-21 | Super duper secure mode, typosquatting |
| Edge 90 | 15-Apr-21 | SSO, PDF printing |
| Edge 88 | 21-Jan-21 | Password generator, transparent privacy controls |

Microsoft Edge history

Subhan Zafar is an established IT professional with interests in Windows and Server infrastructure testing and research, and is currently working with Itechtics as a research consultant. He has studied Electrical Engineering and is also certified by Huawei (HCNA & HCNP Routing and Switching).
