Edge Browser Vulnerabilities

Ballard, Tom 0 Reputation points
2026-06-04T16:15:21.3933333+00:00

Why are my organization's PCs all reporting multiple vulnerabilities for the Edge browser when there is no available update?

Microsoft Edge | Other | Windows 11

2 answers

  1. Bulldog 2,285 Reputation points
    2026-06-04T17:55:27.9666667+00:00

    No one here can figure out why your computers are reporting vulnerabilities. We don't know anything about the computers involved or the vulnerabilities being reported. I suggest bringing someone onsite who can examine those computers.


  2. AI answer

    2026-06-04T16:15:36.0966667+00:00

    Security tools typically flag known Microsoft Edge CVEs when the underlying Windows/Edge build does not yet contain the cumulative security update that fixes them. For Edge on Windows 10/11, those fixes are delivered as part of regular Windows cumulative updates, not as a separate Edge-only security patch.

    From the provided security bulletins and KB articles, Edge vulnerabilities (memory corruption, security feature bypass, etc.) are remediated by installing the corresponding cumulative security update for Windows/Edge, for example:

    • MS16-024, MS16-038, MS16-085, MS16-096, MS16-129 describe multiple Microsoft Edge memory corruption and security feature bypass vulnerabilities that allow remote code execution or policy bypass when a user visits a specially crafted webpage.
    • The associated KBs (for example, 3140745, 3140768, 3176492, 3176493, 3176495, 3198585, 3198586, 3200970) are cumulative Windows updates that include the Edge fixes.

    If all PCs report Edge vulnerabilities but “no update is available,” the usual causes are:

    1. The machines are not actually on the latest cumulative update for their Windows build.
      • Edge security fixes are bundled into the monthly cumulative updates (e.g., “Cumulative update for Windows 10…”). Until those are installed, scanners will continue to report the CVEs.
    2. The environment is on a build that no longer receives security updates.
      • Once a Windows version is out of support, there are no newer cumulative updates to deliver Edge fixes, so tools will still report vulnerabilities while Windows Update shows nothing new.
    3. Update channels or policies are delaying or blocking the relevant cumulative update.
      • WSUS/ConfigMgr/Intune or local policies may be holding back the latest cumulative update that contains the Edge fixes.

    To resolve the discrepancy:

    1. Verify the exact Windows build and cumulative update level on affected PCs.
    2. Compare that build to the latest cumulative update available for that version (for example, the KBs listed in the Edge security update articles).
    3. Ensure the latest cumulative update for the in-support Windows version is approved and installed on all devices.
    4. If the OS version is out of support, plan an upgrade to a supported Windows build so that newer Edge security fixes can be applied.

    Once the appropriate cumulative Windows updates that include the Edge fixes are installed, vulnerability scanners should stop reporting those Edge CVEs for the updated machines.


    AI-generated content may be incorrect. Read our transparency notes for more information.

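The verification steps listed in the answer above (build and cumulative update level, installed KBs, update policies that hold updates back) can be collected per PC with a short script. This is an added example, not part of either answer; `$ExpectedOsBuild` is a hypothetical placeholder for the fixed build your scanner or update catalog reports, and the Edge paths are the default install locations. It also records the installed `msedge.exe` version so it can be compared with the version named in the scanner finding.

```powershell
# Added example: gather the patch-level facts to compare against a scanner finding.
param(
    # Hypothetical placeholder: the build.revision listed as fixed for your Windows version.
    [string]$ExpectedOsBuild = '<latest-build.revision>'
)

# CurrentBuild.UBR is the OS build plus the cumulative update revision.
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$osBuild = '{0}.{1}' -f $cv.CurrentBuild, $cv.UBR

# Most recently installed updates (KB numbers) recorded by Windows.
$recentKbs = Get-HotFix | Where-Object InstalledOn |
    Sort-Object InstalledOn -Descending | Select-Object -First 5

# Installed Edge binary version, if present in either default location.
$edgeExe = @(${env:ProgramFiles(x86)}, $env:ProgramFiles) | Where-Object { $_ } |
    ForEach-Object { Join-Path $_ 'Microsoft\Edge\Application\msedge.exe' } |
    Where-Object { Test-Path $_ } | Select-Object -First 1
$edgeVersion = if ($edgeExe) { (Get-Item $edgeExe).VersionInfo.ProductVersion } else { $null }

# Update policies that can redirect or defer cumulative updates (WSUS, deferrals).
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wu = Get-ItemProperty $wuKey -ErrorAction SilentlyContinue
$au = Get-ItemProperty "$wuKey\AU" -ErrorAction SilentlyContinue

[pscustomobject]@{
    Computer            = $env:COMPUTERNAME
    DisplayVersion      = $cv.DisplayVersion
    OsBuild             = $osBuild
    ExpectedOsBuild     = $ExpectedOsBuild
    OsBuildMatches      = ($osBuild -eq $ExpectedOsBuild)
    EdgeVersion         = $edgeVersion
    LastInstalledKbs    = ($recentKbs.HotFixID -join ', ')
    LastKbInstalledOn   = ($recentKbs | Select-Object -First 1).InstalledOn
    UsesWsus            = ($au.UseWUServer -eq 1)
    WsusServer          = $wu.WUServer
    DeferQualityUpdates = $wu.DeferQualityUpdates
    DeferQualityDays    = $wu.DeferQualityUpdatesPeriodInDays
}
```

Run it on a sample of affected PCs and compare `OsBuild`, `EdgeVersion` and the policy fields with the affected and fixed versions named in the scanner report.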
