Microsoft To Roll Out Windows Patches For Privacy And Performance Leaks With Chrome Browser

Microsoft is hard at work on its new Chromium-based browser and delivered its first Chromium-based browser test build about a month ago. However, a big issue with the Chromium-based browsers has been discovered on Windows 10, and it can seriously impeded performance. The issues was brought to light by browser maker Vivaldi and a Google researcher; for its part, Microsoft is working on a fix for the issue.

The browser performance problem has to do with a Windows 10 security feature, but it's unclear if end-users of Chromium-based browsers are affected by the issue. The performance issue did pose enough of a challenge to Vivaldi that it appealed to Microsoft and Google for a fix. Microsoft's fix will be issued in the next Patch Tuesday update and the issue was initially reported in April. Google Chromium programmer Bruce Dawson has been able to trace the performance issue to a problem with a Windows 10 security feature called Control Flow Guard (CFG).

Vivaldi developer Yngve Pettersen discovered the performance issue after upgrading a Windows 7 Pro test cluster at the company to Windows 10. Petterson says that performance issues were noticed immediately with a test suite that had taken 100 minutes to run before the update extending to as long as 360 minutes to run afterward.

Petterson verified that the same problem existed on his home system. Dawson was able to trace the performance issue to a flaw in CreateProcesses on Windows 10 that quadruples every time the number of CFG functions doubles. Dawson did find that disabling CFG resolved the problem, but that isn't a fix that works in the real world.

Microsoft is also issuing a proposed fix for a privacy leak in Chromium Incognito Mode. The fix is something that Microsoft is contributing to the Chromium code base that powers several browsers including Edge and Chrome. The potential privacy leak that Microsoft is trying to fix occurs because Chromium didn't support Windows 10's IS_PRIVATE text input scope tag.

When using Incognito Mode, the Windows 10 keyboard would still learn from the information you typed during the Incognito session to improve the typing accuracy of the keyboard. That means that it would cache commonly used phrases, passwords, URLs and other bits of text and offer them up in other contexts. If you were using a shared computer to surf a dating website, there is a potential for the text you type there to turn up as auto-complete suggestions when using the computer for other tasks, a potentially very embarrassing issue for users.

Microsoft engineer Siye Lui has proposed that the input scope is set to IS_PRIVATE when the browser is in Incognito or guest modes on Windows 10. That change is currently in code review. Mozilla might worry about Microsoft's move to Chromium giving Google a browser monopoly, but Microsoft's participation is paying dividends in privacy already.