Microsoft Edge

Microsoft has declined to patch a security bug Cisco Talos researchers discovered in the Edge browser, claiming the reported issue is by design. Apple and Google patched a similar flaw in Safari (CVE-2017-2419) and Chrome (CVE-2017-5033), respectively.

According to Cisco Talos researcher Nicolai Grødum, the vulnerability can be classified as a bypass of the Content Security Policy (CSP), a mechanism that allows website developers to configure HTTP headers and instruct the browsers of people visiting their site what resources (JavaScript, CSS) they can load and from where. The Content Security Policy (CSP) is one of the tools that browsers use to enforce Same-Origin Policy (SOP) inside browsers.

Grødum says that he found a way to bypass CSP — technical details available here — that will allow an attacker to load malicious JavaScript code on a remote site and carry out intrusive operations such as collecting information from users’ cookies, or logging keystrokes inside the page’s forms, and others.

Exploiting flaw is moderately simple

Exploiting the flaw is somewhat simple — at least for people with background in web development. An attacker only needs to open a new page via the “_blank” method and use the document.write function to write malicious code inside this page before loading the actual content. The malicious content — the code to execute a banal XSS attack — remains, and helps the attacker bypass CSP protections.

The researcher found the flaw last year in November. The issue has a CVSS severity score of 4.3 out of 10.

Summarizing, Edge users are still vulnerable to this flaw, while users employing Google Chrome 57.0.2987.98, iOS 10.3, and Safari 10.1 or later are all protected. Firefox is not affected.

Related Articles:

Google Chrome to Remove “Secure” Indicator From HTTPS Pages in September

Google Fixes Issue That Broke Millions of Web-Based Games in Chrome

Chrome Tests Picture-in-Picture API to Show Floating Video Popups Outside the Browser

Google Says Chrome Now Blocks "About Half of Unwanted Autoplays"

Microsoft's Windows 10 "April 2018 Update" Being Released on Monday