Microsoft Edge

Microsoft has declined to patch a security bug Cisco Talos researchers discovered in the Edge browser, claiming the reported issue is by design. Apple and Google patched a similar flaw in Safari (CVE-2017-2419) and Chrome (CVE-2017-5033), respectively.

According to Cisco Talos researcher Nicolai Grødum, the vulnerability can be classified as a bypass of the Content Security Policy (CSP), a mechanism that allows website developers to configure HTTP headers and instruct the browsers of people visiting their site what resources (JavaScript, CSS) they can load and from where. The Content Security Policy (CSP) is one of the tools that browsers use to enforce Same-Origin Policy (SOP) inside browsers.

Grødum says that he found a way to bypass CSP — technical details available here — that will allow an attacker to load malicious JavaScript code on a remote site and carry out intrusive operations such as collecting information from users’ cookies, or logging keystrokes inside the page’s forms, and others.

Exploiting flaw is moderately simple

Exploiting the flaw is somewhat simple — at least for people with background in web development. An attacker only needs to open a new page via the “_blank” method and use the document.write function to write malicious code inside this page before loading the actual content. The malicious content — the code to execute a banal XSS attack — remains, and helps the attacker bypass CSP protections.

The researcher found the flaw last year in November. The issue has a CVSS severity score of 4.3 out of 10.

Summarizing, Edge users are still vulnerable to this flaw, while users employing Google Chrome 57.0.2987.98, iOS 10.3, and Safari 10.1 or later are all protected. Firefox is not affected.