Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Management & Strategy

Microsoft Not Concerned About Disclosed Edge, IE Flaws

Microsoft does not seem too concerned about the risk posed by unpatched Internet Explorer and Edge vulnerabilities for which proof-of-concept (PoC) exploits were recently made public.

Microsoft does not seem too concerned about the risk posed by unpatched Internet Explorer and Edge vulnerabilities for which proof-of-concept (PoC) exploits were recently made public.

Researcher James Lee last week published PoC exploits for same-origin policy (SOP) bypass vulnerabilities affecting Microsoft’s Internet Explorer and Edge web browsers. He said he had reported his findings to the company 10 months ago, but received no reply and the flaws remain unpatched.

“The issue described does not meet our criteria for servicing and requires an attacker to convince a victim to visit a malicious website,” a Microsoft spokesperson told SecurityWeek. “We encourage our customers to practice good computing habits online, including exercising caution when clicking on links to web pages, opening unknown files, or accepting file transfers.”

The company has pointed users who may be concerned about these vulnerabilities to its online safety resources.

SOP is a mechanism designed to prevent websites from interacting with each other. However, Lee discovered flaws that can be exploited by a malicious site to obtain information from the URL of another website opened by a user.

Microsoft is not concerned about the impact of these vulnerabilities as it says the only type of information exposed via this method is the URL of a frame inside the same document.

Trend Micro has also conducted an analysis of the flaws and described them as “potentially very serious.”

“Examples of vulnerable information that might be stored in the URL include cookies, sessionIDs, usernames, passwords, and OAUTH tokens, either in plaintext or hash form,” the security firm explained. “OAUTH is a way of authorizing third party applications to login to users’ online accounts, and has a history of being abused. Any sensitive information included in the URL of a website could be collected using these vulnerabilities.”

This was not the first time a researcher disclosed a SOP bypass flaw in Microsoft’s browsers after the company failed to release a patch.

In the meantime, Lee also disclosed a Content Security Policy (CSP) bypass vulnerability in Edge, but it’s unclear if Microsoft has been made aware of its existence and if it plans on patching it.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.