Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Management & Strategy

Microsoft Not Concerned About Disclosed Edge, IE Flaws

Microsoft does not seem too concerned about the risk posed by unpatched Internet Explorer and Edge vulnerabilities for which proof-of-concept (PoC) exploits were recently made public.

Microsoft does not seem too concerned about the risk posed by unpatched Internet Explorer and Edge vulnerabilities for which proof-of-concept (PoC) exploits were recently made public.

Researcher James Lee last week published PoC exploits for same-origin policy (SOP) bypass vulnerabilities affecting Microsoft’s Internet Explorer and Edge web browsers. He said he had reported his findings to the company 10 months ago, but received no reply and the flaws remain unpatched.

“The issue described does not meet our criteria for servicing and requires an attacker to convince a victim to visit a malicious website,” a Microsoft spokesperson told SecurityWeek. “We encourage our customers to practice good computing habits online, including exercising caution when clicking on links to web pages, opening unknown files, or accepting file transfers.”

The company has pointed users who may be concerned about these vulnerabilities to its online safety resources.

SOP is a mechanism designed to prevent websites from interacting with each other. However, Lee discovered flaws that can be exploited by a malicious site to obtain information from the URL of another website opened by a user.

Microsoft is not concerned about the impact of these vulnerabilities as it says the only type of information exposed via this method is the URL of a frame inside the same document.

Trend Micro has also conducted an analysis of the flaws and described them as “potentially very serious.”

“Examples of vulnerable information that might be stored in the URL include cookies, sessionIDs, usernames, passwords, and OAUTH tokens, either in plaintext or hash form,” the security firm explained. “OAUTH is a way of authorizing third party applications to login to users’ online accounts, and has a history of being abused. Any sensitive information included in the URL of a website could be collected using these vulnerabilities.”

Advertisement. Scroll to continue reading.

This was not the first time a researcher disclosed a SOP bypass flaw in Microsoft’s browsers after the company failed to release a patch.

In the meantime, Lee also disclosed a Content Security Policy (CSP) bypass vulnerability in Edge, but it’s unclear if Microsoft has been made aware of its existence and if it plans on patching it.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...