
Microsoft Not Concerned About Disclosed Edge, IE Flaws

Microsoft does not seem too concerned about the risk posed by unpatched Internet Explorer and Edge vulnerabilities for which proof-of-concept (PoC) exploits were recently made public.

Researcher James Lee last week published PoC exploits for same-origin policy (SOP) bypass vulnerabilities affecting Microsoft’s Internet Explorer and Edge web browsers. He said he had reported his findings to the company 10 months ago, but received no reply and the flaws remain unpatched.

“The issue described does not meet our criteria for servicing and requires an attacker to convince a victim to visit a malicious website,” a Microsoft spokesperson told SecurityWeek. “We encourage our customers to practice good computing habits online, including exercising caution when clicking on links to web pages, opening unknown files, or accepting file transfers.”

The company has pointed users who may be concerned about these vulnerabilities to its online safety resources.

SOP is a browser mechanism designed to prevent a page from one origin from reading data that belongs to another. However, Lee discovered flaws that a malicious site can exploit to obtain information from the URL of another website opened by the user.

Microsoft is not concerned about the impact of these vulnerabilities as it says the only type of information exposed via this method is the URL of a frame inside the same document.

Trend Micro has also conducted an analysis of the flaws and described them as “potentially very serious.”

“Examples of vulnerable information that might be stored in the URL include cookies, sessionIDs, usernames, passwords, and OAUTH tokens, either in plaintext or hash form,” the security firm explained. “OAUTH is a way of authorizing third party applications to login to users’ online accounts, and has a history of being abused. Any sensitive information included in the URL of a website could be collected using these vulnerabilities.”
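As an added example (not code from the article, from the researcher or from Trend Micro), the following Node-compatible JavaScript audits a URL for the kind of secret-bearing parameters Trend Micro lists, which are exactly the values a cross-origin URL leak would expose, and returns a redacted copy that is safe to log; the parameter-name list and the length and entropy thresholds are my assumptions.

```javascript
// Added example (not from the article): audit a URL for secret-bearing
// parameters that a cross-origin URL leak would expose, and return a copy
// that is safe to log. Parameter names and thresholds are assumptions.
const SENSITIVE_PARAMS = new Set([
  "access_token", "id_token", "refresh_token", "token", "oauth_token", "code",
  "sessionid", "session_id", "sid", "phpsessid", "jsessionid",
  "username", "user", "password", "passwd", "cookie", "auth", "api_key", "apikey",
]);

// Shannon entropy in bits per character; long, high-entropy values look like
// tokens or hashes even when the parameter name is innocuous.
function entropyBitsPerChar(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

function looksLikeSecret(value) {
  return value.length >= 20 && entropyBitsPerChar(value) >= 3.5;
}

// Checks both the query string and the fragment: a leaked URL reveals both,
// and OAuth implicit-flow tokens are commonly delivered in the fragment.
function auditUrl(rawUrl) {
  const url = new URL(rawUrl);
  const fragParams = new URLSearchParams(url.hash.replace(/^#/, ""));
  const findings = [];
  for (const [where, params] of [["query", url.searchParams], ["fragment", fragParams]]) {
    // Iterate over a snapshot so redaction does not disturb the live list.
    for (const [name, value] of [...params]) {
      const byName = SENSITIVE_PARAMS.has(name.toLowerCase());
      if (byName || looksLikeSecret(value)) {
        findings.push({ where, name, reason: byName ? "name" : "entropy" });
        params.set(name, "REDACTED"); // url.searchParams writes through to url
      }
    }
  }
  // Only rewrite the fragment when something in it was redacted, so a plain
  // "#section" anchor is left untouched.
  if (findings.some((f) => f.where === "fragment")) url.hash = "#" + fragParams.toString();
  return { findings, redacted: url.toString() };
}
```

Run the audit on callback and redirect URLs in your own logging and error-reporting paths; any finding means a secret is travelling somewhere a URL leak can reach it.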

This was not the first time a researcher disclosed a SOP bypass flaw in Microsoft’s browsers after the company failed to release a patch.

In the meantime, Lee also disclosed a Content Security Policy (CSP) bypass vulnerability in Edge, but it’s unclear if Microsoft has been made aware of its existence and if it plans on patching it.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
