Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Management & Strategy

Microsoft Not Concerned About Disclosed Edge, IE Flaws

Microsoft does not seem too concerned about the risk posed by unpatched Internet Explorer and Edge vulnerabilities for which proof-of-concept (PoC) exploits were recently made public.

Microsoft does not seem too concerned about the risk posed by unpatched Internet Explorer and Edge vulnerabilities for which proof-of-concept (PoC) exploits were recently made public.

Researcher James Lee last week published PoC exploits for same-origin policy (SOP) bypass vulnerabilities affecting Microsoft’s Internet Explorer and Edge web browsers. He said he had reported his findings to the company 10 months ago, but received no reply and the flaws remain unpatched.

“The issue described does not meet our criteria for servicing and requires an attacker to convince a victim to visit a malicious website,” a Microsoft spokesperson told SecurityWeek. “We encourage our customers to practice good computing habits online, including exercising caution when clicking on links to web pages, opening unknown files, or accepting file transfers.”

The company has pointed users who may be concerned about these vulnerabilities to its online safety resources.

SOP is a mechanism designed to prevent websites from interacting with each other. However, Lee discovered flaws that can be exploited by a malicious site to obtain information from the URL of another website opened by a user.

Microsoft is not concerned about the impact of these vulnerabilities as it says the only type of information exposed via this method is the URL of a frame inside the same document.

Trend Micro has also conducted an analysis of the flaws and described them as “potentially very serious.”

“Examples of vulnerable information that might be stored in the URL include cookies, sessionIDs, usernames, passwords, and OAUTH tokens, either in plaintext or hash form,” the security firm explained. “OAUTH is a way of authorizing third party applications to login to users’ online accounts, and has a history of being abused. Any sensitive information included in the URL of a website could be collected using these vulnerabilities.”

Advertisement. Scroll to continue reading.

This was not the first time a researcher disclosed a SOP bypass flaw in Microsoft’s browsers after the company failed to release a patch.

In the meantime, Lee also disclosed a Content Security Policy (CSP) bypass vulnerability in Edge, but it’s unclear if Microsoft has been made aware of its existence and if it plans on patching it.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how the LOtL threat landscape has evolved, why traditional endpoint hardening methods fall short, and how adaptive, user-aware approaches can reduce risk.

Register

Join the summit to explore critical threats to public cloud infrastructure, APIs, and identity systems through discussions, case studies, and insights into emerging technologies like AI and LLMs.

Register

People on the Move

SAP security firm SecurityBridge announced the appointment of Roman Schubiger as the company’s new CRO.

Cybersecurity training and simulations provider SimSpace has appointed Peter Lee as Chief Executive Officer.

Orchid Security has appointed a new Chief Product Officer and three advisors.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.