Apple and Google Fix Browser Bug. Microsoft Does Not.

Catalin Cimpanu, reporting for BleepingComputer: Microsoft has declined to patch a security bug Cisco Talos researchers discovered in the Edge browser, claiming the reported issue is by design. Apple and Google patched a similar flaw in Safari (CVE-2017-2419) and Chrome (CVE-2017-5033), respectively. According to Cisco Talos researcher Nicolai Grodum, the vulnerability can be classified as a bypass of the Content Security Policy (CSP), a mechanism that allows website developers to configure HTTP headers and instruct the browsers of people visiting their site what resources (JavaScript, CSS) they can load and from where. The Content Security Policy (CSP) is one of the tools that browsers use to enforce Same-Origin Policy (SOP) inside browsers. Grodum says that he found a way to bypass CSP -- technical details available here -- that will allow an attacker to load malicious JavaScript code on a remote site and carry out intrusive operations such as collecting information from users' cookies, or logging keystrokes inside the page's forms, and others.

At least they're being honest now.

[Duckeenie]

Their products are insecure by design.

Re:

[ddtmm]

TL:DR

Re:

[zieroh]

It's not like Microsoft has ever been mistaken about security, right?

Right?

Re:At least they're being honest now.

[zieroh]

You really need to stop smoking crack before posting on Slashdot.

Re:

[lucm]

top 10 products with highest number of CVE:

1 Linux Kernel Linux OS 1930
2 Mac Os X Apple OS 1890
3 Chrome Google Application 1453
4 Firefox Mozilla Application 1438
5 Iphone Os Apple OS 1274
6 Android Google OS 1255
7 Flash Player Adobe Application 1035
8 Debian Linux Debian OS 1022
9 Windows Server 2008 Microsoft OS 956
10 Safari Apple Application

https://www.cvedetails.com/top... [cvedetails.com]

Re:

[lucm]

Those were "all time leaders". Here's the current year:

1 Android Google OS 564
2 Linux Kernel Linux OS 366
3 Imagemagick Imagemagick Application 303
4 Iphone Os Apple OS 290
5 Mac Os X Apple OS 210

Re:

[gnunick]

Hahaha! Nice job with your selective editing.

Gee, in a comparison to the all-time top 10, why would you list only the top 5 for 2017?

I think we both know the answer. The hell you didn't see 'em, indeed.

Re:

[bondsbw]

They break down Windows by version (unlike the others on the list), so they show as the next 6 items. But those versions are all based on the same code. They tend to share most exploits and fixes for versions that are supported in the same year.

Re:

[Anonymous Coward]

They break down Windows by version (unlike the others on the list), so they show as the next 6 items. But those versions are all based on the same code. They tend to share most exploits and fixes for versions that are supported in the same year.

This; the comments we get from the MS shills in these threads are almost worse than the bugs themselves. Although it's much better than Windows I don't want to defend Linux because OpenBSD is better in some ways and the Linux people should learn more from that, however Linus doesn't try to pretend there are five different products called Linux to try to change the order of the lists. He also doesn't pay trolls to come around forums lying about his product. If the producer of a product has to lie about t

Re:At least they're being honest now.

[gnunick]

Okay, since we're talking about recent history ("at the moment", as you said), how about we have a look at recent CVE "scores", not the all-time list that you pasted in?

Here's the top of the "winners" list for 2017:

1 Android Google OS 564
2 Linux Kernel Linux OS 366
3 Imagemagick Imagemagick Application 303
4 Iphone Os Apple OS 290
5 Mac Os X Apple OS 210
6 Windows 10 Microsoft OS 195
7 Windows Server 2008 Microsoft OS 187
8 Windows Server 2016 Microsoft OS 183
9 Windows Server 2012 Microsoft OS 176
10 Windows 7 Microsoft OS 174

But just for fun let's see #11:
11 Windows 8.1 Microsoft OS 167
(on the "all-time" list you pasted in, #11 would have been Internet Explorer)

source:
https://www.cvedetails.com/top... [cvedetails.com]

Aha! You're right, "it's not 1999" any more (in 1999, Microsoft occupied only 4 of the top 10 spots).

So let's see now... if you add up all the CVEs for all Microsoft products in the top 10 (everyone else seems to want to pretend Windows 8.1 never existed, so let's go with that), Microsoft scores a dazzling 915 CVEs so far 2017.

Re:

[sexconker]

Why would you add them up across Windows7, 8, etc.? Just to get a bigger number by counting the same vulnerability multiple times?
With that logic, you'd be counting each Android vulnerability once for each Android build it occurs in.

Re:

[gnunick]

Why would you add them up across Windows7, 8, etc.? Just to get a bigger number by counting the same vulnerability multiple times?
With that logic, you'd be counting each Android vulnerability once for each Android build it occurs in.

Um, gee... where do I start? I mean really, do you see Android (or any non-Microsoft product) broken down by version in that list? It seems to me that for a (lowercase) apples-to-apples comparison, adding up the counts for every version of Windows would be the only fair way to compare it to any OS (or Kernel) which isn't listed with a similar version-by-version breakdown.

In any case, the total number of CVEs for Windows in the top 10 had little to do with the premise of my post, which was a rebuttal to an i

Re:

[tomxor]

Aha! You're right, "it's not 1999" any more (in 1999, Microsoft occupied only 4 of the top 10 spots).

So let's see now... if you add up all the CVEs for all Microsoft products in the top 10 (everyone else seems to want to pretend Windows 8.1 never existed, so let's go with that), Microsoft scores a dazzling 915 CVEs so far 2017.

You're missing the point, recent history or not... total CVEs discovered does not matter, all that matters is total number of unpatched, open source will always have more CVEs. This difference for once clearly stated in the headline. And the result is that if you want to use Microsoft products you are expected to use antivirus, because they would rather you keep bailing out water than bother pluging the holes, M$ most common answer is: "Wont Fix"

Re:

[gnunick]

No, I'm not missing the point. You're totally right.

But there is no run-down of patched-vs-unpatched status listed on that site, the source of a ridiculous argument that I was rebutting. My only point was that his (?) argument was ridiculous. Sorry to have provided a red herring by doing any dubious math.

Re:

[tomxor]

Ah ok... yes I couldn't find any stats about the state of open CVEs either, which is quite frustrating.

Re:

[David_Hart]

Okay, since we're talking about recent history ("at the moment", as you said), how about we have a look at recent CVE "scores", not the all-time list that you pasted in?

Here's the top of the "winners" list for 2017:

1 Android Google OS 564
2 Linux Kernel Linux OS 366
3 Imagemagick Imagemagick Application 303
4 Iphone Os Apple OS 290
5 Mac Os X Apple OS 210
6 Windows 10 Microsoft OS 195
7 Windows Server 2008 Microsoft OS 187
8 Windows Server 2016 Microsoft OS 183
9 Windows Server 2012 Microsoft OS 176
10 Windows 7 Microsoft OS 174

But just for fun let's see #11:
11 Windows 8.1 Microsoft OS 167
(on the "all-time" list you pasted in, #11 would have been Internet Explorer)

source:
https://www.cvedetails.com/top... [cvedetails.com]

Aha! You're right, "it's not 1999" any more (in 1999, Microsoft occupied only 4 of the top 10 spots).

So let's see now... if you add up all the CVEs for all Microsoft products in the top 10 (everyone else seems to want to pretend Windows 8.1 never existed, so let's go with that), Microsoft scores a dazzling 915 CVEs so far 2017.

Your calculation is also misleading. It's quite possible that a Windows CVE spans a number of Windows versions which would lead to counting the same CVE by up to 5 times. I'm willing to bet that the number of unique Windows CVEs is about a third the number that you arrived at.

Re:At least they're being honest now.

[sysrammer]

Your calculation is also misleading. It's quite possible that a Windows CVE spans a number of Windows versions which would lead to counting the same CVE by up to 5 times. I'm willing to bet that the number of unique Windows CVEs is about a third the number that you arrived at.

I'll bet you'd win. This indicates that MS doesn't fix their bugs over multiple releases.

Re:

[gnunick]

Your calculation is also misleading. It's quite possible that a Windows CVE spans a number of Windows versions which would lead to counting the same CVE by up to 5 times. I'm willing to bet that the number of unique Windows CVEs is about a third the number that you arrived at.

Very true, but the premise of my argument was in the previous sentence. So sorry I included that last line. My argument required no calculations.

To return the point of discussion, I suggest you scroll to the bottom of https://www.cvedetails.com/top... [cvedetails.com] where you'll see the list of Total Number Of Vulnerabilities Of Top 50 Products By Vendor for 2017. I don't know how cvedetails.com does its math (nor do I know why they break down Windows by version, but not Android, etc.). Maybe they're also double-counting

Re:

[Zemran]

It is more than a little disingenuous that they list "the Linux kernel" and "OSX" as single items yet split Windows into separate versions to minimise its ranking. If you add the separate versions of Windows together as they have done with Linux and OSX, Windows goes off the scale.

Re:

[Cley Faye]

That's the number of publicly known/published vulnerabilities. We know (and it has been proven true) that a lot of vulnerabilities are secretly kept when discovered.
Looking at it another way, I could say "look at how many flaws were fixed in the linux kernel, Mac Os X, Chrome and Firefox, and look at how many were fixed in MS products". Listing CVE says nothing about the actual number of vulnerabilities, only about their disclosure.

Re:

[ElizabethGreene]

Is it common for vendors other than Microsoft to file a CVE for flaws that are discovered internally even if there is no public release and telemetry indicates no exploits in the wild, or for privately disclosed vulnerabilities with no public release?

This is not trolling; I'm actually curious to know. If that's not a common practice then it would be difficult to make an apples-to-apples comparison.

(I work for Microsoft, but this isn't part of the work I normally do.)

Re:

[Cley Faye]

No idea, but that's the point. Citing CVE (or any equivalent) listings as a "security gauge" is silly one way or another. And even if such list was relevant as to how secure a piece of software is, it would still be irrelevant in the real world, because you'd have to take into account how feasible each vuln. is, how effective it is, and how many systems are at risks.
The main difference between closed-source and open-source here is that one allows for more eyeballs than the other; it doesn't mean that more

Re:

[lucm]

No idea, but that's the point. Citing CVE (or any equivalent) listings as a "security gauge" is silly one way or another.

As opposed to just say "there must be secret bugs they don't tell us about"? How do you rank that? Arbitrary suspicion factor based on your own guesswork?

Re:

[Cley Faye]

I don't rank that. I don't have to. I wrote (but you omited that part in your quote) that there's no absolute way to say that one piece of software is better than another security wise, and that the only thing openness bring to the table is the ability for anyone to look into it.
I didn't say (here or anywhere else) "there must be secret bugs they don't tell us about" so I don't see why you're asking me this, aside from trying to stir a fruitless "discussion".

Re:

[gweihir]

Meaningless statistic is meaningless. And the one posting it is stupid.

Re:

[lucm]

Meaningless statistic is meaningless. And the one posting it is stupid.

Then why don't you provide meaningful content instead of just bitching about things? Oh wait, I know why.

Re:

[gweihir]

You make one mistake here: You think that educating the likes of you is worthwhile. I have tried and know better. Arrogant and stupid is sure-fire way to become resistant to insight.

Just one point: Anybody with some actual understanding knows that counting-metrics only make sense if the things counted are quite similar. Even a brief look at some random sample of CVEs immediately shows that this is not at all the case here and that counting is meaningless for the case at hand. Hence anybody promoting a count

Re:

[lucm]

Hence anybody promoting a counting-metric here is extremely disconnected from reality

Actually, it's people who say "counting-metric" that are disconnected from reality since it means nothing. Is it some kind of direct translation from Polish or whatever retarded language you speak?

Anyways, there's no reason for you to throw a tantrum. Why don't you remove the stick you've got up your ass and contribute something to the discussion? You're not funny, you're not witty, and you're not good at being smug; stick to real content.

Re:

[zieroh]

top 10 products with highest number of CVE:

You use data like a drunk uses a lamp post: for support, rather than illumination.

You're also a dishonest shill. Go fuck yourself.

pinterest is that way --->

[lucm]

You use data like a drunk uses a lamp post: for support, rather than illumination.

I'm sure you've been waiting for an opportunity to shoehorn that little inspirational nugget in one of your comments. Unfortunately, it doesn't work as well as you would have hoped because

1) it sounds as corny as the text in a discount Hallmark Get Well Soon card
and
2) I didn't "use data", I merely copy-pasted stuff from the first result that comes up when one googles "top 10 cve", which even by your self-righteous, biased standards can hardly be construed as being dishonest

I don't want to prevent you from l

Re:pinterest is that way ---

[zieroh]

I'm sure you've been waiting for an opportunity to shoehorn that little inspirational nugget in one of your comments.

I rarely have to wait for very long before some hapless turd wanting to score snarkpoints on [_fill_in_discussion_forum_here_] ambles along and demonstrates a piss-poor understanding of what facts are and what they mean. I've used the term many times before.

Unfortunately, it doesn't work as well as you would have hoped because [meaningless argle-bargle]

Get over yourself. It was a direct hit. The only one here who maybe doesn't understand that is you.

2) I didn't "use data", I merely copy-pasted stuff from the first result that comes up when one googles "top 10 cve"

A meaningless distinction if ever there was one.

As others have noted, Windows is largely split across multiple versions, while virtually nothing else is. T

Re:

[slashrio]

...that will allow an attacker to load malicious JavaScript code on a remote site and carry out intrusive operations such as collecting information from users' cookies, or logging keystrokes inside the page's forms, and others.

Yeah right, sounds like Microsoft indeed.

Re: At least they're being honest now.

[dougdonovan]

blame the ceo from india.

Good thing

[Billly Gates]

Because Edge == IE 6 and it is not like Google ever refused to fix a bug while MS did first.

Why am I ever bother writing a reply here?

Re:

[Snotnose]

Why am I ever bother writing a reply here?

A) You're drunk
B) You're "compiling"
C) You're putting off something you need to do but don't wanna

Re:

[lucm]

A) You're drunk
B) You're "compiling"
C) You're putting off something you need to do but don't wanna

Here's the 2017 version.

A) You're triggered
B) You're "docker pulling"
C) You've withdrawn from real world interaction

Re:

[slashrio]

D) You're Dutch.

Re:

[Dutch Gun]

Ya got me.

Re:

[slashrio]

A few years ago an older guy from Holland, therefore a Dutch guy, while they call their country The Netherlands -- pfff, can it be any more complicated? -- called me a 'snotneus'.
I said: "What?". And in bad English he said: "snotnose".
Maybe even it was you. ;)

Re:

[Dutch Gun]

If it was me, I likely would have called you a kleine snotneus. But I think that insult may be a genetic trait of the Dutch, along with thriftiness. You know how copper wire was invented, right? Two Dutchmen were fighting over a penny...

Re:

[slashrio]

First, it were two Scotch men, and second: 'kleine' (= little) would on average be correct as the Dutch tend to be the tallest people in the world (again, on average).

Really, Edge? XSS-vulnerable by design?

[intellitech]

An attacker only needs to open a new page via the “_blank” method and use the document.write function to write malicious code inside this page before loading the actual content. The malicious content — the code to execute a banal XSS attack — remains, and helps the attacker bypass CSP protections.

Just choked on my coffee after reading that. What possible use case could there be for allowing a blank page to even run javascript for document.write in the first place?

Re: Really, Edge? XSS-vulnerable by design?

[corychristison]

I suspect Microsoft relies on this "feature" in one of their products somewhere...

Re: Really, Edge? XSS-vulnerable by design?

[Monster_user]

Office 365?

Re: Really, Edge? XSS-vulnerable by design?

[Monster_user]

Is there some archaic manner of loading certain sites which requires they be loaded into a blank page? Or is there some requirement of a link somewhere, which Microsoft provides support for, that cannot be loaded with different restrictions by any other means than an exploit? Something about Microsoft thinks users are to dumb to tie their own shoes perhaps?

Re:

[Kjella]

Just choked on my coffee after reading that. What possible use case could there be for allowing a blank page to even run javascript for document.write in the first place?

I can't begin to phantom where the thought process comes form, but developers do the stupidest shit to make things work right now. Whether it's documented behavior, undocumented behavior, bugs, unintentional side effects, race conditions or whatever Microsoft has probably found that some developers have used this in a non-malicious way because drumroll it works. And that's really the whole of the story, if you break it you don't just break malware authors you break some website that paid idiot developers or

Re:

[lucm]

It's not clear in the description (I suspect the person who wrote it doesn't know how web pages work) but this just means opening a link that has a "_blank" target (new window/tab).

This is just clickbait as usual.

Re:

[The MAZZTer]

Well I can see poorly coded websites doing that to programmatically build up frames. Yes, writing JAVASCRIPT into a frame is odd, but I could see it happening. But when you navigate a frame everything that was in the old page should be unloaded. Old JavaScript, especially from a different origin, should not continue to run!

Re:

[WaffleMonster]

An attacker only needs to open a new page via the âoe_blankâ method and use the document.write function to write malicious code inside this page before loading the actual content. The malicious content â" the code to execute a banal XSS attack â" remains, and helps the attacker bypass CSP protections.

Just choked on my coffee after reading that. What possible use case could there be for allowing a blank page to even run javascript for document.write in the first place?

TFA is weak on details... what this all seems to be about has been known for a very long time.

By blank I assume they mean an HREF with a TARGET of _blank but not really limited to blank just any target that opens a new window.

What happens is when you link to the remote site if that site is malicious it can call back into the web page that opened it using "opener" like JS reference crap and modify or do shit in the window that called you.

For example your banking website provides a list of hyperlinks to third

Re:

[gustygolf]

You can build a new window altogether in JavaScript, apparently, with no HTTP requests taking place. I think this is what your quote refers to.

See the javascript at e.g. sheldon brown's bicycle gear calculator page [sheldonbrown.com], line 422 (function showit()) and forward.

It basically uses document.write to build the whole pop-up results window.

(Yes, I was surprised to learn that such a thing was possible.)

Re:

[Cley Faye]

Opening a page with "_blank" target doesn't open a blank page; it open a page in a new tab/window. It's super common, and is often used to open link to external sites without losing the current page (it's somewhat seen as a UX nightmare for some people).
So it's not just allowing a blank page to run foreign JavaScript, it's allowing any real page, following "correct looking" URL to run foreign JavaScript.

For reference, an "about:blank" is what you'd want if you want to open a blank page. But the article c

Genuine problem

[Anonymous Coward]

The attack is to open a blank page in JS, insert your malicious code, then load the victim website. Oh look, your malicious code can run.

MSRC needs a bigger bat to force the IE team to fix this. But they have little influence in the company, which is why logging out of Microsoft websites doesn't invalidate your cookie; you can still use that old cookie to stay logged in. By Design, of course.

Where?

[wonkey_monkey]

technical details available here

Here? Where?

For an internet news site you sure do have a shitty grasp of how the internet works.

Re:

[fisted]

grasp of how the www works.

FTFY

Re:

[tepples]

With firewalls in so many places blocking everything but 443 and 80 out, and with device makers blocking native apps from their walled gardens based on ambiguous content criteria, www is the Internet as end users experience it.

Usually it's Apple...

[Ecuador]

Huh, usually it's Apple with the "Broken As Designed [stackoverflow.com] stuff, I guess Microsoft is playing catch up in that area too ;)

Re:

[Ecuador]

As a software engineer, it was a common pattern when I was working with iOS. The example was one that came quickly to my mind in a form that I could easily search and post. I even had issues as a user, e.g. for about 2 years Apple had broken support if you had a Mac Pro with upgraded graphics and a multi-monitor setup with a mix of landscape and portrait mode monitors. Their reply to the bug reports was something akin to "if you have that kind of setup, you're doing it wrong". Of course you could also say t

Well, it's only Edge

[JohnFen]

It's only Edge, so hardly anyone will be affected.

windows 10 S you fail again just wait for EU smack

[Joe_Dragon]

windows 10 S you fail again just wait for EU smack down.

  iOS is locked to WebKit

Safari not patched

[DontBeAMoran]

If you don't use the latest macOS version, you can't upgrade to the latest version of Safari.

MS stop keeping IE features.

[bongey]

Edge is suppose to be NEW browser but from the mozilla/firefox page it is one of those none standard IE "features". https://developer.mozilla.org/... [mozilla.org]

Not just Microsoft

[Anonymous Coward]

sure, this time the people at NSA and CIA gave a court order to the sorry people at Microsoft, and they weren't allowed to fix the bug, but there are a dozen of these hiding in the other browsers, kept there by the same kind of court orders.

If it's American, then it's back-doored by design. That's what you need to start telling people.