Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security The Internet Chrome Safari

Apple and Google Fix Browser Bug. Microsoft Does Not. (bleepingcomputer.com) 78

Catalin Cimpanu, reporting for BleepingComputer: Microsoft has declined to patch a security bug Cisco Talos researchers discovered in the Edge browser, claiming the reported issue is by design. Apple and Google patched a similar flaw in Safari (CVE-2017-2419) and Chrome (CVE-2017-5033), respectively. According to Cisco Talos researcher Nicolai Grodum, the vulnerability can be classified as a bypass of the Content Security Policy (CSP), a mechanism that allows website developers to configure HTTP headers and instruct the browsers of people visiting their site what resources (JavaScript, CSS) they can load and from where. The Content Security Policy (CSP) is one of the tools that browsers use to enforce Same-Origin Policy (SOP) inside browsers. Grodum says that he found a way to bypass CSP -- technical details available here -- that will allow an attacker to load malicious JavaScript code on a remote site and carry out intrusive operations such as collecting information from users' cookies, or logging keystrokes inside the page's forms, and others.
This discussion has been archived. No new comments can be posted.

Apple and Google Fix Browser Bug. Microsoft Does Not.

Comments Filter:
  • by Duckeenie ( 4964511 ) on Friday September 08, 2017 @05:46PM (#55161789)
    Their products are insecure by design.
    • by zieroh ( 307208 )

      It's not like Microsoft has ever been mistaken about security, right?

      Right?

      • ...that will allow an attacker to load malicious JavaScript code on a remote site and carry out intrusive operations such as collecting information from users' cookies, or logging keystrokes inside the page's forms, and others.

        Yeah right, sounds like Microsoft indeed.

    • blame the ceo from india.
  • Because Edge == IE 6 and it is not like Google ever refused to fix a bug while MS did first.

    Why am I ever bother writing a reply here?

    • Why am I ever bother writing a reply here?

      A) You're drunk
      B) You're "compiling"
      C) You're putting off something you need to do but don't wanna

      • by lucm ( 889690 )

        A) You're drunk
        B) You're "compiling"
        C) You're putting off something you need to do but don't wanna

        Here's the 2017 version.

        A) You're triggered
        B) You're "docker pulling"
        C) You've withdrawn from real world interaction

      • D) You're Dutch.
        • Ya got me.

          • A few years ago an older guy from Holland, therefore a Dutch guy, while they call their country The Netherlands -- pfff, can it be any more complicated? -- called me a 'snotneus'.
            I said: "What?". And in bad English he said: "snotnose".
            Maybe even it was you. ;)
            • If it was me, I likely would have called you a kleine snotneus. But I think that insult may be a genetic trait of the Dutch, along with thriftiness. You know how copper wire was invented, right? Two Dutchmen were fighting over a penny...

              • First, it were two Scotch men, and second: 'kleine' (= little) would on average be correct as the Dutch tend to be the tallest people in the world (again, on average).
  • by intellitech ( 1912116 ) on Friday September 08, 2017 @06:05PM (#55161853)

    An attacker only needs to open a new page via the “_blank” method and use the document.write function to write malicious code inside this page before loading the actual content. The malicious content — the code to execute a banal XSS attack — remains, and helps the attacker bypass CSP protections.

    Just choked on my coffee after reading that. What possible use case could there be for allowing a blank page to even run javascript for document.write in the first place?

    • I suspect Microsoft relies on this "feature" in one of their products somewhere...

    • Is there some archaic manner of loading certain sites which requires they be loaded into a blank page? Or is there some requirement of a link somewhere, which Microsoft provides support for, that cannot be loaded with different restrictions by any other means than an exploit? Something about Microsoft thinks users are to dumb to tie their own shoes perhaps?
    • by Kjella ( 173770 )

      Just choked on my coffee after reading that. What possible use case could there be for allowing a blank page to even run javascript for document.write in the first place?

      I can't begin to phantom where the thought process comes form, but developers do the stupidest shit to make things work right now. Whether it's documented behavior, undocumented behavior, bugs, unintentional side effects, race conditions or whatever Microsoft has probably found that some developers have used this in a non-malicious way because drumroll it works. And that's really the whole of the story, if you break it you don't just break malware authors you break some website that paid idiot developers or

    • by lucm ( 889690 )

      It's not clear in the description (I suspect the person who wrote it doesn't know how web pages work) but this just means opening a link that has a "_blank" target (new window/tab).

      This is just clickbait as usual.

    • Well I can see poorly coded websites doing that to programmatically build up frames. Yes, writing JAVASCRIPT into a frame is odd, but I could see it happening. But when you navigate a frame everything that was in the old page should be unloaded. Old JavaScript, especially from a different origin, should not continue to run!
    • An attacker only needs to open a new page via the âoe_blankâ method and use the document.write function to write malicious code inside this page before loading the actual content. The malicious content â" the code to execute a banal XSS attack â" remains, and helps the attacker bypass CSP protections.

      Just choked on my coffee after reading that. What possible use case could there be for allowing a blank page to even run javascript for document.write in the first place?

      TFA is weak on details... what this all seems to be about has been known for a very long time.

      By blank I assume they mean an HREF with a TARGET of _blank but not really limited to blank just any target that opens a new window.

      What happens is when you link to the remote site if that site is malicious it can call back into the web page that opened it using "opener" like JS reference crap and modify or do shit in the window that called you.

      For example your banking website provides a list of hyperlinks to third

    • You can build a new window altogether in JavaScript, apparently, with no HTTP requests taking place. I think this is what your quote refers to.

      See the javascript at e.g. sheldon brown's bicycle gear calculator page [sheldonbrown.com], line 422 (function showit()) and forward.

      It basically uses document.write to build the whole pop-up results window.

      (Yes, I was surprised to learn that such a thing was possible.)

    • Opening a page with "_blank" target doesn't open a blank page; it open a page in a new tab/window. It's super common, and is often used to open link to external sites without losing the current page (it's somewhat seen as a UX nightmare for some people).
      So it's not just allowing a blank page to run foreign JavaScript, it's allowing any real page, following "correct looking" URL to run foreign JavaScript.

      For reference, an "about:blank" is what you'd want if you want to open a blank page. But the article c
  • Genuine problem (Score:2, Informative)

    by Anonymous Coward

    The attack is to open a blank page in JS, insert your malicious code, then load the victim website. Oh look, your malicious code can run.

    MSRC needs a bigger bat to force the IE team to fix this. But they have little influence in the company, which is why logging out of Microsoft websites doesn't invalidate your cookie; you can still use that old cookie to stay logged in. By Design, of course.

  • technical details available here

    Here? Where?

    For an internet news site you sure do have a shitty grasp of how the internet works.

    • by fisted ( 2295862 )

      grasp of how the www works.

      FTFY

      • by tepples ( 727027 )

        With firewalls in so many places blocking everything but 443 and 80 out, and with device makers blocking native apps from their walled gardens based on ambiguous content criteria, www is the Internet as end users experience it.

  • Huh, usually it's Apple with the "Broken As Designed [stackoverflow.com] stuff, I guess Microsoft is playing catch up in that area too ;)

  • It's only Edge, so hardly anyone will be affected.

  • windows 10 S you fail again just wait for EU smack down.

      iOS is locked to WebKit

  • If you don't use the latest macOS version, you can't upgrade to the latest version of Safari.

  • Edge is suppose to be NEW browser but from the mozilla/firefox page it is one of those none standard IE "features". https://developer.mozilla.org/... [mozilla.org]
  • by Anonymous Coward

    sure, this time the people at NSA and CIA gave a court order to the sorry people at Microsoft, and they weren't allowed to fix the bug, but there are a dozen of these hiding in the other browsers, kept there by the same kind of court orders.

    If it's American, then it's back-doored by design. That's what you need to start telling people.

Understanding is always the understanding of a smaller problem in relation to a bigger problem. -- P.D. Ouspensky

Working...