Apple and Google Fix Browser Bug. Microsoft Does Not. (bleepingcomputer.com) 15
Catalin Cimpanu, reporting for BleepingComputer: Microsoft has declined to patch a security bug Cisco Talos researchers discovered in the Edge browser, claiming the reported issue is by design. Apple and Google patched a similar flaw in Safari (CVE-2017-2419) and Chrome (CVE-2017-5033), respectively. According to Cisco Talos researcher Nicolai Grodum, the vulnerability can be classified as a bypass of the Content Security Policy (CSP), a mechanism that allows website developers to configure HTTP headers and instruct the browsers of people visiting their site what resources (JavaScript, CSS) they can load and from where. The Content Security Policy (CSP) is one of the tools that browsers use to enforce Same-Origin Policy (SOP) inside browsers. Grodum says that he found a way to bypass CSP -- technical details available here -- that will allow an attacker to load malicious JavaScript code on a remote site and carry out intrusive operations such as collecting information from users' cookies, or logging keystrokes inside the page's forms, and others.
At least they're being honest now. (Score:4, Insightful)
Re: (Score:2)
It's not like Microsoft has ever been mistaken about security, right?
Right?
Re: (Score:2)
At the moment, the security of Microsoft products is vastly superior to that of Google and Apple. This is not 1999 anymore.
Re: (Score:2)
You really need to stop smoking crack before posting on Slashdot.
Good thing (Score:2)
Because Edge == IE 6 and it is not like Google ever refused to fix a bug while MS did first.
Why am I ever bother writing a reply here?
Re: (Score:2)
Why am I ever bother writing a reply here?
A) You're drunk
B) You're "compiling"
C) You're putting off something you need to do but don't wanna
Really, Edge? XSS-vulnerable by design? (Score:2)
An attacker only needs to open a new page via the “_blank” method and use the document.write function to write malicious code inside this page before loading the actual content. The malicious content — the code to execute a banal XSS attack — remains, and helps the attacker bypass CSP protections.
Just choked on my coffee after reading that. What possible use case could there be for allowing a blank page to even run javascript for document.write in the first place?
Re: Really, Edge? XSS-vulnerable by design? (Score:2)
I suspect Microsoft relies on this "feature" in one of their products somewhere...
Re: Really, Edge? XSS-vulnerable by design? (Score:1)
Re: Really, Edge? XSS-vulnerable by design? (Score:1)
Where? (Score:2)
technical details available here
Here? Where?
For an internet news site you sure do have a shitty grasp of how the internet works.
Usually it's Apple... (Score:2)
Huh, usually it's Apple with the "Broken As Designed [stackoverflow.com] stuff, I guess Microsoft is playing catch up in that area too
;)
Well, it's only Edge (Score:2)
It's only Edge, so hardly anyone will be affected.