

Catalin Cimpanu, reporting for BleepingComputer: Microsoft has declined to patch a security bug Cisco Talos researchers discovered in the Edge browser, claiming the reported issue is by design. Apple and Google patched a similar flaw in Safari (CVE-2017-2419) and Chrome (CVE-2017-5033), respectively. According to Cisco Talos researcher Nicolai Grodum, the vulnerability can be classified as a bypass of the Content Security Policy (CSP), a mechanism that allows website developers to configure HTTP headers and instruct the browsers of people visiting their site what resources (JavaScript, CSS) they can load and from where. The Content Security Policy (CSP) is one of the tools that browsers use to enforce Same-Origin Policy (SOP) inside browsers. Grodum says that he found a way to bypass CSP -- technical details available here -- that will allow an attacker to load malicious JavaScript code on a remote site and carry out intrusive operations such as collecting information from users' cookies, or logging keystrokes inside the page's forms, and others.
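The summary describes CSP as a header-driven allow-list for where scripts and styles may load from. As an added example (not code from the original page, nor from Cisco Talos, Microsoft or BleepingComputer), the evaluator below models the core of that decision for the `script-src` directive: parse the header, then check a script's origin against each source expression. The policies, origins and URLs are constructed for illustration; nonces and hashes are deliberately not modelled. Run against a policy without `'unsafe-inline'`, it shows why a correctly enforced CSP rejects injected inline script, which is exactly the decision the reported Edge bypass sidesteps by planting the script before the page is loaded.

```javascript
// Parse a Content-Security-Policy header value into directive -> source list.
// Example input (constructed): "default-src 'self'; script-src 'self' https://cdn.example.com"
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Does one CSP source expression permit loading scriptUrl on a page with pageOrigin?
// Handles 'none', 'self', '*', scheme-only (https:), host and host-wildcard (*.example.com).
// Simplifications: paths are ignored and a port must match literally.
function sourceMatches(source, scriptUrl, pageOrigin) {
  const u = new URL(scriptUrl);
  if (source === "'none'") return false;
  if (source === "'self'") return u.origin === pageOrigin;
  if (source === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return u.protocol === source.toLowerCase();

  let hostSrc = source;
  let scheme = null;
  const m = hostSrc.match(/^([a-z][a-z0-9+.-]*):\/\/(.*)$/i);
  if (m) { scheme = m[1].toLowerCase() + ':'; hostSrc = m[2]; }
  if (scheme && u.protocol !== scheme) return false;

  const [hostPart] = hostSrc.split('/');
  const [host, port] = hostPart.split(':');
  if (port && u.port !== port) return false;
  if (host.startsWith('*.')) {
    // *.example.com matches sub.example.com but not the apex example.com
    const suffix = host.slice(1).toLowerCase();
    return u.hostname.endsWith(suffix) && u.hostname !== suffix.slice(1);
  }
  return u.hostname === host.toLowerCase();
}

// Decide whether a script may execute under the policy.
// script is { inline: true } or { inline: false, url: "https://..." }.
// Inline script needs 'unsafe-inline' (nonces/hashes not modelled here).
// With no script-src and no default-src, CSP places no restriction on scripts.
function scriptAllowed(policy, pageOrigin, script) {
  const csp = parseCsp(policy);
  const sources = csp['script-src'] ?? csp['default-src'] ?? ['*'];
  if (script.inline) return sources.includes("'unsafe-inline'");
  return sources.some(s => sourceMatches(s, script.url, pageOrigin));
}

// Constructed demonstration: a strict policy for a hypothetical app origin.
const STRICT_POLICY = "default-src 'self'; script-src 'self' https://cdn.example.com";
const PAGE_ORIGIN = 'https://app.example.com';

function demo() {
  return {
    inlineBlocked: scriptAllowed(STRICT_POLICY, PAGE_ORIGIN, { inline: true }) === false,
    selfAllowed: scriptAllowed(STRICT_POLICY, PAGE_ORIGIN, { inline: false, url: 'https://app.example.com/a.js' }),
    cdnAllowed: scriptAllowed(STRICT_POLICY, PAGE_ORIGIN, { inline: false, url: 'https://cdn.example.com/lib.js' }),
    thirdPartyBlocked: scriptAllowed(STRICT_POLICY, PAGE_ORIGIN, { inline: false, url: 'https://other.example.net/x.js' }) === false,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

`demo()` returns four booleans that are all `true` when the policy behaves as intended: inline script is refused, same-origin and the named CDN are allowed, anything else is refused. Auditing a real deployment means checking the served header with the same questions, in particular that `script-src` does not carry `'unsafe-inline'` or a bare `*`.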

Apple and Google Fix Browser Bug. Microsoft Does Not.

  • At least they're being honest now. (Score:5, Insightful)

    by Duckeenie ( 4964511 ) on Friday September 08, 2017 @06:46PM (#55161789)
    Their products are insecure by design.

  • Because Edge == IE 6 and it is not like Google ever refused to fix a bug while MS did first.

    Why do I ever bother writing a reply here?

    • Why do I ever bother writing a reply here?

      A) You're drunk
      B) You're "compiling"
      C) You're putting off something you need to do but don't wanna

      • Re: (Score:2)

        by lucm ( 889690 )

        A) You're drunk
        B) You're "compiling"
        C) You're putting off something you need to do but don't wanna

        Here's the 2017 version.

        A) You're triggered
        B) You're "docker pulling"
        C) You've withdrawn from real world interaction

  • Really, Edge? XSS-vulnerable by design? (Score:4, Interesting)

    by intellitech ( 1912116 ) on Friday September 08, 2017 @07:05PM (#55161853)

    An attacker only needs to open a new page via the “_blank” method and use the document.write function to write malicious code inside this page before loading the actual content. The malicious content — the code to execute a banal XSS attack — remains, and helps the attacker bypass CSP protections.

    Just choked on my coffee after reading that. What possible use case could there be for allowing a blank page to even run javascript for document.write in the first place?

    • I suspect Microsoft relies on this "feature" in one of their products somewhere...

    • Is there some archaic manner of loading certain sites which requires they be loaded into a blank page? Or is there some requirement of a link somewhere, which Microsoft provides support for, that cannot be loaded with different restrictions by any other means than an exploit? Something about Microsoft thinks users are too dumb to tie their own shoes perhaps?

    • Re: (Score:2)

      by Kjella ( 173770 )

      Just choked on my coffee after reading that. What possible use case could there be for allowing a blank page to even run javascript for document.write in the first place?

      I can't begin to fathom where the thought process comes from, but developers do the stupidest shit to make things work right now. Whether it's documented behavior, undocumented behavior, bugs, unintentional side effects, race conditions or whatever, Microsoft has probably found that some developers have used this in a non-malicious way because, drumroll, it works. And that's really the whole of the story: if you break it you don't just break malware authors, you break some website that paid idiot developers or

    • Re: (Score:2)

      by lucm ( 889690 )

      It's not clear in the description (I suspect the person who wrote it doesn't know how web pages work) but this just means opening a link that has a "_blank" target (new window/tab).

      This is just clickbait as usual.

    • Well I can see poorly coded websites doing that to programmatically build up frames. Yes, writing JAVASCRIPT into a frame is odd, but I could see it happening. But when you navigate a frame everything that was in the old page should be unloaded. Old JavaScript, especially from a different origin, should not continue to run!

  • Genuine problem (Score:2, Informative)

    by Anonymous Coward

    The attack is to open a blank page in JS, insert your malicious code, then load the victim website. Oh look, your malicious code can run.

    MSRC needs a bigger bat to force the IE team to fix this. But they have little influence in the company, which is why logging out of Microsoft websites doesn't invalidate your cookie; you can still use that old cookie to stay logged in. By Design, of course.

  • technical details available here

    Here? Where?

    For an internet news site you sure do have a shitty grasp of how the internet works.

  • Huh, usually it's Apple with the "Broken As Designed" [stackoverflow.com] stuff, I guess Microsoft is playing catch up in that area too ;)

  • It's only Edge, so hardly anyone will be affected.

  • Windows 10 S, you fail again. Just wait for the EU smackdown.

      iOS is locked to WebKit

